QubesOS/qubes-linux-template-builder
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

whonix: Added ability to be able to update templates via tor proxy. Firewall rules not working yet on gateway

Browse Source
This commit is contained in:
Jason Mehring 2014-11-04 00:01:13 -05:00
parent 422dcc9c24
commit d6d22e875e
7 changed files with 27 additions and 277 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
View File

@ -42,5 +42,5 @@ elif [ "${WHONIX}" == "workstation" ]; then
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
sudo /sbin/poweroff #sudo /sbin/poweroff
fi fi

28
scripts_debian/wheezy+whonix-workstation/files/.facl
View File

@ -33,6 +33,27 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev # file: etc/udev
# owner: root # owner: root
# group: root # group: root
@ -117,13 +138,6 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/tests.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml # file: usr/lib/whonix/messages.yaml
# owner: root # owner: root
# group: root # group: root

2
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
View File

@ -42,5 +42,5 @@ elif [ "${WHONIX}" == "workstation" ]; then
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
sudo /sbin/poweroff #sudo /sbin/poweroff
fi fi

95
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
View File

@ -1,95 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
#disable_sysv tor
#disable_sysv sdwdate
iptables -F
iptables -t nat -F
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
# Remap ALL traffic
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -v -L
#iptables -v -t nat -L
#telnet 127.0.0.1 9105
#telnet 10.137.2.1 8082
#telnet 127.0.0.1 8082
#tail -100 /var/log/kern.log

9
scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
View File

@ -34,10 +34,9 @@ if [ "${SNAPSHOT}" == "1" ]; then
fi fi
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# chroot Whonix build script (Make sure set -e is not set) # chroot Whonix build script
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true
################################################################################ ################################################################################
# Pre Fixups # Pre Fixups
sudo mkdir -p /boot/grub2 sudo mkdir -p /boot/grub2
@ -82,7 +81,7 @@ EOF
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Pin grub so it won't install # Pin grub so it won't install
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
read -r -d '' WHONIX_APT_PIN <<'EOF' read -r -d '' WHONIX_APT_PIN <<'EOF' || true
Package: grub-pc Package: grub-pc
Pin: version * Pin: version *
Pin-Priority: -100 Pin-Priority: -100
@ -103,7 +102,7 @@ EOF
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Set defualts for apt not to install recommended or extra packages # Set defualts for apt not to install recommended or extra packages
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' || true
Acquire::Languages "none"; Acquire::Languages "none";
APT::Install-Recommends "false"; APT::Install-Recommends "false";
APT::Install-Suggests "false"; APT::Install-Suggests "false";

157
scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d
View File

@ -1,157 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# XXX: Create a snapshot - Only for DEBUGGING!
# ------------------------------------------------------------------------------
# Only execute if SNAPSHOT is set
if [ "${SNAPSHOT}" == "1" ]; then
splitPath "${IMG}" path_parts
PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
umount_kill "${INSTALLDIR}" || :
warn "Copying ${IMG} to ${PREPARED_IMG}"
cp -f "${IMG}" "${PREPARED_IMG}"
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
fi
fi
# ------------------------------------------------------------------------------
# Set defualts for apt not to install recommended or extra packages
# ------------------------------------------------------------------------------
#read -r -d '' WHONIX_APT_PREFERENCES <<'EOF'
#Acquire::Languages "none";
#APT::Install-Recommends "false";
#APT::Install-Suggests "false";
#Dpkg::Options "--force-confold";
#EOF
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() {
error "Whonix error; umounting ${INSTALLDIR} to prevent further writes"
umount_kill "${INSTALLDIR}" || :
exit 1
}
trap cleanup ERR
trap cleanup EXIT
# ------------------------------------------------------------------------------
# Mount devices, etc required for Whonix installation
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
info "Preparing Whonix system"
# --------------------------------------------------------------------------
# Qubes needs a user named 'user'
# --------------------------------------------------------------------------
debug "Whonix Add user"
chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \
{
chroot "${INSTALLDIR}" groupadd -f user
chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
}
# ------------------------------------------------------------------------------
# Copy over any extra files
# ------------------------------------------------------------------------------
copyTree "files"
touch "${INSTALLDIR}/tmp/.whonix_prepared"
fi
# ------------------------------------------------------------------------------
# Install Whonix
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then
info "Installing Whonix system"
# ------------------------------------------------------------------------------
# Create Whonix mount point
# ------------------------------------------------------------------------------
if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
debug "Installing Whonix build environment..."
chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix'
fi
# --------------------------------------------------------------------------
# Install Whonix code base
# --------------------------------------------------------------------------
if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
debug "Building Whonix..."
mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix"
sync
sleep 1
fi
# ------------------------------------------------------------------------------
# Determine type of Whonix build
# ------------------------------------------------------------------------------
if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
BUILD_TYPE="--torgateway"
elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
BUILD_TYPE="--torworkstation"
else
error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
error "You need to set TEMPLATE_FLAVOR environment variable to either"
error "whonix-gateway OR whonix-workstation"
exit 1
fi
# ------------------------------------------------------------------------------
# Start Whonix build process
# ------------------------------------------------------------------------------
chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; }
touch "${INSTALLDIR}/tmp/.whonix_installed"
touch "${INSTALLDIR}/tmp/.whonix_post"
fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor scripts
# ------------------------------------------------------------------------------
buildStep "99_custom_configuration.sh"
# ------------------------------------------------------------------------------
# Bring back original apt-get for installation of Qubues
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist-orig apt-get;
}
popd
# ------------------------------------------------------------------------------
# Make sure the temporary policy-rc.d to prevent apt from starting services
# on package installation is still active; Whonix may have reset it
# ------------------------------------------------------------------------------
cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 "${INSTALLDIR}/usr/sbin/policy-rc.d"
# ------------------------------------------------------------------------------
# Leave cleanup to calling function
# ------------------------------------------------------------------------------
trap - ERR EXIT
trap

11
scripts_debian/wheezy+whonix/packages_wheezy.list
View File

@ -1,14 +1,3 @@
gnome-terminal
locales
sudo
dmsetup
psmisc
ncurses-term
xserver-xorg-core
x11-xserver-utils
xinit
acpid
git git
curl curl
sudo sudo