LiveCD

From TorK

The TorK project offers a CD that allows you to use TorK on any computer.

For information on how to download the CD, see TorK LiveCD.

Please note that the CD is still under development, so the downloadable CD may lag behind the document described below.

The rest of this document shows you how the CD was created. It is based on the remastering howto available at knoppix.net.

(Note: commands should appear on one line, so please maximize the window. If you have any comments/suggestions please post below.)


Overview

Creating a Live CD involves the following steps:

  • Copying various portions of the CD to two separate folders on a hard drive.
  • Modifying the copied contents to suit your purposes.
  • Rolling your modified contents into a new disk image and writing the image to a CD.

It is a time-consuming process and you may encounter weird errors. These generally occur when you've missed a step!

Various bits and pieces I used when creating my own live cd are available at http://tork.sourceforge.net/livecd/.

Suggestions:

  • When completing the 'Setting up the Remastering Environment' section, work directly from a fully booted KNOPPIX session.
  • For the 'Installing Software' section, boot fully into KNOPPIX again and follow the procedure described in 'Configuring User Applications and the User Workspace'. This will give you a working text console environment.
  • Any operation that involves editing files in the KNOPPIX source or master directories, such as most of 'Adding Tor Branding to the LiveCD', can be done from your normal installed OS. You just have to be root.
  • I recommend doing the final creation of the ISO image in your installed OS.
  • Make sure you have the latest version of cloop-utils installed on your OS (it provides create_compressed_fs, used in the final step).

System Requirements

  • CD-ISO
    • at least 1 GB of FREE RAM+swap in total (e.g. 256 MB RAM and 750 MB swap AVAILABLE), unless you use a different compression program; the Knoppix remastering howto covers compressloop as an alternative
    • 3 GB free on a Linux filesystem (ext2/3, xfs, etc.) formatted disk partition
  • DVD-ISO
    • 5 GB free RAM + swap (for fullsized DVD)
    • 15 GB free on a Linux filesystem (ext2/3, xfs, etc.) formatted disk partition

Instructions

Setting up the Remastering Environment

In this section we copy all the files we need from the KNOPPIX LiveCD to a hard drive. One set of files goes in a 'master' directory - the bare bones of the eventual CD image. The other set of files goes in a 'source' directory - this is the OS instance which we need to configure and install stuff to.

  1. Boot from the Knoppix CD
  2. Open a root shell:
    • Menu: Kmenu->Knoppix->Root Shell
    • Or enter 'su' in a konsole session.
    • Note: All commands below are run from this root shell.
  3. Configure your Internet connection (we'll need this later). If you use DHCP, it should already be configured.
    • Note: Run ifconfig to check.
  4. Find the partition you will use to work on. In this example it is called hda1. The partition should have a minimum of 3 GB free space.
  5. Mount the partition read/write:
    • mount -rw /dev/hda1 /mnt/hda1
    • Note: Make sure that it is mounted read/write, and without the nodev option, or you will get errors when you later chroot. To check: run mount
  6. Create a root directory to work in -- if you put all your files here it will be easy to clean up:
    • mkdir /mnt/hda1/knx
  7. If you don't have 1 GB of RAM plus swap (check with: egrep "(MemTotal|SwapTotal)" /proc/meminfo) then you will need a swapfile:
    • cd /mnt/hda1/knx
      dd if=/dev/zero of=swapfile bs=1M count=750
      mkswap swapfile
      swapon swapfile
  8. Make two directories on the partition, one for your new master CD and one for the source. Also make a KNOPPIX directory under each of them:
    • mkdir -p /mnt/hda1/knx/master/KNOPPIX
      mkdir -p /mnt/hda1/knx/source/KNOPPIX
  9. Now copy the KNOPPIX files to your source directory:
    • cp -Rp /KNOPPIX/* /mnt/hda1/knx/source/KNOPPIX
    • Note: This will take a long time (you are copying about 2 GB). Warning: you will be tempted to replace this copy command with a much faster procedure: create an empty directory, then use unionfs to merge the empty directory with /KNOPPIX in order to create the read-write copy. However, as of Knoppix 4.0.2, there is a bug in unionfs that causes this faster procedure to fail. For now, stick with the copy command shown above.
  10. Additionally, copy the 'boot' folder from your CD-ROM; you'll need these files to build the ISO later.
    • cp -ar /cdrom/boot /mnt/hda1/knx/master/boot
  11. For Knoppix 5.0.1 you also have to copy the 'modules' folder:
    • cp -ar /cdrom/KNOPPIX/modules /mnt/hda1/knx/master/KNOPPIX/.
  12. Copy the main HTML page for the startup page:
    • cp /cdrom/index.html /mnt/hda1/knx/master/
  13. Copy all remaining files except the ~700 MB KNOPPIX file (the -size filter skips anything of 10 MB or more):
    • < 3.4:
      • cd /cdrom/KNOPPIX && find . -size -10000k -type f -exec cp -p --parents '{}' /mnt/hda1/knx/master/KNOPPIX/ \;
    • >= 3.4:
      • cd /cdrom && find . -size -10000k -type f -exec cp -p --parents '{}' /mnt/hda1/knx/master/ \;
    • for the DVD version you have to use -size -15000k and copy the KNOPPIX2 folder like this:
      • cp /cdrom/KNOPPIX/KNOPPIX2 /mnt/hda1/knx/master/KNOPPIX/
  14. Set up the environment for chroot by bind-mounting the host's /dev and /proc into the copy:
    • mount --bind /dev /mnt/hda1/knx/source/KNOPPIX/dev
    • mount --bind /proc /mnt/hda1/knx/source/KNOPPIX/proc
  15. Now you can "chroot" into the copied KNOPPIX:
    • chroot /mnt/hda1/knx/source/KNOPPIX
  16. If you see errors regarding /dev/null, the working partition is almost certainly mounted with the nodev option. Remount it without (mount -o remount,dev /mnt/hda1) and chroot again.

You are now chrooted. "/" is actually "/mnt/hda1/knx/source/KNOPPIX"
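The steps above, gathered into one script to run from the booted Knoppix root shell. This is an added example and not part of the TorK or Knoppix howto; it assumes only this page's layout (the working partition at the path you pass, e.g. /mnt/hda1, and everything under knx/ below it) and the 1 GB RAM+swap target. The mount-option and memory checks read the /proc/mounts and /proc/meminfo formats from any file, so they can be tried against a saved table without being root; the copy and chroot steps need root on the Knoppix system itself.

```shell
#!/bin/bash
# Set up the Knoppix remastering environment with the checks the steps above rely on.
# Added example; not from the TorK or Knoppix howto. Assumes the page's layout:
# the working partition is mounted at $1 (e.g. /mnt/hda1) and everything goes under $1/knx.

# Succeed only if MOUNTPOINT is mounted read-write and without nodev/noexec.
# Reads a /proc/mounts-style table (second argument, default /proc/mounts) so it
# can be checked against a saved copy as well as the live system.
mount_opts_ok() {   # mount_opts_ok MOUNTPOINT [MOUNTS_FILE]
    local opts
    opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "${2:-/proc/mounts}")
    [ -n "$opts" ] || { echo "$1 is not mounted" >&2; return 1; }
    case ",$opts," in
        *,ro,*)     echo "$1 is read-only: mount -o remount,rw $1" >&2; return 1 ;;
        *,nodev,*)  echo "$1 has nodev: chroot fails on /dev/null, apt-get with 'Bad file descriptor'" >&2; return 1 ;;
        *,noexec,*) echo "$1 has noexec: nothing inside the chroot will execute" >&2; return 1 ;;
    esac
}

# MemTotal + SwapTotal in kB from a /proc/meminfo-style file (default /proc/meminfo).
mem_plus_swap_kb() {   # mem_plus_swap_kb [MEMINFO_FILE]
    awk '/^(MemTotal|SwapTotal):/ { s += $2 } END { print s + 0 }' "${1:-/proc/meminfo}"
}

# Megabytes of swapfile needed to reach NEED_MB (default 1024) given HAVE_KB; 0 if enough.
swapfile_mb_needed() {   # swapfile_mb_needed HAVE_KB [NEED_MB]
    local need=${2:-1024} have_mb=$(( $1 / 1024 ))
    if [ "$have_mb" -ge "$need" ]; then echo 0; else echo $(( need - have_mb )); fi
}

# Steps 4-16 of the section above: copy the CD, bind-mount /dev and /proc, chroot,
# and undo the bind mounts when the chroot shell exits (they must not end up in the image).
setup_remaster() {   # setup_remaster /mnt/hda1
    local work="$1" knx="$1/knx" mb
    mount_opts_ok "$work" || return 1
    mkdir -p "$knx/master/KNOPPIX" "$knx/source/KNOPPIX"
    mb=$(swapfile_mb_needed "$(mem_plus_swap_kb)")
    if [ "$mb" -gt 0 ]; then
        dd if=/dev/zero of="$knx/swapfile" bs=1M count="$mb"
        chmod 600 "$knx/swapfile" && mkswap "$knx/swapfile" && swapon "$knx/swapfile"
    fi
    cp -Rp /KNOPPIX/* "$knx/source/KNOPPIX"
    cp -ar /cdrom/boot "$knx/master/boot"
    if [ -d /cdrom/KNOPPIX/modules ]; then           # Knoppix 5.0.1
        cp -ar /cdrom/KNOPPIX/modules "$knx/master/KNOPPIX/"
    fi
    cp /cdrom/index.html "$knx/master/"
    ( cd /cdrom && find . -size -10000k -type f -exec cp -p --parents '{}' "$knx/master/" \; )
    cp /etc/dhcpc/resolv.conf "$knx/source/KNOPPIX/etc/dhcpc/resolv.conf"   # DNS inside the chroot
    mount --bind /dev  "$knx/source/KNOPPIX/dev"
    mount --bind /proc "$knx/source/KNOPPIX/proc"
    chroot "$knx/source/KNOPPIX" /bin/bash
    umount "$knx/source/KNOPPIX/proc" "$knx/source/KNOPPIX/dev"
}

if [ "$#" -eq 1 ]; then
    setup_remaster "$1"
fi
```

Run it as root from the Knoppix root shell with the mount point of your working partition as the single argument; when you leave the chroot shell the bind mounts are removed, so a later mkisofs cannot pick up the host's /proc or /dev.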

Installing Software

Remember that anything you do or create in the chrooted environment will get burned to the CD. If you make any changes (e.g., to the APT configuration, proxy settings or resolv.conf), make a note to back them out before remastering.

Internet Access

To use the Internet from inside the chroot you need a working /etc/resolv.conf there: either edit it to add your nameserver, or exit the chroot and copy the outer one into the chroot:

cp /etc/dhcpc/resolv.conf /mnt/hda1/knx/source/KNOPPIX/etc/dhcpc/resolv.conf

(Proxies, a.k.a. doing it at work: type "export http_proxy=http://your.proxy.com:<port>" inside the chroot.)
To check your chrooted internet connection:

ping google.com

(If ICMP is blocked at a corporate firewall, try "lynx http://www.google.com" and see if you get the page after a cookie "allow" prompt.)


Installing Tor

Add the following lines to the top of /etc/apt/sources.list:

 deb     http://mirror.noreply.org/pub/tor sarge main
 deb-src http://mirror.noreply.org/pub/tor sarge main
 deb     http://mirror.noreply.org/pub/tor experimental-0.1.2.x-sarge main
 deb-src http://mirror.noreply.org/pub/tor experimental-0.1.2.x-sarge main

Then do:

 apt-get update
 apt-get install mixminion
 apt-get install tor

To open the ControlPort on Tor (so that TorK can talk to it), edit the torrc in the chroot:

 vi /mnt/hda1/knx/source/KNOPPIX/etc/tor/torrc

(that is /etc/tor/torrc when you are inside the chroot) and uncomment the line with 'ControlPort 9051' in it. Note that a ControlPort with no authentication configured lets any local process reconfigure Tor; that is acceptable on a single-user LiveCD but not on a shared machine.

Installing Privoxy

First install:

 apt-get install privoxy

Then copy the following into /mnt/hda1/knx/source/KNOPPIX/etc/privoxy/config (/etc/privoxy/config from inside the chroot):

 forward-socks4a             /     127.0.0.1:9050 .
 forward         192.168.*.*/     .
 forward            10.*.*.*/     .
 forward           127.*.*.*/     .
 forwarded-connect-retries  0
 user-manual /usr/share/doc/privoxy/user-manual
 confdir /etc/privoxy
 logdir /var/log/privoxy
 actionsfile standard  # Internal purpose, recommended
 actionsfile global    # Global default setting for all sites
 actionsfile default   # Main actions file
 actionsfile user      # User customizations
 filterfile default.filter
 logfile logfile
 debug   1    # show each GET/POST/CONNECT request
 debug   4096 # Startup banner and warnings
 debug   8192 # Errors - *we highly recommended enabling this*
 listen-address  127.0.0.1:8118
 toggle  1
 enable-remote-toggle  0
 enable-remote-http-toggle  1
 enable-edit-actions 0
 buffer-limit 4096

Two settings above are worth a second look before you ship the image. With enable-remote-http-toggle 1, any client that can add an X-Filter: No header to a request (including code running in the browser) switches Privoxy's filtering off for that request; unless you need that, set it to 0. And debug 1 writes every requested URL to /var/log/privoxy/logfile, which on a LiveCD lives in RAM but is still readable by anyone at the console (the knoppix user has root via sudo).

If you know of an alternative, better configuration please add it below rather than overwriting the one above.

Installing TorK

First do:

 apt-get install libkonq-dev

This pulls in the KDE development packages needed to compile TorK.

Now do:

 cd /home/
 mkdir torkcvs
 cd torkcvs
 cvs -z3 -d:pserver:anonymous@tork.cvs.sourceforge.net:/cvsroot/tork co -P tork
 cd tork
 make -f Makefile.cvs
 ./configure --prefix=/usr/local
 make
 make install

There must be no space after --prefix=, otherwise configure sees an empty prefix plus a stray argument. If KDE does not find TorK afterwards, configure it into the prefix KDE itself lives under: ./configure --prefix=$(kde-config --prefix). Bear in mind that anonymous pserver CVS is neither encrypted nor authenticated, so what you bake into the CD from it is only as trustworthy as the network path between you and the server; if you can, compare the tree against a release you have verified before building.


Remove Unnecessary Packages

apt-get remove --purge name-of-package-to-remove

Below is my shortlist of packages to remove. I'm sure a better analysis can be done. The criteria I used were: large, not strictly necessary, or a game. If anyone would like to review the full list and suggest additional packages, please add them to the list at the end of this sub-section.

apt-get remove --purge audacity
apt-get remove --purge bacula-client
apt-get remove --purge bacula-common
apt-get remove --purge bacula-console
apt-get remove --purge bacula-fd
apt-get remove --purge frozen-bubble
apt-get remove --purge frozen-bubble-data
apt-get remove --purge gimp
apt-get remove --purge gimp-data
apt-get remove --purge gimp-print
apt-get remove --purge gnuchess
apt-get remove --purge icewm
apt-get remove --purge icewm-common
apt-get remove --purge k3b
apt-get remove --purge k3b-defaults
apt-get remove --purge k3b-i18n
apt-get remove --purge kaffeine
apt-get remove --purge kbattleship
apt-get remove --purge kde-i18n-es
apt-get remove --purge kde-i18n-fr
apt-get remove --purge kde-i18n-it
apt-get remove --purge kde-i18n-ja
apt-get remove --purge kde-i18n-nl
apt-get remove --purge kde-i18n-pl
apt-get remove --purge kde-i18n-ru
apt-get remove --purge kde-i18n-tr
apt-get remove --purge khexedit
apt-get remove --purge kiconedit
apt-get remove --purge kmahjongg
apt-get remove --purge kolourpaint
apt-get remove --purge kreversi
apt-get remove --purge ksokoban
apt-get remove --purge ksudoku
apt-get remove --purge kteatime
apt-get remove --purge mysql-client
apt-get remove --purge mysql-client-5.0
apt-get remove --purge mysql-common
apt-get remove --purge mysql-server
apt-get remove --purge mysql-server-5.0
apt-get remove --purge nessus
apt-get remove --purge nessus-plugins
apt-get remove --purge nessusd
apt-get remove --purge openoffice.org-debian-menus
apt-get remove --purge scribus
apt-get remove --purge scribus-doc-de
apt-get remove --purge scribus-doc-en
apt-get remove --purge startnessus-knoppix
apt-get remove --purge xbattle
apt-get remove --purge xboard
apt-get remove --purge xboing
apt-get remove --purge xgalaga
apt-get remove --purge xmms
apt-get remove --purge xmms-cdread
apt-get remove --purge xmms-goom
apt-get remove --purge xmms-modplug
apt-get remove --purge xmms-volnorm
apt-get remove --purge open-office
apt-get remove --purge katomic
apt-get remove --purge xaos
apt-get remove --purge fluxbox
apt-get remove --purge kooka
apt-get remove --purge wine
apt-get remove --purge digikam
apt-get remove --purge kpackage
apt-get remove --purge synaptic
apt-get remove --purge thunderbird


It would also be nice to remove:

apt-get remove --purge sun-j2se1.4-jdk-binary
apt-get remove --purge sun-j2se1.4-jre-binary

But I haven't tried it yet.

Additional packages suggested for removal:

APT

To view installed packages in ascending order of size, do:

dpkg-query -W --showformat='${Installed-Size} ${Package} ${Status}\n' | grep -v deinstall | sort -n | awk '{print $1" "$2}'

OpenOffice is probably top of the list. I removed it by running, for each of its packages:

apt-get remove --purge name-of-package-to-remove

Then I did the following to clean up:

COLUMNS=200 dpkg -l |grep ^rc |awk '{print $2} ' | xargs dpkg -P

Also, because the Debian package system keeps a cache of downloaded packages, you may want to run the following to clear out those spare files:

apt-get clean


Notes on APT

Update your package list with apt-get update.

Note: If apt-get update fails with "FATAL -> Could not set non-blocking flag Bad file descriptor", you need to make sure the partition holding your chrooted environment is mounted without the "nodev" option (the same cause as the /dev/null errors when entering the chroot for the first time).
Warning: apt-get upgrade is a BAD IDEA. It will, quite probably, render your KNOPPIX remaster unbootable, or broken in some way. A far safer method is to only upgrade packages as necessary.

Note: If apt-get fails with "Dynamic MMap ran out of room" you might try this little gem, which fixed the problem for me (run inside the chroot, as described above):

echo 'APT::Cache-Limit "25168524";' >> /etc/apt/apt.conf

Before you can add stuff, you will probably need to remove some packages. To get a list of packages installed, type this:

dpkg-query -l

If you are looking for big installed packages then the command

dpkg-awk "Status: .* installed$" -- Package Installed-Size | \
  awk '{print $2}' | egrep -v '^$' | xargs -n2 echo | \
  perl -pe 's/(\S+)\s(\S+)/$2 $1/' | sort -rg

will list the packages with size in descending order.

At least ten times faster is the command

dpkg-query -W --showformat='${Installed-Size} ${Package}\n' | sort -n

and you don't need dpkg-awk or awk or perl; however it does not exclude packages that are not installed. If you have trouble with the above sort command, try using KPackage: expand all the trees and sort by the size column to find big packages.

Or, you could use this command to get the dpkg-query speed with the non-installed packages not listed:

dpkg-query -W --showformat='${Installed-Size} ${Package} ${Status}\n' | grep -v deinstall | sort -n | awk '{print $1" "$2}'

It does the same thing as the dpkg-awk version above, I assume. I couldn't get the first one to work because I don't have dpkg-awk.

To remove a package (and all packages dependent on it), type this:

apt-get remove --purge name-of-package-to-remove

To check for orphaned packages, type this:

deborphan

Want to save more space by getting rid of those pesky orphans (how cruel!), type this (Warning, you won't be prompted yes/no to remove these packages. When you press Enter after this command, those packages will be gone):

deborphan | xargs apt-get -y remove

If you're uncertain about the previous command and want to see what will happen without making any changes, just add the -s option to the apt-get command like this (you can do this with all of the apt-get commands, and it's a good habit to use this option before mass operations like this one):

deborphan | xargs apt-get -s -y remove

Now the good stuff. If you wish to add a package, type this:

apt-get install name-of-package-to-install

What, don't know what packages to install? Type this. When the list appears, you can peruse (over 13k lines!) or search for things using /search-term:

apt-cache search .* | sort | less

When you're done removing and adding packages, a good way to clean up is by typing this

COLUMNS=200 dpkg -l |grep ^rc |awk '{print $2} ' | xargs dpkg -P

Also, because the Debian package system keeps a cache of downloaded packages, you may want to run the following to clear out those spare files:

apt-get clean

Security Measures

The following measures are proposed/required to harden the security of the LiveCD.

Make /bin/netstat SUID root!

Why do we want to do this? TorK uses netstat to list every active network connection on the machine together with the process that owns it, and mapping sockets to other users' processes needs root. Making the binary SUID root hands that ability to every local user and turns any bug in netstat into a bug that runs as root, so it is not appropriate on a shared or multi-user machine; on a single-user LiveCD it seems a reasonable trade. Please correct me if this opens up the user to some howling exploit.

chmod u+s /bin/netstat


Disable swap access

By default, Knoppix activates and uses any swap partition it finds on the computer's disks. Swapped-out memory can leave traces of a LiveCD user's activity (browser content, decrypted data, key material) on the host computer's disk, where they survive a reboot.

To disable this behaviour, edit the autoconfig script in the chroot (the path below is as seen from outside the chroot). With swap off, everything the session writes has to fit in physical RAM, so the CD needs correspondingly more memory:

vi /mnt/hda1/knx/source/KNOPPIX/etc/init.d/knoppix-autoconfig

And change:

NOSWAP=""
checkbootparam "noswap" && NOSWAP="yes"

to:

# Disable swap for Tor LiveCD
NOSWAP="yes"
#checkbootparam "noswap" && NOSWAP="yes"

Adding Tor Branding to the LiveCD

While you are in the chroot environment you can easily change the boot messages, the boot graphic, and the default KDE background graphic.

Changing the boot graphic

The 'boot graphic' is the first image you see when the CD or DVD boots; normally it is something flashy that says 'Knoppix'. It is a 640x400 image with no more than 16 colors, stored in isolinux's lss16 format as logo.16. You can change this to any graphic you please, as long as it meets those limits.

You can either copy a ready-made logo.16 to:

 /mnt/hda1/knx/master/boot/isolinux/

or follow these instructions to create your own logo:

  1. Change to the isolinux directory under your master copy. Swap '/mnt/hda1/' for whatever disk you are using.
    • cd /mnt/hda1/knx/master/boot/isolinux
  2. Back up your old logo in case you break things.
    • mv logo.16 logo.16.backup
  3. Make a 640x400 pixel 16 color graphic and save it as a GIF, e.g. 'logo.16.gif'. GIMP can easily do this. Note, you can use a graphic that originally had more than 16 colors, but it is critical that you convert the graphic to 16 colors before doing the next step.
  4. Convert the GIF to lss16 using the tools included on the Knoppix CD.
    • giftopnm < logo.16.gif > logo.ppm
      ppmtolss16 < logo.ppm > logo.16

Changing the boot message

The 'boot message' is the text shown under the 'boot graphic' on the initial screen when the Knoppix CD or DVD loads. It normally says something along the lines of Knoppix with the version number and includes a link to the Knoppix website. You can change this text to whatever you please, but don't add too much or the boot screen will look odd. Restricting yourself to a single line of text no longer than the default one is a good idea.

  1. Change to the isolinux directory under your master copy (boot.msg lives next to isolinux.bin on isolinux-based releases, 3.4 and later). Swap '/mnt/hda1/' for whatever disk you are using.
    • cd /mnt/hda1/knx/master/boot/isolinux
  2. Back up your old message in case you break things.
    • cp boot.msg boot.msg.backup
  3. Edit the message with a text editor. You'll see at the top of the message that it shows the graphic. Don't change this text, just the line under it.
    • vi boot.msg

Changing the startup script text

The 'startup script text' is the text you see after the initial boot screen, while Knoppix loads and configures your system. You can change as much of this text as you please. You can even add additional lines to the script; however, it is recommended that you don't play with this file beyond editing the 'Welcome to KNOPPIX' message.

  1. Change to the isolinux directory under your master copy (minirt.gz lives next to isolinux.bin on isolinux-based releases, 3.4 and later). Swap '/mnt/hda1/' for whatever disk you are using.
    • cd /mnt/hda1/knx/master/boot/isolinux
  2. Back up your old minirt.gz in case you break things.
    • cp minirt.gz minirt.gz.backup
  3. Uncompress minirt.gz
    • gunzip minirt.gz
  4. Make a temporary directory to mount the minirt filesystem.
    • mkdir todelete
  5. Loop-mount the minirt image as an ext2 filesystem.
    • mount -t ext2 -o loop minirt todelete
  6. Edit the linuxrc script to display the message you want. You'll find the default message approximately 2 pages down and it'll be using several colors, i.e. ${WHITE}, ${RED}, etc., so it might be slightly tricky to spot.
    • vi todelete/linuxrc
  7. unmount the minirt filesystem.
    • umount todelete
  8. Compress the minirt filesystem.
    • gzip -9 minirt
  9. Remove your temporary directory.
    • rmdir todelete

Add Tor Branding to the KDE Splash Screen

The splash graphics are in the /mnt/hda1/knx/source/KNOPPIX/usr/share/apps/ksplash/Themes/Default/.

You need to replace splash_top.png with a custom 400x248 PNG graphic.

You can use this one if you want.

Changing the default KDE Menu Graphic

Copy a new image 340x24 image to:

/mnt/hda1/knx/source/KNOPPIX/usr/share/apps/kicker/pics/kside.png

You can use this image.

Changing the default KDE background image

The auto-configuration script sets the default KDE background to an image read from the CD-ROM, which is easy to swap while remastering:

    • In KNOPPIX 3.3 and below it is /cdrom/KNOPPIX/background.gif
    • In KNOPPIX 3.4 and above it is /cdrom/KNOPPIX/background.jpg

Copy your image to:

 /mnt/hda1/knx/master/KNOPPIX/background.jpg

You can use this image here if you wish.

Modifying/Disabling the startup sound

The startup sound is played by /etc/X11/Xsession.d/45xsession. You can disable it by commenting out the body of the playsound function as shown (the two long case lines are cut off in this listing; comment out the whole line in the real file). Bash rejects a function with an empty body, so leave one no-op statement in it:

playsound(){ 
# Play sound if soundcore module present (checking /dev/sndstat is unreliable)
# OGGPLAY=/usr/bin/ogg123
# PLAY=/usr/bin/wavp
# [ -x "$PLAY" ] || PLAY=/usr/bin/play-sample
# [ -x "$PLAY" ] || PLAY=/usr/bin/play
# if [ -x "$OGGPLAY" -a -f /usr/share/sounds/startup.ogg ]; then
# case "$(lsmod)" in *sound*) { $OGGPLAY -q -p 64 /usr/share/sounds/startup.ogg >/
# elif [ -f /usr/share/sounds/startup.wav -a -x "$PLAY" ]; then
# case "$(lsmod)" in *sound*) { $PLAY /usr/share/sounds/startup.wav >/dev/null 2>&
# fi
: # no-op: an empty function body is a syntax error
}

Modifying/Disabling the shutdown sound

The shutdown sound is played by /etc/init.d/xsession. You can disable it by commenting out lines 210-220 from the script.

## Play informational sound if soundcore module present
## (checking /dev/sndstat is unreliable)
#OGGPLAY=/usr/bin/ogg123
#PLAY=/usr/bin/wavp
#[ -x "$PLAY" ] || PLAY=/usr/bin/play-sample
#[ -x "$PLAY" ] || PLAY=/usr/bin/play
#if [ -x "$OGGPLAY" -a -f /usr/share/sounds/shutdown.ogg ]; then
#case "$(</proc/modules)" in *sound*|*snd_*) { $OGGPLAY -q -p 64 /usr/share/sound
#elif [ -f /usr/share/sounds/shutdown.wav -a -x "$PLAY" ]; then
#case "$(</proc/modules)" in *sound*|*snd_*) { $PLAY /usr/share/sounds/shutdown.w
#fi

Configuring User Applications and the User Workspace.

Boot a normal KNOPPIX CD all the way and open a Root Shell (Knoppix->Root Shell).

  1. Leave the X session by typing:
    • init 2
  2. Mount the partition with the knoppix sources on it:
    • mount -rw /dev/hda1 /mnt/hda1
  3. Copy over your X11 configuration to the chroot'd environment :
    • cp /etc/X11/xorg.conf /mnt/hda1/knx/source/KNOPPIX/etc/X11
  4. Bind the kernel directories to the chroot'd environment:
    • mount --bind /dev /mnt/hda1/knx/source/KNOPPIX/dev
    • mount --bind /proc /mnt/hda1/knx/source/KNOPPIX/proc
    • mount --bind /sys /mnt/hda1/knx/source/KNOPPIX/sys
  5. Enter the chroot'd environment:
    • chroot /mnt/hda1/knx/source/KNOPPIX/
  6. Start Tor and Privoxy:
    • /etc/init.d/tor start
    • /etc/init.d/privoxy start
  7. Copy /etc/skel to /home/knoppix
    • cp -Rp /etc/skel /home/knoppix
  8. Make /tmp writable by everyone (chroot has put you at /, so the path is /tmp). Use the sticky bit rather than a recursive 777, so users can only delete their own files there:
    • chmod 1777 /tmp
  9. Change ownership to the user 'knoppix'
    • chown knoppix:knoppix -R /home/knoppix
  10. Switch to user 'knoppix'.
    • su knoppix
  11. Launch KDE
    • startx

KDE will launch, but the text will be in German. You can now perform the changes described in the rest of this section below. You can also start up TorK and connect it to Tor. To ensure that TorK starts up when the LiveCD boots, leave it running when you click 'Shutdown' and 'End Current Session'.

  1. When you have closed the session, you will be back to the text console. Go back to root:
    • exit
  2. Copy /home/knoppix back to /etc/skel to keep the changes
    • mv /etc/skel /etc/skel-old
      mv /home/knoppix /etc/skel
  3. Set the owner back to root
    • chown root:root -R /etc/skel
  4. Ensure the tork configuration file is readable by the new knoppix user (path as seen inside the chroot):
    • chmod 644 /etc/skel/.kde/share/config/torkrc
  5. Remove the xorg.conf file
    • rm /etc/X11/xorg.conf
  6. Unmount:
    • umount /dev; umount /proc; umount /sys

Press Ctrl+D to leave the chroot'd session.

Firewall Script

First save the current (empty) ruleset as the one the init script loads when it is stopped:

/etc/init.d/iptables save inactive

Then run the following script (as root, inside the chroot):

#!/bin/bash
# Load conntrack helpers (only matter if FTP/IRC are used directly rather than via Tor)
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
# Flush old rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Default policies: nothing in, nothing forwarded, everything out (Tor makes outbound connections)
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Allow loopback (Privoxy on 8118 and Tor's SOCKS/Control ports listen only here)
iptables -A INPUT -i lo -j ACCEPT
# Established sessions are handled by the conntrack rules further down
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound TCP 9001 and 9031 (9001 is Tor's usual relay ORPort). A Tor client only makes
# outbound connections, so unless you run a relay on these ports both rules can be removed.
iptables -A INPUT -p tcp --dport 9001 -j ACCEPT
iptables -A INPUT -p tcp --dport 9031 -j ACCEPT
# Drop packets claiming a loopback destination that did not arrive on lo
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
# Rate-limit new TCP connections: 1/s sustained, bursts of 20; log and drop the rest
iptables -N Flood-Scan
iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
iptables -A Flood-Scan -j DROP
# Drop NEW connections that do not start with SYN, and SYN+FIN scan packets
iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Replies to connections we started (TCP, RELATED for the helpers, UDP e.g. DNS answers)
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
# ICMP needed for path MTU discovery and error reporting; no echo-request, so the host does not answer pings
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT


Now save the rules you just loaded as the set applied when the service starts:

/etc/init.d/iptables save active

And make sure the init script runs at boot:

update-rc.d iptables defaults

Setting up Tork.

Copy the following into /mnt/hda1/knx/source/KNOPPIX/etc/skel/.kde/share/config/torkrc:

[MainWindow]
Height 768=642
Width 1024=752
[MainWindow Toolbar TorToolBar]
IconText=IconOnly
Index=1
[MainWindow Toolbar mainToolBar]
Index=0
[MyServer]
NickName=TorLiveCD
[Notification Messages]
LikeBack_starting_information=false
[RunningNormal]
User=knoppix
[TorKOSD Position]
Position=900,700
Screen=0
[UsedDirectly]
ApplySettingsToInstance=true
KonqFtpProxy=http://localhost
KonqFtpProxyPort=8118
PrivoxyLocation=/usr/sbin/privoxy
QuickConfigure=7
SystemProxy=true
TorLocation=/usr/sbin/tor
TorkProxy=false

Setting up Firefox.

While in KDE in the section above, you should set up firefox with the appropriate extensions.

Remove Plugins

Browser plugins such as Java and Helix/RealPlayer can open their own network connections and bypass the browser's proxy settings, so remove them from the chroot, along with the bundled search plugins:

rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/mozilla/plugins/libjavaplugin.so
rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/netscape/plugins-libc6/libjavaplugin.so
rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/firefox/plugins/libjavaplugin.so
rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/firefox/plugins/libunixprintplugin.so
rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/firefox/plugins/nphelix.so
rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/firefox/plugins/nphelix.xpt
rm -f /mnt/hda1/knx/source/KNOPPIX/usr/lib/firefox/searchplugins/*

Config Enforced By Tork

user_pref("network.proxy.ftp", "");
user_pref("network.proxy.ftp_port", 0);
user_pref("network.proxy.gopher", "");
user_pref("network.proxy.gopher_port", 0);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 8118);
user_pref("network.proxy.type", 1);
user_pref("javascript.enabled", false);
user_pref("pref.advanced.javascript.disable_button.advanced", false);
user_pref("security.enable_java", false);
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_version", 5);
// Without remote DNS the browser resolves hostnames locally before asking the SOCKS proxy, leaking every site visited.
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.dns.disableIPv6", true);
user_pref("extensions.update.autoUpdateEnabled", false);
user_pref("extensions.update.autoUpdate", false);
user_pref("extensions.update.enabled", false);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("browser.search.update", false);
// The next two are string-valued prefs; the split into name and value is reconstructed, so check them against TorK's own settings.
user_pref("network.http.accept-encoding", "gzip;q=0,deflate;q=0,compress;q=0");
user_pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
user_pref("intl.accept_languages", "en");
user_pref("intl.accept_charsets", "ISO-8859-1,*");
// Note: rv:1.7.10 and Gecko/20050716 are the tokens of the Firefox 1.0 series; a user agent whose parts disagree is itself a fingerprint.
user_pref("general.useragent.override", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.5.0.7");
user_pref("general.useragent.extra.firefox", "Firefox/1.5.0.7");
user_pref("general.useragent.locale", "en");
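Before remastering it is worth confirming that the anonymity-critical settings from the Privoxy configuration above and from this Firefox prefs block are actually what ended up in the chroot. The following script is an added example, not TorK's or Knoppix's code: it checks that Privoxy listens on loopback only, forwards everything to Tor's SOCKS port and has its remote toggles off (with enable-remote-http-toggle on, any client that can add an X-Filter: No request header switches filtering off for that request), and that Firefox uses the manual proxy with remote DNS so that hostnames are not resolved locally. The two paths given when running it are the only assumptions (the location of the profile's user.js in particular is yours to fill in); the inputs in the test are constructed.

```shell
#!/bin/bash
# Audit the anonymity-critical Privoxy and Firefox settings baked into the chroot.
# Added example, not TorK's or Knoppix's code. Usage (paths are assumptions):
#   audit.sh /mnt/hda1/knx/source/KNOPPIX/etc/privoxy/config  /path/to/profile/user.js

FAILS=0
fail() { printf 'FAIL: %s\n' "$*"; FAILS=$((FAILS + 1)); }

# Value of a Privoxy directive: comments stripped, last occurrence wins, "" if absent.
privoxy_get() {   # privoxy_get CONFIG DIRECTIVE
    sed 's/#.*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }'
}

# Value of a user_pref() entry with surrounding quotes removed, "" if absent.
pref_get() {   # pref_get PREFS_FILE NAME
    awk -v n="$2" '
        index($0, "user_pref(\"" n "\"") == 1 {
            s = $0
            sub(/^user_pref\("[^"]*"[ \t]*,[ \t]*/, "", s)   # drop user_pref("name",
            sub(/[ \t]*\);[ \t]*$/, "", s)                   # drop trailing );
            gsub(/^"|"$/, "", s)
            v = s
        }
        END { print v }' "$1"
}

expect_pref() {   # expect_pref PREFS_FILE NAME WANT
    local v; v=$(pref_get "$1" "$2")
    [ "$v" = "$3" ] || fail "$2 should be $3 (got '${v:-unset}')"
}

audit_privoxy() {   # audit_privoxy CONFIG
    local f="$1" v d
    FAILS=0
    v=$(privoxy_get "$f" listen-address)
    case "$v" in 127.0.0.1:*|localhost:*) ;; *) fail "listen-address '$v' is not loopback-only" ;; esac
    v=$(privoxy_get "$f" forward-socks4a)
    case "$v" in "/ 127.0.0.1:9050 ."|"/ localhost:9050 .") ;;
        *) fail "no catch-all forward-socks4a to Tor on 127.0.0.1:9050 (got '$v')" ;; esac
    # With any of these on, a client (or code running in the browser) can change or
    # switch off filtering over HTTP; all three should be 0 on a LiveCD.
    for d in enable-remote-toggle enable-remote-http-toggle enable-edit-actions; do
        v=$(privoxy_get "$f" "$d")
        [ "$v" = 0 ] || fail "$d should be 0 (got '${v:-unset}')"
    done
    [ "$FAILS" -eq 0 ]
}

audit_firefox() {   # audit_firefox PREFS_FILE
    FAILS=0
    expect_pref "$1" network.proxy.type 1                 # manual proxy configuration
    expect_pref "$1" network.proxy.http localhost
    expect_pref "$1" network.proxy.http_port 8118         # Privoxy
    expect_pref "$1" network.proxy.socks 127.0.0.1
    expect_pref "$1" network.proxy.socks_port 9050        # Tor
    expect_pref "$1" network.proxy.socks_remote_dns true  # false = DNS lookups bypass Tor
    expect_pref "$1" javascript.enabled false
    expect_pref "$1" app.update.enabled false             # no direct update checks
    [ "$FAILS" -eq 0 ]
}

if [ "$#" -eq 2 ]; then
    audit_privoxy "$1"; p=$?
    audit_firefox "$2"; q=$?
    exit $(( p | q ))
fi
```

Run against the files in the chroot (not the host's own /etc/privoxy/config) and fix anything reported before building the compressed image; the Privoxy configuration shown earlier on this page would be flagged for enable-remote-http-toggle.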

Add IRC Hidden Services to Kopete.

This will add two popular hidden service gateways to the Freenode and OFTC IRC networks to Kopete's configuration. The .onion addresses below are as listed at the time of writing; confirm they are still the networks' own gateways before building, since a stale or wrong onion address hands the user's IRC session to whoever runs it.

Create the file /mnt/hda1/knx/source/KNOPPIX/etc/skel/.kde/share/config/kopeterc and populate it with:

[Account_IRCProtocol_37lnq2veifl4kar7.onion]
AccountId=37lnq2veifl4kar7.onion
AutoShowServerWindow=false
Codec=106
Color=255,255,0
ConnectCommands=
CustomCtcp=
ErrorMessages=1
ExcludeConnect=false
InformationReplies=1
NetworkName=OFTC (via Tor Hidden Service)
NickName=none
PasswordIsWrong=false
PreferSSL=false
Protocol=IRCProtocol
RealName=
RememberPassword=true
ServerMessages=2
ServerNotices=2
UserName=
altNick=
defaultPart=Kopete 0.12.4 : http://kopete.kde.org
defaultQuit=Kopete 0.12.4 : http://kopete.kde.org
[Account_IRCProtocol_mejokbp2brhw4omd.onion]
AccountId=mejokbp2brhw4omd.onion
AutoShowServerWindow=false
Codec=106
Color=0,0,255
ConnectCommands=
CustomCtcp=
ErrorMessages=1
ExcludeConnect=false
InformationReplies=1
NetworkName=Freenode (via Tor Hidden Service)
NickName=none
PasswordIsWrong=false
PreferSSL=false
Priority=1
Protocol=IRCProtocol
RealName=
RememberPassword=true
ServerMessages=2
ServerNotices=2
UserName=
altNick=
defaultPart=Kopete 0.12.4 : http://kopete.kde.org
defaultQuit=Kopete 0.12.4 : http://kopete.kde.org
[Away Messages]
AutoAwayMessage=
Messages=Sorry\\, I am busy right now,I am gone right now\\, but I will be back later
[EditGlobalIdentityBar Settings]
IconText=IconOnly
Index=2
[General Options]
Geometry=220,350
Height 1024=350
Position=0,23
State=Hidden
Width 1280=220
[General Options Toolbar editGlobalIdentityBar]
IconText=IconOnly
Index=2
[General Options Toolbar mainToolBar]
Index=0
[General Options Toolbar quickSearchBar]
IconText=IconOnly
Index=1
[QuickSearchBar Settings]
IconText=IconOnly
Index=1
[ToolBar Settings]
Index=0

Final Tweaks.

The Desktop Help File.

First download a copy of the Tor website and compile it:

cd workingdir
svn checkout https://tor-svn.freehaven.net/svn/website/trunk website
svn checkout https://tor-svn.freehaven.net/svn/tor/trunk tor-head
svn checkout https://tor-svn.freehaven.net/svn/tor/trunk tor-stable
cd website
make

(You will need a copy of wml for this to work. Go to http://thewml.org and get the latest release.)

Now copy the website directory to /mnt/hda1/knx/master/:

cp -R website /mnt/hda1/knx/master/


Now we will replace KNOPPIX's desktop link to the KNOPPIX help file with a link to our local copy of the Tor website. First:

 vi /mnt/hda1/knx/source/KNOPPIX/etc/X11/Xsession.d/45xsession

Now add the following c. line 180. You will be commenting and replacing text so be sure you are replacing the correct stuff:


#Tor LiveCD: Link to copy of Tor Website on Desktop
# Check for /index.html (_en), or KNOPPIX/index.html (_en) on this CD
#if [ -e /cdrom/website/index.html.en ]; then
INDEXFILE="/cdrom/website/index.html.en"
#else
#for i in index KNOPPIX/index; do
#INDEXFILEDE="/cdrom/${i}.html"
#INDEXFILEEN="/cdrom/${i}_en.html"
#[ -e "$INDEXFILEEN" ] && INDEXFILE="$INDEXFILEEN" && [ "$LANGUAGE" != "de" ] && break
#[ -e "$INDEXFILEDE" ] && INDEXFILE="$INDEXFILEDE" && [ "$LANGUAGE"  = "de" ] && break
#done
#fi
# Tor LiveCD: Change KNOPPIX help file to Tor specific one.
if [ -e "$INDEXFILE" ]; then
cat >> $HOME/Desktop/Tor.desktop <<EOF
[Desktop Entry]
Name=Tor
# Exec=kfmclient openProfile webbrowsing $INDEXFILE
Exec=konqueror --geometry 850x600+85+70 file:$INDEXFILE
Type=Application
Icon=html
Terminal=0
EOF
#Tor LiveCD: Commented Out
#ln $HOME/Desktop/KNOPPIX.desktop $HOME/.kde/Autostart/showindex.desktop
fi

The Credits File.

Add the credits file to the desktop by adding the following to /mnt/hda1/knx/source/KNOPPIX/etc/X11/Xsession.d/45xsession c. 180:

# Tor LiveCD: Added Tor Credits File
cat >> $HOME/Desktop/Credits.txt <<EOF
Tor by Roger Dingledine and Nick Mathewson (http://tor.eff.org)
Tor LiveCD based on KNOPPIX by Klaus Knopper (http://www.knopper.net)
Wallpaper by salahuddin pasha  (http://www.kde-look.org/content/show.php/Open+Source+Green?content=16355) 
LiveCD compiled by Robert Hogan (http://tork.sf.net/wiki/index.php/LiveCD)
TorK by Robert Hogan (http://tork.sf.net)
EOF

Leaving the Chroot

If you bind-mounted them, you must unmount /proc, /dev and /sys before remastering; otherwise the host's live /proc and /dev trees would be packed into the image:

umount /proc
umount /dev
umount /sys

Press CTRL+D to leave being chrooted.

Remastering the ISO

We've finished customizing and are ready to burn! First do some cleanup:

  • remove any .bash_history files, tmp files, etc. (root's and knoppix's shell histories record everything you typed in the chroot)
  • remove the TorK build tree under /home/torkcvs, the APT package cache (apt-get clean) and any resolv.conf or proxy settings you copied in
  • back out any other changes you don't want burned back to the disc
  • rm -rf /mnt/hda1/knx/source/KNOPPIX/.rr_moved

KNOPPIX Compressed Image

Now we'll make the big KNOPPIX file which is an ISO 9660 filesystem compressed for use by the cloop driver:

mkisofs -R -U -V "Tor filesystem" -publisher "KNOPPIX tor.eff.net" \
    -hide-rr-moved -cache-inodes -no-bak -pad /mnt/hda1/knx/source/KNOPPIX \
    | nice -5 /usr/bin/create_compressed_fs -B 65536 -f /mnt/hda1/isotemp \
      - /mnt/hda1/knx/master/KNOPPIX/KNOPPIX

Live CD ISO

If all went well, onto making the final CD-ROM Image:

cd /mnt/hda1/knx/master
find -type f -not -name md5sums -not -name boot.cat -not -name isolinux.bin \
   -exec md5sum '{}' \; > KNOPPIX/md5sums

(This updates the MD5 hashes of the files included in the ISO, which the CD's own integrity check uses. They detect a bad burn or a damaged disc, not tampering: anyone able to modify the master tree can regenerate them, so publish a separate checksum or signature for the finished ISO.) Now to build the image; for Knoppix <= 3.3:

mkisofs -pad -l -r -J -v -V "KNOPPIX" -b KNOPPIX/boot.img -c KNOPPIX/boot.cat \
   -hide-rr-moved -o /mnt/hda1/knx/knoppix.iso /mnt/hda1/knx/master

for Knoppix >= 3.4 or other isolinux based distributions:

mkisofs -pad -l -r -J -v -V "KNOPPIX" -no-emul-boot -boot-load-size 4 \
   -boot-info-table -b boot/isolinux/isolinux.bin -c boot/isolinux/boot.cat \
   -hide-rr-moved -o /mnt/hda1/knx/knoppix.iso /mnt/hda1/knx/master

(the ISO is stored in /mnt/hda1/knx/knoppix.iso)

Burn the ISO using your favorite tools, and you're ready!
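To make the integrity-check step above concrete, here is an added example (not from the Knoppix howto) that regenerates KNOPPIX/md5sums the same way, with the same three exclusions and the reason for each, verifies the master tree against it the way the Knoppix "testcd" boot option does, and shows the limit of the mechanism: a checksum list stored inside the image only catches corruption, since whoever can alter the master can rewrite the list, so the ISO you publish needs a digest (and ideally a signature) distributed separately. The master directory and ISO paths are the only assumptions; the tree in the test is constructed.

```shell
#!/bin/bash
# Regenerate and verify KNOPPIX/md5sums, then publish a digest of the finished ISO.
# Added example, not from the Knoppix remastering howto; MASTER is the page's
# /mnt/hda1/knx/master and ISO its /mnt/hda1/knx/knoppix.iso (both assumptions).

# Hash every file under MASTER except the three that cannot be hashed ahead of time:
# md5sums itself, boot.cat (mkisofs writes the boot catalog when the ISO is built) and
# isolinux.bin (mkisofs -boot-info-table patches it during the build).
write_md5sums() {   # write_md5sums MASTER
    ( cd "$1" &&
      find . -type f ! -name md5sums ! -name boot.cat ! -name isolinux.bin \
          -exec md5sum '{}' \; | LC_ALL=C sort -k 2 > KNOPPIX/md5sums )
}

# Verify MASTER against KNOPPIX/md5sums. Prints every line that is not ": OK"
# (a mismatch, a missing file or an md5sum warning) and returns 1 if there were any.
check_md5sums() {   # check_md5sums MASTER
    if ( cd "$1" && LC_ALL=C md5sum -c KNOPPIX/md5sums 2>&1 | grep -v ': OK$' ); then
        return 1
    fi
    return 0
}

# Number of files covered by the checksum list (compare it with the file count in master/).
md5sums_entries() {   # md5sums_entries MASTER
    wc -l < "$1/KNOPPIX/md5sums" | tr -d ' '
}

# The in-image list cannot authenticate the image. Write ISO.sha256 next to the ISO and
# distribute it (signed, e.g. with gpg --detach-sign) over a channel other than the ISO itself.
publish_digest() {   # publish_digest ISO
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Check a downloaded ISO against the published digest; returns sha256sum -c's status.
verify_digest() {   # verify_digest ISO
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}
```

Call write_md5sums on the master directory after the compressed KNOPPIX image has been created and before mkisofs; check_md5sums on the same directory then lists exactly the files that changed since.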

Test CD Image Without Burning a CD

You can use Qemu to test your ISO image without burning it:

qemu -m 128 -cdrom /mnt/hda1/knx/knoppix.iso -boot d

Common Problems

  • You've startx'd (into whatever window manager you like) and you start a terminal (gnome-terminal, konsole, xterm). Nothing happens (such is the case in fluxbox, and you'll see an error in your ~/.xsession-errors file). Or perhaps the error is helpfully displayed:
 get_pty: not enough ptys

I had plenty yesterday... but then I chrooted. To solve this:

 # NOT in your chroot environment
 cd /mnt/hda1/knx/source/KNOPPIX/dev
 MAKEDEV pty
 # enter your chroot environment
 chroot /mnt/hda1/knx/source/KNOPPIX/
 # and mount /dev/pts
 mount -t devpts /dev/pts/ /dev/pts

It might give the same "fstab not found" error as mounting proc does; disregard it as you would then. Remember to umount /dev/pts again, like /proc and /dev, before remastering.

Start your X up again and try your terminal; it should work. Thanks to technovelty for the final enlightenment.

See also

This HowTo is cannibalized from the Knoppix Remastering HowTo. Please refer to that document for much more detailed information and troubleshooting tips, as well as full acknowledgments.
