whonix: Lockdown network if not connected to a tor-newvm

2014-11-11 13:41:42 -05:00 · 2014-11-11 13:41:42 -05:00 · d92d6d1577
commit d92d6d1577
parent 356f49d779
4 changed files with 28 additions and 8 deletions
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
@ -7,6 +7,3 @@ update:
      <p><B>Tor netvm required for updates!</B></p>
      <p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
      <p>No updates are possible without an active (running) Whonix gateway VM.</p>
-      <p/>
-      <p><b>Template will now power off</b></p>
-
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
    fi

 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+    # Set secure defaults.
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT DROP
+
+    # Flush old rules.
+    iptables -F
+    iptables -X
+    iptables -t nat -F
+    iptables -t nat -X
+    iptables -t mangle -F
+    iptables -t mangle -X
+
+    # Display warning that netvm is not connected to a torvm
    /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
-    #sudo /sbin/poweroff 
 fi
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
@ -7,6 +7,3 @@ update:
      <p><B>Tor netvm required for updates!</B></p>
      <p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
      <p>No updates are possible without an active (running) Whonix gateway VM.</p>
-      <p/>
-      <p><b>Template will now power off</b></p>
-
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
    fi

 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+    # Set secure defaults.
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT DROP
+
+    # Flush old rules.
+    iptables -F
+    iptables -X
+    iptables -t nat -F
+    iptables -t nat -X
+    iptables -t mangle -F
+    iptables -t mangle -X
+
+    # Display warning that netvm is not connected to a torvm
    /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
-    #sudo /sbin/poweroff 
 fi