From 436ef2192101681cf131e4455ce88cb0fce29f10 Mon Sep 17 00:00:00 2001
From: unman <unman@thirdeyesecurity.org>
Date: Wed, 7 Sep 2022 23:26:33 +0000
Subject: [PATCH] Syncthing - add script to open inbound ports on installation

---
 syncthing/in.sh | 307 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 307 insertions(+)
 create mode 100755 syncthing/in.sh

diff --git a/syncthing/in.sh b/syncthing/in.sh
new file mode 100755
index 0000000..6d1e71c
--- /dev/null
+++ b/syncthing/in.sh
@@ -0,0 +1,307 @@
+#!/usr/bin/bash
+
+get_help(){
+cat <<HERE
+Allow remote access to a named qube.
+
+Syntax: in.sh [-h | [ a|p ]] {add|delete} target {tcp|udp} {port number|service} [external port]
+options:
+h   Print this help
+a   Auto mode
+p   Permanent rules
+
+Specify target qube, action, tcp or udp, and target port, separated by spaces.
+The target port can be given by port number or by name (e.g ssh).
+The action should be "add" or "delete".
+For example:
+	in add target_qube tcp 80 
+	in add target_qube tcp ssh 
+	in delete target_qube tcp https 
+
+By default, the script will open a port on the final netvm which is the same as the target port.
+It is possible to specify an alternative port:
+	in add target_qube tcp ssh 80
+
+In auto mode a port will be opened on the FIRST external interface.
+In permanent mode changes to the firewall will be written in each qube to take effect on qube start up.
+
+DO NOT use this script for qubes behind a Tor or VPN proxy.
+At a minimum you risk breaking the security of those proxies.
+
+HERE
+exit
+}
+
+
+# Check input port
+check_port(){
+if ! [ "$2" -eq "$2" >& /dev/null ];then
+  status=1
+else
+	if [ $2 -lt 65536 ]; then
+		status=0
+		portnum=$2
+	else
+		status=1
+	fi
+fi
+if [ $status -ne 0 ]; then
+  if !  grep -q -w ^$2\  /etc/services  ; then
+    echo "Specify usable port number or service name"
+    exit
+  else
+    portnum=$( getent services $2 |awk '{split($2,a,"/");print a[1]}')
+    if [ $? -ne 0 ]; then
+      echo "Specify usable port number or service name"
+      exit
+		fi
+	fi
+fi
+echo $portnum
+}
+
+
+get_handle(){
+local my_handle=$( qvm-run -q -u root -p $1 " nft -a list table $2|awk 'BEGIN{c=0} /$3/{c++; if (c==$4) print \$NF}' " )
+echo $my_handle
+}
+
+
+#Tunnel through netvms
+tunnel(){
+declare -a my_netvms=("${!1}")
+declare -a my_ips=("${!2}")
+declare -i numhops
+numhops=${#my_ips[@]}
+lasthop=$((numhops-1))
+local i=1
+iface="eth0"
+qvm-run -q -u root ${my_netvms[$lasthop]} " nft list table nat|grep ' $proto dport $portnum dnat to ${my_ips[$numhops-1]}'"
+if [ $? -eq 0 ]; then
+	echo "Are rules already set?"
+	exit
+fi
+while [ $i -ne $numhops ]
+do
+	if [ $i -eq 1 ]; then
+		portnum_used=$external_portnum
+		portnum_target=$portnum
+	else
+		portnum_used=$external_portnum
+		portnum_target=$external_portnum
+	fi
+	echo "${my_netvms[$i]} $portnum_used"
+	if [ $i -eq $lasthop ]; then
+		iface=$external_iface
+	fi
+	# Is it nft or iptables?
+	local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
+	if [[ x$found == 'x' ]]; then
+		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -I QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT"
+		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -t nat -I PR-QBS-SERVICES -i $iface -p $proto --dport $portnum_used -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target"
+    if [ $permanent -eq 1 ]; then
+      qvm-run -q -u root ${my_netvms[$i]} -- "echo iptables -I QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT >> /rw/config/rc.local"
+      qvm-run -q -u root ${my_netvms[$i]} -- "echo iptables -t nat -I PR-QBS-SERVICES -i $iface -p $proto --dport $portnum_used -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
+    fi
+	else
+		qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
+		qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
+    if  [ $permanent -eq 1 ]; then
+      qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
+      qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
+    fi
+	fi
+	((i++))
+done
+}
+
+
+#Teardown - from top netvm down
+teardown(){
+declare -a my_netvms=("${!1}")
+declare -a my_ips=("${!2}")
+declare -i numhops
+numhops=${#my_ips[@]}
+numhops=$((numhops-1))
+local i=$numhops
+iface="eth0"
+echo "Removing firewall rules"
+while [ $i -gt 0 ]
+do
+  if [ $i -eq 1 ]; then
+    portnum_used=$external_portnum
+    portnum_target=$portnum
+  else
+    portnum_used=$external_portnum
+    portnum_target=$external_portnum
+  fi
+	# Is it nft or iptables?
+	echo "${my_netvms[$i]}"
+	local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- "nft list table nat 2>/dev/null" )
+ 	if [[ x$found == 'x' ]]; then
+		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -D QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT"
+		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -t nat -D PR-QBS-SERVICES -i $iface -p $proto --dport $external_portnum -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target"
+    if [ $permanent -eq 1 ]; then
+      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/iptables -D QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT/d' /rw/config/rc.local"
+      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/iptables -t nat -D PR-QBS-SERVICES -i $iface -p $proto --dport $external_portnum -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
+    fi
+	else
+		local handle=$( get_handle ${my_netvms[$i]} nat "dport $external_portnum " 1 )
+		qvm-run -q  -u root ${my_netvms[$i]} -- "nft delete rule nat PR-QBS-SERVICES handle $handle"
+		local handle=$( get_handle ${my_netvms[$i]} filter "dport $external_portnum " 1 )
+		qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule filter QBS-FORWARD handle $handle"
+    if [ $permanent -eq 1 ]; then
+      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d'  /rw/config/rc.local"
+      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d'  /rw/config/rc.local"
+    fi
+	fi
+	((i--))
+done
+local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
+if [[ x$found == 'x' ]]; then
+	qvm-run -q -u root ${my_netvms[$i]} " iptables -D INPUT -p $proto --dport $external_portnum -j ACCEPT"
+else
+	handle=$( get_handle ${my_netvms[$i]} filter "dport $portnum " 1 )
+	qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule filter INPUT handle $handle
+fi
+exit
+}
+
+
+list(){
+return
+}
+
+
+## Defaults
+auto=0
+permanent=0
+
+## Get options
+optstring=":hap"
+while getopts ${optstring} option ; do
+  case $option in
+    h) 
+      get_help
+      exit ;;
+    a)
+      auto=1 ;;
+    p)
+      permanent=1 ;;
+    ?)
+      get_help ;; 
+  esac
+done
+shift $((OPTIND -1))
+
+## Check inputs
+if [ $# -lt 4 ]; then
+	get_help
+fi
+qvm-check -q $2 2>/dev/null
+if [ "$?" -ne 0 ];then
+  echo "$2 is not the name of any qube"
+  exit
+else
+	qube_name=$2
+fi
+if [ "$3" != "tcp" -a "$3" != "udp" ]; then
+  echo "Specify tcp or udp"
+  exit
+else
+	proto=$3
+fi
+portnum=$(check_port $3 $4)
+
+if [ $# -eq 5 ]; then
+	external_portnum=$(check_port $3 $5)
+else
+	external_portnum=$portnum
+fi
+
+# Get all netvms
+declare -a netvms
+declare -a ips
+declare -a external_ips
+hop=0
+netvms[$hop]=$qube_name
+IFS='|' read -r netvms[$hop+1] ips[$hop] <<< $(qvm-ls $qube_name --raw-data -O netvm,IP)
+while [ ${netvms[hop+1]} != "-" ]
+do
+  ((hop++))
+  IFS='|' read -r netvms[$hop+1] ips[$hop] <<< $(qvm-ls ${netvms[$hop]} --raw-data -O netvm,IP)
+done
+if [ $1 == "delete" ]; then
+	teardown netvms[@] ips[@]
+elif [ $1 == "add" ]; then
+	if [ $hop -eq 0 ]; then
+		echo "$qube_name is not network connected"
+		echo "Cannot set up a tunnel"
+		exit
+	fi
+
+	# Check last hop has external IP address 
+	readarray -t external_ips < <( qvm-run -p ${netvms[$hop]} "ip -4 -o a|grep -wv 'lo\|vif[0-9]*.*'"|awk '{print $2,$4}')
+	#readarray -t external_ips < <( qvm-run -p ${netvms[$hop]} "ip -4 -o a|grep -wv 'vif[0-9]'"|awk '{print $2,$4}')
+	num_ifs=${#external_ips[@]}
+	if [ $num_ifs -eq 1 ]; then
+		interface=0
+	elif [ $auto -eq 1 ]; then
+		interface=0
+	elif [ $num_ifs -gt 1 ]; then
+		echo "${netvms[$hop]} has more than 1 external interface"
+		echo "Which one do you want to use?"
+		for i in $(seq $num_ifs)
+		do
+			echo "$i. ${external_ips[$i-1]}"
+		done
+		read interface
+		if ! [ "$interface" -eq "$interface" ] 2> /dev/null; then
+			echo "No such interface"
+			exit
+		elif [ $interface -gt $num_ifs ] || [ $interface -lt 1 ]; then
+			echo "No such interface"
+			exit
+		fi
+		((interface--))
+	else
+		echo "${netvms[$hop]} does not have an external interface"
+    echo "Cannot set up a tunnel"
+    exit
+	fi
+	external_ip=${external_ips[$interface]}
+	external_iface="${external_ip%[[:space:]]*}"
+	ip="${external_ip#*[0-9]}"
+	ip="${ip%%/*}"
+	ips[$hop]=$ip
+
+	# Create tunnel
+	found=$( qvm-run -p -q -u root $qube_name -- nft list table nat 2>/dev/null )
+ 	if [[ x$found == 'x' ]]; then
+		found=$(qvm-run -p -u root $qube_name "iptables -L -nv |grep -c '.*ACCEPT.*$proto dpt:$portnum' ")
+		if [ "$found" -gt 0 ]; then
+			echo "Input rule in $qube_name already exists"
+			echo "Please check configuration - exiting now."
+			exit
+		else
+			qvm-run -q -u root $qube_name  "iptables -I INPUT -p $proto --dport $portnum -j ACCEPT "
+		fi
+	else
+		qvm-run -q -u root $qube_name  "nft list table filter|grep '$proto dport $portnum accept' "
+		if [ $? -eq 0 ]; then
+			echo "Input rule in $qube_name already exists"
+			echo "Please check configuration - exiting now."
+			exit
+		else
+			handle=$( get_handle $qube_name filter related,established 1)
+			qvm-run -q -u root $qube_name -- nft add rule filter INPUT position $handle iifname eth0 $proto dport $portnum accept
+		fi
+	fi
+	tunnel netvms[@] ips[@]
+	if [ $? -ne 0 ]; then
+		teardown netvms[@] ips[@]
+	fi
+else
+	get_help
+fi
+