#!/bin/bash if [ -x /usr/sbin/xenstore-read ]; then XENSTORE_READ="/usr/sbin/xenstore-read" else XENSTORE_READ="/usr/bin/xenstore-read" fi INTERFACE="eth1" ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) # Create a dummy eth1 interface so tor can bind to it if there # are no DOMU virtual machines connected at the moment ip link show ${INTERFACE} >> /dev/null || { /sbin/ip link add ${INTERFACE} type dummy # Now, assign it the netvm-gateway IP address if [ x${ip} != x ]; then netmask=$(${XENSTORE_READ} qubes-netvm-netmask) gateway=$(${XENSTORE_READ} qubes-netvm-gateway) /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 /sbin/ifconfig ${INTERFACE} up /sbin/ethtool -K ${INTERFACE} sg off /sbin/ethtool -K ${INTERFACE} tx off fi } # Files that will have the immutable bit set # since we don't want them modified by other programs IMMUTABLE_FILES=( '/etc/resolv.conf' '/etc/hostname' '/etc/hosts' ) immutableFilesEnable() { files="${1}" suffix="${2}" for file in "${files[@]}"; do if [ -f "${file}" ] && ! [ -L "${file}" ]; then chattr +i "${file}${suffix}" fi done } immutableFilesDisable() { files="${1}" suffix="${2}" for file in "${files[@]}"; do if [ -f "${file}" ] && ! [ -L "${file}" ]; then chattr -i "${file}${suffix}" fi done } copyAnondist() { file="${1}" suffix="${2-.anondist}" # Remove any softlinks first if [ -L "${file}" ]; then rm -f "${file}" fi if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then chattr -i "${file}" rm -f "${file}" cp -p "${file}${suffix}" "${file}" chattr +i "${file}" elif ! [ -f "${file}" ]; then cp -p "${file}${suffix}" "${file}" chattr +i "${file}" fi } # Make sure all .anondist files in list are immutable immutableFilesEnable "${IMMUTABLE_FILES}" immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" # Make sure we are using a copy of the annondist file and if not # copy the annondist file and set it immutable copyAnondist "/etc/resolv.conf" copyAnondist "/etc/hosts" copyAnondist "/etc/hostname" # Replace IP addresses in known configuration files / scripts to # currently discovered one /usr/lib/whonix/replace-ips # Make sure hostname is correct /bin/hostname -b host # Start Whonix Firewall export INT_IF="vif+" export INT_TIF="vif+" /usr/bin/whonix_firewall # Route any traffic FROM netvm TO netvm BACK-TO localhost # Allows localhost access to tor network iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 enable() { servicename=${1} grep "^DisableNetwork 0$" /etc/tor/torrc && { # Check to see if the service is already enabled and if not, enable it string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" if ! [ $(find $string 2>/dev/null | wc -l) -eq 1 ] ; then echo "${1} is currently disabled; enabling it" systemctl --quiet enable ${servicename} fi } } #enable tor #enable whonixcheck #enable sdwdate