From d92d6d1577f012454d7b235cc73e4ce8e3f9b844 Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Tue, 11 Nov 2014 13:41:42 -0500
Subject: [PATCH] whonix: Lockdown network if not connected to a tor-newvm
---
 .../files/usr/lib/whonix/messages.yaml | 3 ---
 .../files/usr/lib/whonix/qubes-whonixsetup | 15 ++++++++++++++-
 .../files/usr/lib/whonix/messages.yaml | 3 ---
 .../files/usr/lib/whonix/qubes-whonixsetup | 15 ++++++++++++++-
 4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
index d3be464..075ab09 100644
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
@@ -7,6 +7,3 @@ update:

Tor netvm required for updates!

Please ensure your template vm has a Whonix gateway as it's VM.

No updates are possible without an active (running) Whonix gateway VM.

-

-

Template will now power off

-
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
index 814af62..edb6240 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
 fi
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+ # Set secure defaults.
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT DROP
+
+ # Flush old rules.
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -t mangle -F
+ iptables -t mangle -X
+
+ # Display warning that netvm is not connected to a torvm
 /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
- #sudo /sbin/poweroff
 fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
index d3be464..075ab09 100644
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
@@ -7,6 +7,3 @@ update:
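Review bot: The lockdown in the `template` branch of qubes-whonixsetup covers IPv4 only — every policy and flush in the added block goes through `iptables`, so any IPv6 path the template has keeps whatever policy it had (ACCEPT by default) and is not affected by this change; the same block is repeated verbatim in the workstation hunk below, so the point applies there too. A loop over `iptables` and `ip6tables` covers both families and removes the duplication; the nat table is kept IPv4-only in the proposal since ip6tables may not provide it on older kernels. Each call's exit status is also ignored, so if one command fails the previous rules stay in place while the alert still implies a locked-down state — adding `|| exit 1` to at least the three `-P ... DROP` lines would make that visible, unless the script already runs under `set -e` above this hunk (the enclosing if/elif chain starts outside the hunk). With INPUT and OUTPUT at DROP and no loopback exception, loopback traffic on the template is dropped as well; if that is intended, a short comment such as `# No loopback exception: the template is meant to be fully offline here` would save the next reader a question.
```shell
    # Set secure defaults and flush old rules for both IPv4 and IPv6.
    for ipt in iptables ip6tables; do
        "$ipt" -P INPUT DROP || exit 1
        "$ipt" -P FORWARD DROP || exit 1
        "$ipt" -P OUTPUT DROP || exit 1
        "$ipt" -F
        "$ipt" -X
        "$ipt" -t mangle -F
        "$ipt" -t mangle -X
    done
    # nat table: IPv4 only (ip6tables may not provide it on older kernels).
    iptables -t nat -F
    iptables -t nat -X
    # … unchanged: alert call …
```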

Tor netvm required for updates!

Please ensure your template vm has a Whonix gateway as it's VM.

No updates are possible without an active (running) Whonix gateway VM.

-

-

Template will now power off

-
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
index 814af62..edb6240 100755
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
 fi
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+ # Set secure defaults.
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT DROP
+
+ # Flush old rules.
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -t mangle -F
+ iptables -t mangle -X
+
+ # Display warning that netvm is not connected to a torvm
 /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
- #sudo /sbin/poweroff
 fi