commit f201878306730677591d08ad6f09965910b97e61 Author: Jacob Appelbaum jacob@appelbaum.net Date: Thu Aug 18 17:06:50 2011 +0200
update torouter_config.sh to copy files --- ...3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key | Bin 0 -> 3742 bytes .../configs/apt-preferences.d-backports | 3 + packages/torouter-prep/configs/armrc.sample.gz | Bin 0 -> 3633 bytes packages/torouter-prep/configs/dnsmasq.conf | 3 +- packages/torouter-prep/configs/inittab | 70 +++++++++++ packages/torouter-prep/configs/interfaces | 10 +- .../configs/modprobe.d-blacklist.conf | 26 ++++ packages/torouter-prep/configs/ntp.conf | 55 ++++++++ packages/torouter-prep/configs/torrc | 31 +++-- packages/torouter-prep/configs/ttdnsd-default | 17 +++ packages/torouter-prep/src/torouter_config.sh | 131 +++++++------------- 11 files changed, 242 insertions(+), 104 deletions(-)
diff --git a/packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key b/packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key new file mode 100644 index 0000000..5b6a4d3 Binary files /dev/null and b/packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key differ diff --git a/packages/torouter-prep/configs/apt-preferences.d-backports b/packages/torouter-prep/configs/apt-preferences.d-backports new file mode 100644 index 0000000..8e9275b --- /dev/null +++ b/packages/torouter-prep/configs/apt-preferences.d-backports @@ -0,0 +1,3 @@ +Package: * +Pin: release a=squeeze-backports +Pin-Priority: 200 diff --git a/packages/torouter-prep/configs/armrc.sample.gz b/packages/torouter-prep/configs/armrc.sample.gz new file mode 100644 index 0000000..c86b6f1 Binary files /dev/null and b/packages/torouter-prep/configs/armrc.sample.gz differ diff --git a/packages/torouter-prep/configs/dnsmasq.conf b/packages/torouter-prep/configs/dnsmasq.conf index 8845e80..2711486 100644 --- a/packages/torouter-prep/configs/dnsmasq.conf +++ b/packages/torouter-prep/configs/dnsmasq.conf @@ -83,9 +83,10 @@ no-poll # interface (eg eth0) here. # Repeat the line for more than one interface. interface=eth1 -#interface=uap0 +interface=uap0 # Or you can specify which interface _not_ to listen on except-interface=eth0 +except-interface=lo # Or which to listen on by address (remember to include 127.0.0.1 if # you use this.) #listen-address= diff --git a/packages/torouter-prep/configs/inittab b/packages/torouter-prep/configs/inittab new file mode 100644 index 0000000..98dca83 --- /dev/null +++ b/packages/torouter-prep/configs/inittab 
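Review bot: In the dnsmasq.conf hunk, `except-interface=lo` stops dnsmasq from answering on loopback but does not stop it from binding the wildcard 0.0.0.0:53, which is exactly where the torrc in this same commit now puts Tor's `DNSListenAddress 127.0.0.1:53`; unless `bind-interfaces` is set somewhere outside this hunk, whichever daemon starts second fails with EADDRINUSE. Add `bind-interfaces` beside the `interface=eth1`/`interface=uap0` lines so dnsmasq binds only those two addresses. Making `interface=uap0` live is what exposes DHCP/DNS to the wireless clients; the DHCP range and upstream `server=` lines that go with it are not visible here.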
@@ -0,0 +1,70 @@ +# /etc/inittab: init(8) configuration. +# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $ + +# The default runlevel. +id:2:initdefault: + +# Boot-time system configuration/initialization script. +# This is run first except when booting in emergency (-b) mode. +si::sysinit:/etc/init.d/rcS + +# What to do in single-user mode. +~~:S:wait:/sbin/sulogin + +# /etc/init.d executes the S and K scripts upon change +# of runlevel. +# +# Runlevel 0 is halt. +# Runlevel 1 is single-user. +# Runlevels 2-5 are multi-user. +# Runlevel 6 is reboot. + +l0:0:wait:/etc/init.d/rc 0 +l1:1:wait:/etc/init.d/rc 1 +l2:2:wait:/etc/init.d/rc 2 +l3:3:wait:/etc/init.d/rc 3 +l4:4:wait:/etc/init.d/rc 4 +l5:5:wait:/etc/init.d/rc 5 +l6:6:wait:/etc/init.d/rc 6 +# Normally not reached, but fallthrough in case of emergency. +z6:6:respawn:/sbin/sulogin + +# What to do when CTRL-ALT-DEL is pressed. +ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now + +# Action on special keypress (ALT-UpArrow). +#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work." + +# What to do when the power fails/returns. +pf::powerwait:/etc/init.d/powerfail start +pn::powerfailnow:/etc/init.d/powerfail now +po::powerokwait:/etc/init.d/powerfail stop + +# /sbin/getty invocations for the runlevels. +# +# The "id" field MUST be the same as the last +# characters of the device (after "tty"). +# +# Format: +# <id>:<runlevels>:<action>:<process> +# +# Note that on most Debian systems tty7 is used by the X Window System, +# so if you want to add more getty's go ahead but skip tty7 if you run X. 
+# +1:2345:respawn:/sbin/getty 38400 tty1 +#2:23:respawn:/sbin/getty 38400 tty2 +#3:23:respawn:/sbin/getty 38400 tty3 +#4:23:respawn:/sbin/getty 38400 tty4 +#5:23:respawn:/sbin/getty 38400 tty5 +#6:23:respawn:/sbin/getty 38400 tty6 + +# Example how to put a getty on a serial line (for a terminal) +# +#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100 +#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100 + +# Example how to put a getty on a modem line. +# +#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3 + +T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux diff --git a/packages/torouter-prep/configs/interfaces b/packages/torouter-prep/configs/interfaces index d1a5fa6..903bdb4 100644 --- a/packages/torouter-prep/configs/interfaces +++ b/packages/torouter-prep/configs/interfaces @@ -30,9 +30,9 @@ iface uap0 inet static broadcast 172.16.23.255 pre-up ifconfig uap0 hw ether 00:66:66:66:66:66 post-up /etc/init.d/tor reload - #post-up /etc/init.d/udhcpd restart post-up /etc/init.d/dnsmasq restart - post-up /root/tor-wireless-firewall.sh - post-up /root/uaputl/uaputl sys_cfg_ssid "torproject" - post-up /root/uaputl/uaputl bss_start - pre-down /root/uaputl/uaputl bss_stop + post-up /etc/init.d/ttdnsd restart + post-up /usr/bin/uaputl sys_cfg_ssid "torproject" + post-up /usr/bin/uaputl bss_start + post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh + pre-down /usr/bin/uaputl bss_stop diff --git a/packages/torouter-prep/configs/modprobe.d-blacklist.conf b/packages/torouter-prep/configs/modprobe.d-blacklist.conf new file mode 100644 index 0000000..87c6fbe --- /dev/null +++ b/packages/torouter-prep/configs/modprobe.d-blacklist.conf 
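Review bot: The inittab is a verbatim Debian default except for the final `T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux` line, and nothing marks that line as deliberate, so a later refresh from upstream could silently drop it or leave two gettys on the console. Add `# Torouter: login prompt on the DreamPlug UART; anyone with the serial cable gets this` above it. Whether root may log in on ttyS0 is decided by /etc/securetty, which this commit does not touch, so that is worth checking on the image.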
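Review bot: The interfaces hunk moves `tor-wireless-firewall.sh` from before `uaputl bss_start` to after it, so clients can associate to the "torproject" AP before the firewall rules for uap0 are loaded; keep the firewall line ahead of the two uaputl lines as the removed lines had it. The script is also now run from `/usr/share/torouter-prep/example-configs/`, while torouter_config.sh in this same commit sets `config_dir` to `/usr/share/doc/torouter-prep/example-configs/`; one of those paths is presumably wrong, and a missing post-up command only makes ifup complain while, as far as I recall, the interface stays up. Proposed order after the restarts: `post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh`, then `post-up /usr/bin/uaputl sys_cfg_ssid "torproject"`, then `post-up /usr/bin/uaputl bss_start`.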
@@ -0,0 +1,26 @@ +# This file lists modules which will not be loaded as the result of +# alias expansion, with the purpose of preventing the hotplug subsystem +# to load them. It does not affect autoloading of modules by the kernel. +# This file is provided by the udev package. + +# evbug is a debug tool and should be loaded explicitly +blacklist evbug + +# these drivers are very simple, the HID drivers are usually preferred +blacklist usbmouse +blacklist usbkbd + +# replaced by e100 +blacklist eepro100 + +# replaced by tulip +blacklist de4x5 + +# replaced by tmscsim +blacklist am53c974 + +# these watchdog drivers break some systems +blacklist iTCO_wdt + + +blacklist ipv6 diff --git a/packages/torouter-prep/configs/ntp.conf b/packages/torouter-prep/configs/ntp.conf new file mode 100644 index 0000000..cb7d021 --- /dev/null +++ b/packages/torouter-prep/configs/ntp.conf 
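Review bot: `blacklist ipv6` only suppresses alias-driven autoloading, as the file's own header states, so it does nothing if something requests the module by name and nothing at all where ipv6 is built into the kernel; `install ipv6 /bin/true` is the form that actually refuses the load, and the `disable_ipv6` sysctl written elsewhere in this commit is the dependable switch either way. The file is also a full copy of udev's `/etc/modprobe.d/blacklist.conf` (the header says udev provides it), so the next udev upgrade will prompt on or overwrite the conffile. Put the one Torouter line in its own file, e.g. `modprobe.d-torouter.conf` installed as `/etc/modprobe.d/torouter.conf`, containing `# Torouter: IPv6 is disabled for now, see /etc/sysctl.d/disableipv6.conf` and `install ipv6 /bin/true`.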
@@ -0,0 +1,55 @@ +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + + +# You do need to talk to an NTP server or two (or three). +#server ntp.your-provider.example + +# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will +# pick a different set every time it starts up. Please consider joining the +# pool: http://www.pool.ntp.org/join.html +server 0.debian.pool.ntp.org iburst +server 1.debian.pool.ntp.org iburst +server 2.debian.pool.ntp.org iburst +server 3.debian.pool.ntp.org iburst + + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page http://support.ntp.org/bin/view/Support/AccessRestrictions +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. 
Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient diff --git a/packages/torouter-prep/configs/torrc b/packages/torouter-prep/configs/torrc index b4c5de3..7a12e73 100644 --- a/packages/torouter-prep/configs/torrc +++ b/packages/torouter-prep/configs/torrc @@ -35,7 +35,7 @@ SocksListenAddress 127.0.0.1 # accept connections only from localhost ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log Log notice file /var/log/tor/notices.log ## Send every possible message to /var/log/tor/debug.log -Log debug file /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log ## Use the system log instead of Tor's logfiles #Log notice syslog ## To send all messages to stderr: @@ -67,8 +67,9 @@ DataDirectory /var/lib/tor ## HiddenServicePort x y:z says to redirect requests on port x to the ## address y:z.
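Review bot: This is an ntpd-syntax file (`driftfile`, `restrict`, `server ... iburst`), but the install step in torouter_config.sh pulls `openntpd` from squeeze-backports, which on Debian reads `/etc/openntpd/ntpd.conf` in its own syntax as far as I know; unless classic ntp is installed somewhere not shown, copying this to /etc/ntp.conf configures nothing, and Tor will not work with a badly skewed clock. Either install `ntp` or ship an openntpd `ntpd.conf` with `servers 0.debian.pool.ntp.org` lines. The `restrict ... noquery` defaults are the right ones for a box whose eth0 faces the internet; `restrict -6 default` is moot since the commit disables IPv6.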
-HiddenServiceDir /var/lib/tor/hidden_service/
-HiddenServicePort 22 127.0.0.1:22
+# Uncomment this to allow ssh access to the Torouter over your own Hidden Service
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 22 127.0.0.1:22
 #HiddenServiceDir /var/lib/tor/other_hidden_service/
 #HiddenServicePort 80 127.0.0.1:80
@@ -78,16 +79,15 @@ HiddenServicePort 22 127.0.0.1:22
 #
 ## See https://www.torproject.org/docs/tor-doc-relay for details.
-## Required: what port to advertise for incoming Tor connections.
-ORPort 9001
+### Required: what port to advertise for incoming Tor connections.
+ORPort 9001
 ## If you want to listen on a port other than the one advertised
 ## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
 ## line below too. You'll need to do ipchains or other port forwarding
 ## yourself to make this work.
 #ORListenAddress 0.0.0.0:9090
-
-## A handle for your relay, so people don't have to refer to it by key.
-#Nickname ididnteditheconfig
+#ORListenAddress 0.0.0.0:9090
+Nickname Torouter
 ## The IP address or full DNS name for your relay. Leave commented out
 ## and Tor will guess.
@@ -150,9 +150,10 @@ ORPort 9001
 ## ISP is filtering connections to all the known Tor relays, they probably
 ## won't be able to block all the bridges. Also, websites won't treat you
 ## differently because they won't know you're running Tor. If you can
-## be a real relay, please do; but if not, be a bridge!
-#BridgeRelay 1
+# be a real relay, please do; but if not, be a bridge!
 ExitPolicy reject *:*
+ExitPolicy accept *:*
+
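Review bot: `Nickname Torouter` is hard-coded, so every device built from this package advertises the same nickname next to a live `ORPort 9001`; Tor accepts duplicate nicknames, but it labels the hardware model in the public consensus for anyone enumerating relays. If that is intended, record it with `# Shared nickname on purpose: identifies the relay as a Torouter`, otherwise generate it at configure time. The `### Required:` triple hash and the second `#ORListenAddress 0.0.0.0:9090` line look like editing leftovers.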
AvoidDiskWrites 1
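Review bot: `ExitPolicy accept *:*` is added directly after `ExitPolicy reject *:*`; Tor applies ExitPolicy lines in order with first match winning, so the new line is dead today and the relay still exits nothing, but anyone who later reorders or deletes the reject line turns every Torouter into an open exit with no other change. Drop the accept line, or make the intent explicit with `ExitPolicy reject *:*   # non-exit relay: never add accept lines below this`. The same hunk deletes `#BridgeRelay 1`, so with `ORPort 9001` active the device is now a public relay rather than the bridge the old inline torrc configured; that is a design change worth stating in the commit message rather than under "copy files".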
@@ -160,14 +161,16 @@ AvoidDiskWrites 1
 VirtualAddrNetwork 10.192.0.0/10
 AutomapHostsOnResolve 1
 TransPort 9040
-TransListenAddress 172.16.23.1
+TransListenAddress 172.16.23.1
 DNSPort 5353
-DNSListenAddress 172.16.23.1
+DNSListenAddress 172.16.23.1
+DNSListenAddress 127.0.0.1:53
User debian-tor
-PortForwarding 1
-PortForwardingHelper /usr/local/bin/tor-fw-helper
+# By default we do not have PortForwarding support
+# PortForwarding 1
+# PortForwardingHelper /usr/local/bin/tor-fw-helper
PIDFile /var/run/tor/tor.pid
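Review bot: `DNSListenAddress 127.0.0.1:53` has Tor bind a privileged port on loopback; Tor opens its listeners before switching to `User debian-tor`, so the initial start works, but it collides with dnsmasq unless dnsmasq binds only its own interfaces, and the dnsmasq.conf in this commit adds only `except-interface=lo` with no `bind-interfaces` in view. A comment on the new line would pin the dependency: `# resolver for the router itself; dnsmasq must not bind lo (bind-interfaces)`. The `DNSPort 5353` and `TransPort 9040` listeners on 172.16.23.1 are reachable by every wireless client by design, and nothing in this commit restricts them, since ufw is installed but left unconfigured.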
diff --git a/packages/torouter-prep/configs/ttdnsd-default b/packages/torouter-prep/configs/ttdnsd-default new file mode 100755 index 0000000..0a22bc4 --- /dev/null +++ b/packages/torouter-prep/configs/ttdnsd-default @@ -0,0 +1,17 @@ +# /etc/default/ttdnsd + +# Address to bind to - usually this should be 127.0.0.1 +# unless a copy of ttdnsd runs on 127.0.0.n +ADDR_ARG="-b 172.16.23.1" + +# Port to listen on - almost always this should be port 53 +# unless an additional local DNS cache (like unbound, dnscache, pdnsd) +# listen on port 53 as system resolver and is used in front of ttdnsd +# for caching purposes. +PORT_ARG="-p 5354" + +# Debug logging +# DEBUG_LOGGING="-l" + +# Glue all of it together below +DEFAULTS="$ADDR_ARG $PORT_ARG" diff --git a/packages/torouter-prep/src/torouter_config.sh b/packages/torouter-prep/src/torouter_config.sh index 7c79862..aec9b48 100644 --- a/packages/torouter-prep/src/torouter_config.sh +++ b/packages/torouter-prep/src/torouter_config.sh @@ -1,60 +1,47 @@ #!/bin/bash -x
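Review bot: The ttdnsd-default file is added with mode 100755, but it is an /etc/default fragment that the init script sources rather than executes, so the exec bit should go. Binding ttdnsd to `172.16.23.1:5354` exposes it to every wireless client directly rather than only through dnsmasq; that is acceptable for a resolver that speaks only to Tor, but if it is meant to sit behind dnsmasq the header's own advice (`usually this should be 127.0.0.1`) applies and dnsmasq would forward to it on loopback. The dnsmasq `server=` line that would settle this is not in the commit.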
+export VERSION="0.1"
+
 echo "This program will reconfigure your Debian system into a Torouter"
 exit 0
 echo "This is where we'd take over the entire Torouter system"
 # For every file we touch, move it to the temp_dir and then tar it up in the end
-temp_dir="`mktemp -d`"
-config_dir="/usr/share/doc/torouter-prep/example-configs/"
+export temp_dir="`mktemp -d`"
+export config_dir="/usr/share/doc/torouter-prep/example-configs/"
-# Add a user
-ADMINUSER="toradmin"
-ADMINGROUP="toradmin"
+# Add a user to administrate the Torouter later
+export ADMINUSER="torouter"
+export ADMINGROUP="torouter"
-# Install the Tor repo key
-gpg --keyserver keys.gnupg.net --recv 886DDD89
-gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
+addgroup $ADMINGROUP
+useradd -g $ADMINGROUP -s /bin/bash $ADMINUSER
-cp /etc/hosts $temp_dir/
-# Stomp on the hosts file
-cat << EOF > /etc/hosts
-127.0.0.1 localhost
-EOF
+# Install the Tor repo key
+# gpg --keyserver keys.gnupg.net --recv 886DDD89
+# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
+apt-get add $config_dir/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key
-cp /etc/hostname $temp_dir/
-# Set us to have a default host name
-cp /usr/share/doc/
+# Set us to have a default host name and hosts file
+cp $config_dir/hostname /etc/hostname
+cp $config_dir/hosts /etc/hosts
 # We need to prep apt to understand that we want packages from other repos
-# We append to the current package list
-cat << EOF >> /etc/apt/sources.list
-# Tor's debian package repo:
-deb http://deb.torproject.org/torproject.org squeeze main
-deb http://deb.torproject.org/torproject.org experimental-squeeze main
-
-# Add Debian backports for OpenNTPD, libminiupnpc-dev, libminiupnpc5
-# http://packages.debian.org/squeeze-backports/libminiupnpc-dev
-deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
-
-# Add Debian experimental for libnatpmp0
-# http://packages.debian.org/experimental/libnatpmp0
-deb http://ftp.debian.org/debian experimental main
-deb-src http://ftp.debian.org/debian experimental main
-
-EOF
+cp $config_dir/sources.list /etc/apt/sources.list
 # We're creating this file to ensure we get updates
-cat << 'EOF' > /etc/apt/preferences.d/backports
-Package: *
-Pin: release a=squeeze-backports
-Pin-Priority: 200
-EOF
+cp $config_dir/apt-preferences.d-backports /etc/apt/preferences.d/backports
apt-get -y update
+# Remove a bunch of stuff:
+apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus
+
+# Install the weird wireless control for the DreamPlug
+apt-get install -y -t sid uaputl
+
 # Install some other packages here:
-apt-get -y install denyhosts ufw
+apt-get -y install denyhosts ufw
 # Allow us to set the clock:
 apt-get -y -t squeeze-backports install openntpd
@@ -63,6 +50,7 @@ apt-get -y -t squeeze-backports install openntpd
 apt-get -y install tor tor-geoipdb
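Review bot: `apt-get add $config_dir/...apt-key` is not an apt-get subcommand, so the shipped key is never imported and the Tor repository stays unsigned; the later `apt-get -y install tor tor-geoipdb` will then refuse the unauthenticated packages (or tempt someone into `--force-yes`). The line should be `apt-key add "$config_dir/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key"`; shipping the key as a file instead of fetching short ID `886DDD89` from a keyserver is the right move, since 32-bit key IDs are trivially collidable. `apt-get install -y -t sid uaputl` mixes unstable into a squeeze image and can pull sid's libc along with it, so pin only that package, and `useradd` without `-m` leaves `torouter` with no home directory, which the `.armrc` write later in this diff relies on. The script still runs under `bash -x` with no `set -e`, so a failed step such as the key import shows up only in trace output.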
 # To build with natpmp support
+apt-get -y -t experimental install libnatpmp-dev
 apt-get -y -t experimental install libnatpmp0
 # To build with miniupnpc support
@@ -76,6 +64,9 @@ apt-get -y -t squeeze-backports install libminiupnpc5
 # Install a Tor controller:
 apt-get -y install tor-arm
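Review bot: `libnatpmp-dev` is a build-time header package pulled from experimental onto a runtime image, and the torrc in this same commit comments out `PortForwarding`/`PortForwardingHelper`, so neither it nor the `libnatpmp0`/`libminiupnpc` installs appear to serve anything any more. If tor-fw-helper is still built on the device somewhere not shown, say so in the comment, e.g. `# To build tor-fw-helper with natpmp support (needs the -dev headers)`; otherwise drop the line to keep experimental packages off the router.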
+# Install the ttdnsd program:
+apt-get -y install ttdnsd
+
 # Install a normal dns cache for eth1
 apt-get -y install dnsmasq
@@ -84,65 +75,36 @@ apt-get -y install dnsmasq
 ##
 # Configure arm
-zcat /usr/share/doc/tor-arm/armrc.sample.gz > ~$(ADMINUSER)/.armrc
-# XXX This is where we will call torrc-takeover.py when it is packaged
+zcat $config_dir/armrc.sample.gz > ~$(ADMINUSER)/.armrc
-# XXX We should reconfigure /etc/inittab here
+# Reconfigure /etc/inittab here
+cp $config_dir/inittab /etc/inittab
 # Configure the network
 # eth0 is our "internet" interface with a dhcp client
-cat << 'EOF' > /etc/network/interfaces
-# The primary network interface
-allow-hotplug eth0
-iface eth0 inet dhcp
+cp $config_dir/interfaces /etc/network/interfaces
-#
-# XXX Configure eth1 and ap0 here
-#
+# Configure dnsmasq
+cp $config_dir/dnsmasq.conf /etc/dnsmasq.conf
-EOF
+# Configure ntp
+cp $config_dir/ntp.conf /etc/ntp.conf
 # XXX We should configure ufw here
-# ufw allow
 # XXX We should configure denyhosts
-# XXX We should configure dnsmasq
-# XXX We should configure the DHCP server here
-
-cp /etc/tor/torrc $temp_dir/
-# configure Tor and stomp on the current Tor config
-cat << 'EOF' > /etc/tor/torrc
-# Run Tor as a bridge/relay only, not as a client
-SocksPort 0
-
-# What port to advertise for incoming Tor connections
-ORPort 443
-# We're on a flash file system
-AvoidDiskWrites 1
+cp $config_dir/torrc /etc/tor/torrc
+cp $config_dir/ttdnsd-default /etc/default/ttdnsd
-# Be a bridge
-BridgeRelay 1
+# Configure sshd
+cp $config_dir/sshd_config /etc/ssh/sshd_config
-# Rate limited
-BandwidthRate 50KB
-
-# Don't allow any Tor traffic to exit
-Exitpolicy reject *:*
-
-# Allow a controller (tor-arm) on this system to configure Tor:
-ControlPort 9051
-ControlListenAddress 127.0.0.1:9051
-CookieAuthentication 1
-EOF
-
-# Remove a bunch of stuff:
-apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus
+# Clean up our cache
+apt-get -y clean
-## Disable ipv6 support
-cp /etc/sysctl.d/disableipv6.conf $temp_dir/
+## Disable ipv6 support for now
+cp $config_dir/modprobe.d-blacklist.conf /etc/modprobe.d/blacklist.conf
 echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
-cp /etc/sshd_config $temp_dir/
-echo "AddressFamily inet" >> /etc/ssh/ssh_config
 ##
 ## Restart services here
@@ -150,9 +112,10 @@ echo "AddressFamily inet" >> /etc/ssh/ssh_config
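Review bot: `~$(ADMINUSER)/.armrc` is a command substitution, not a variable reference: bash tries to run a command named `ADMINUSER`, prints an error, and the redirect collapses to `~/.armrc`, i.e. root's home; the new zcat line carries the old bug forward instead of fixing it. Tilde expansion does not apply to a variable either, so resolve the home from passwd: `home=$(getent passwd "$ADMINUSER" | cut -d: -f6)`, then `zcat "$config_dir/armrc.sample.gz" > "$home/.armrc"` and `chown "$ADMINUSER:$ADMINGROUP" "$home/.armrc"`, which also needs `useradd -m` earlier in the file. The header comment still promises every touched file is saved to `$temp_dir` and tarred up, but this hunk removes the last `cp ... $temp_dir/` lines, so interfaces, torrc, sshd_config and udev's `/etc/modprobe.d/blacklist.conf` are now overwritten with no backup; restore the copies or rewrite that comment. `sshd_config`, `hostname`, `hosts` and `sources.list` are copied from `$config_dir` but are absent from this commit's diffstat, so confirm they are shipped; every `cp` here is also unquoted and unchecked, and a missing source file would pass silently under `bash -x`.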
 /etc/init.d/ssh restart
 /etc/init.d/tor restart
+/etc/init.d/ttdnsd restart
 ##
 ## Touch a stamp to show that we're now a Torouter
 ##
-echo "torouter" > /etc/torouter
+echo "torouter $VERSION" > /etc/torouter
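Review bot: `/etc/init.d/ssh restart` now runs right after an unseen `sshd_config` has been copied over the live one, on a headless device whose only other console is the serial port; a syntax error or a `ListenAddress` that no longer matches locks the admin out. Validate first: `sshd -t || { echo "sshd_config rejected, not restarting ssh" >&2; exit 1; }`. The added `ttdnsd` restart is fine, but dnsmasq and networking are reconfigured above and not restarted here, which is presumably left to the `post-up` lines in the new interfaces file; the `$VERSION` stamp is a reasonable way to tell re-runs apart.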