New version TORtle v0.8

Probably now it does everything it should.
2015-08-30 22:52:13 +02:00 · 2015-08-30 22:52:13 +02:00 · ad72dc6b81
parent 2200cfb041
commit ad72dc6b81
1 changed files with 145 additions and 52 deletions
--- a/modules/tortle
+++ b/modules/tortle
@ -1,7 +1,8 @@
 #!/bin/bash /usr/lib/turtle/turtle_module
-VERSION="0.6"
+VERSION="0.8"
 DESCRIPTION="TORtle - TOR Turtle Gateway + TOR hidden SHELL/Service"
 AUTHOR="Shad"
+CONF="/tmp/tortle.form"

 : ${DIALOG_OK=0}
 : ${DIALOG_CANCEL=1}
@ -11,27 +12,52 @@ AUTHOR="Shad"
 : ${DIALOG_ESC=255}

 function tortlecfg {
-	if [ "$(uci get tortle.version)" != "0.6" ]; then
+	if [ "$(uci get tortle.version)" != "0.8" ]; then
 		rm /etc/config/tortle
 	fi
 	if [ ! -e "/etc/config/tortle" ]; then
 		touch /etc/config/tortle
-		uci set tortle.version="0.6"
-		uci set tortle.socksip="172.16.84.1"
+		uci set tortle.version="0.8"
+		uci set tortle.enableproxy="1"
+		uci set tortle.enabletrans="1"
+		uci set tortle.transport="9040"
+		uci set tortle.socksip="172.16.84.1"   # deprecated
 		uci set tortle.socksport="5090"
 		uci set tortle.tport="22"
 		uci set tortle.lport="22"
 		uci set tortle.forwarding="1"
+		uci set tortle.enablehidden="1"
 		uci set tortle.hiddendir="/etc/tor/hidden"
+		uci set tortle.enablehidden2="0"
+		uci set tortle.hiddendir2="etc/tor/hidden2"
+		uci set tortle.dnsport="9053"
+		uci set tortle.enablecontrol="0"
+		uci set tortle.controlport="9051"
+		uci set tortle.controladdr="172.16.84.1"	# deprecated
+		uci set tortle.hashedpass="16:D2237CB1DA58774A60EF13100BEFEDE024F5C49BA674CE2BEA1032EC38"	# default: test
+		uci set tortle.gateway="0"
 		uci commit tortle
        fi

-	tortle_tport="$(uci get tortle.tport)"
-	tortle_lport="$(uci get tortle.lport)"
-	tortle_socksip="$(uci get tortle.socksip)"
-	tortle_socksport="$(uci get tortle.socksport)"
-	tortle_forwarding="$(uci get tortle.forwarding)"
-	tortle_hiddendir="$(uci get tortle.hiddendir)"
+	tortle_tport="$(uci get tortle.tport)"			# * customizable
+	tortle_lport="$(uci get tortle.lport)"			# * customizable
+	tortle_socksip="$(uci get network.lan.ipaddr)"  	# Use network.lan.ipaddr
+	tortle_socksport="$(uci get tortle.socksport)"		# Use standard default
+	tortle_forwarding="$(uci get tortle.forwarding)" 	# * customizable 
+	tortle_enablehidden="$(uci get tortle.enablehidden)"	# * customizable
+	tortle_hiddendir="$(uci get tortle.hiddendir)"		# 
+	tortle_enablehidden2="$(uci get tortle.enablehidden2)"	# Reserved for future use
+	tortle_hiddendir2="$(uci get tortle.hiddendir2)"	# Reserved for future use
+	tortle_dnsport="$(uci get tortle.dnsport)"		# Use standard default
+	tortle_enableproxy="$(uci get tortle.enableproxy)"	# * customizable
+	tortle_enabletrans="$(uci get tortle.enabletrans)"	# * customizable
+	tortle_transport="$(uci get tortle.transport)"		# Use standard default
+	tortle_enablecontrol="$(uci get tortle.enablecontrol)"	# * customizable
+	tortle_controlport="$(uci get tortle.controlport)"	# Use standard default
+	tortle_controladdr="$(uci get network.lan.ipaddr)"	# Use network.lan.ipaddr
+	tortle_hashedpass="$(uci get tortle.hashedpass)"	# * customizable
+	tortle_gateway="$(uci get tortle.gateway)"		# * customizable
+	tortle_version="$(uci get tortle.version)"

 	if [ -e "$tortle_hiddendir/hostname" ]; then
 		tortle_hostname="$(cat $tortle_hiddendir/hostname)"
@ -42,67 +68,132 @@ function tortlecfg {
 	fi
 }

-# Parameters to configure for torshell: tortle.tport, tortle.lport
-# Parameters to configure for TOR Gateway: tortle.forwarding, tortle.dnsport
-# Parameters in dobt: tortle.socksip, tortle.socksport, tortle.controlport, etc...
-# Maybe allow to configure extra hidden services such a web server, etc... Probably should be done in additional auxiliary modules.
 function configure {
 tortlecfg

-  dialog --title "TORtle" --msgbox "\n\
-NOTE: This is an initial version.\n\\n\
+dialog --ok-label "Submit" \
+    --help-button \
+    --title "TORtle Configuration" \
+    --form "Gateway + TOR Hidden Service configuration\n\n\
+TORGateway, if enabled, automatically and conveniently tunnels ALL eth0 traffic through TOR Transparent Proxy.\n\n\
+Onion Host sets up a hidden service inside the TOR network. By default it is a TORShell (SSH within TOR)\n\n\
+TOR Proxy is just the regular SOCKS proxy through TOR.\n\
+Forwarding enables/disables LAN Turtle IP forwarding to help prevent leaks for Proxy mode.\n \n" 26 60 7\
+        "Onion Host Enable:       ($tortle_hostname)"	1 1     "$tortle_enablehidden"  1 20 5 0 \
+	"    External Port:"	2 1	"$tortle_tport"   	2 20 5 0 \
+    	"       Local Port:"	3 1	"$tortle_lport"		3 20 5 0 \
+	"TOR Proxy  Enable:"   4 1     "$tortle_enableproxy"   4 20 5 0 \
+	"TransProxy Enable:"	5 1	"$tortle_enabletrans"	5 20 5 0 \
+	"TORGateway Enable:" 	6 1	"$tortle_gateway"	6 20 5 0 \
+	"Forwarding Enable:"   7 1     "$tortle_forwarding"    7 20 5 0 \
+  2>$CONF
+
+  return=$?
+
+  case $return in
+    $DIALOG_OK)
+      cat $CONF | { 
+	read -r tortle_enablehidden
+        read -r tortle_tport
+        read -r tortle_lport
+	read -r tortle_enableproxy
+	read -r tortle_enabletrans
+	read -r tortle_gateway
+	read -r tortle_forwarding
+
+	uci set tortle.enablehidden="$tortle_enablehidden"
+	uci set tortle.tport="$tortle_tport"
+        uci set tortle.lport="$tortle_lport"
+        uci set tortle.enableproxy="$tortle_enableproxy"
+        uci set tortle.enabletrans="$tortle_enabletrans"
+	uci set tortle.gateway="$tortle_gateway"
+	uci set tortle.forwarding="$tortle_forwarding"
+        uci commit tortle
+        rm $CONF
+      };;
+    $DIALOG_CANCEL)
+      rm $CONF
+      clear
+      exit;;
+    $DIALOG_HELP)
+      dialog --title "Help" \
+        --msgbox "\
+                     TORtle V$tortle_version\n\n\
 TOR SHELL\n\
 =========\n\
-Until I finish testing and decide which parameters to customize in the gui, these are the defaults:\n\n\
 Hostname: $tortle_hostname\n\
-TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\n\
-
+TOR Port: $tortle_tport (Redirected to localhost:$tortle_lport)\n\
+\n
 TOR GATEWAY\n\
 ===========\n\
-At this time, it is just a regular TOR Proxy but my plan is to evolve it into a much more convenient and secure fully isolating Gateway.\n\n
-The LAN Turtle (with its two ethernet interfaces) is clearly perfect for that purpose, although I have to figure the best way to do it without 
-affecting the functionality of other modules/services that may be running at the same time (some iptables playing needed too).\n\n\
-In the meantime, please notice that DNS or other well known leaks are NOT being actively prevented. Use it accordingly.\n\n\
-TOR Proxy is in $tortle_socksip:$tortle_socksport\n \n" 33 72
+TOR Proxy is at $tortle_socksip:$tortle_socksport\n\
+TOR Transport is at $tortle_socksip:$tortle_transport\n\
+TOR Dnsport is $tortle_dnsport\n\
+\n\n\n\
+For support, please use the LAN Turtle forum at:\n\n\
+https://forums.hak5.org/index.php?/forum/88-lan-turtle/\n\n\
+I need YOUR feedback to help me improve TORtle!\n\n\
+                                        - Shad.\n" 27 60
+      configure
+      ;;
+    $DIALOG_ESC)
+      clear;;
+  esac
 }

-
 function start {
 	tortlecfg
 	if [ ! -e "/usr/sbin/tor" ]; then
 		opkg update && opkg install tor
 	fi
 	if [ ! -e "/var/lib/tor" ]; then
-		mkdir -p /var/lib/tor
-		chown sshd.sshd /var/lib/tor
-		mkdir -p $tortle_hiddendir
+		(
+		mkdir -p /var/lib/tor 
+		chown sshd.sshd /var/lib/tor 
+		mkdir -p $tortle_hiddendir 
 		chown sshd.sshd $tortle_hiddendir
+		) 2> /dev/null
 	fi
 	if [ ! -e "$tortle_hiddendir" ]; then
-		mkdir -p $tortle_hiddendir                                                                                                    
+		(
+		mkdir -p $tortle_hiddendir
 		chown sshd.sshd $tortle_hiddendir          	
+		) 2> /dev/null
 	fi

 	(
 	echo "User sshd"
 	echo "RunAsDaemon 1"
-	echo "PidFile /tmp/run/tor.pid"
+	echo "PidFile /var/run/tor.pid"
 	echo "DataDirectory /var/lib/tor"
-	echo "SocksPort $tortle_socksip:$tortle_socksport"
-	echo "HiddenServiceDir $tortle_hiddendir"
-	echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport"
-	echo "VirtualAddrNetworkIPv4 10.192.0.0/10"
-	echo "AutomapHostsOnResolve 1"
-	echo "TransPort 9040"
-	echo "TransListenAddress $tortle_socksip"
-	echo "DNSPort 9053"
-	echo "DNSListenAddress $tortle_socksip"
+	if [ "$tortle_enableproxy" == "1" ]; then
+		echo "SocksPort $tortle_socksip:$tortle_socksport"
+	fi
+	if [ "$tortle_enablehidden" == "1" ]; then
+		echo "HiddenServiceDir $tortle_hiddendir"
+		echo "HiddenServicePort $tortle_tport 127.0.0.1:$tortle_lport"
+	fi
+	if [ "$tortle_enabletrans" == "1" ]; then
+		echo "VirtualAddrNetworkIPv4 10.192.0.0/10"
+		echo "AutomapHostsOnResolve 1"
+		echo "TransPort $tortle_transport"
+		echo "TransListenAddress $tortle_socksip"
+		echo "DNSPort $tortle_dnsport"
+		echo "DNSListenAddress $tortle_socksip"
+	fi
+	if [ "$tortle_enablecontrol" == "1" ]; then
+		echo "ControlListenAddress $tortle_controladdr"
+		echo "ControlPort $tortle_controlport"
+		echo "HashedControlPassword $tortle_hashedpass"
+	fi
 	) > /tmp/tortlerc
 	tor -f /tmp/tortlerc
-	if [ "$tortle_forwarding" == "0" ]; then
-		iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 9053
-		iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040
-		iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053
+	if [ "$tortle_gateway" == "1" ]; then
+		iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port $tortle_dnsport
+		iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port $tortle_dnsport
+		iptables -t nat -A PREROUTING -i br-lan -p tcp --dest $tortle_socksip -j ACCEPT
+		# Should I add here a rule to allow reaching eth1 network? Perhaps... but is it secure?
+		iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDIRECT --to-port $tortle_transport
 	fi
 	echo "$tortle_forwarding" > /proc/sys/net/ipv4/ip_forward

@ -110,15 +201,18 @@ function start {


 function stop {
+	tortlecfg
 	killall -9 tor
-	if [ "$(uci get tortle.forwarding)" == "0" ]; then
-		echo "1" > /proc/sys/net/ipv4/ip_forward
-		iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 9053
-		iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port 9040           
-		iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 9053
-#		iptables -t nat -D PREROUTING 1
-	fi
-	echo "Tortle Proxy and Tortle Shell have been stopped."
+#	if [ "$tortle_gateway" == "1" ]; then
+	(
+		iptables -t nat -D PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port $tortle_dnsport
+		iptables -t nat -D PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port $tortle_dnsport
+		iptables -t nat -D PREROUTING -i br-lan -p tcp --dest $tortle_socksip -j ACCEPT
+		iptables -t nat -D PREROUTING -i br-lan -p tcp -j REDIRECT --to-port $tortle_transport
+	) 2> /dev/null
+#	fi
+	echo "1" > /proc/sys/net/ipv4/ip_forward
+	echo "All TORtle services and redirections have been disabled."
 }


@ -129,4 +223,3 @@ function status {
 		echo "0"
 	fi
 }
-