Thread: Tutorial Block Big Brother
Old 02-08-2013, 10:18 AM   #1
knc1
Block Big Brother

This thread is a continuation of managing the Kindle firewall at:
http://www.mobileread.com/forums/sho...d.php?t=205068

This thread is also based on materials in the following threads:
References:
The *nix command crib-sheet linked to from this thread: http://www.mobileread.com/forums/sho...d.php?t=204534
NOTE: The version of those commands provided by Busybox on the Kindle usually only have a limited sub-set of the command features described in the crib-sheet.
iptables report reading: http://www.mobileread.com/forums/sho...d.php?t=204676
Amazon-net-13039: http://www.mobileread.com/forums/sho...35&postcount=5
Packet flow chart and iptables tutorial: http://www.frozentux.net/iptables-tu...ERSINGOFTABLES

Release posts:
bbb-13038: Bottom of this post.
bbb-13039: http://www.mobileread.com/forums/sho...60&postcount=6
bbb-13040: http://www.mobileread.com/forums/sho...1&postcount=13
bbb-13042: http://www.mobileread.com/forums/sho...3&postcount=24

Public Repository:
http://hg.minimodding.com/repos/sys/kBBB.hg/

Conditions:
In the prior thread on the basics of ssh/scp on the Kindle, you learned how to remove the banner and do remotely executed programs via ssh.
In the prior thread on the Linux firewall tables, you found there are no restrictions on the USB0 interface. You also read about the restrictions present on packets originating on the wlan0 (and 3G) interfaces.

You made note of the sequence required to start/stop USBnetwork, from the spoiler in the USBnetworking thread, which is repeated in the spoiler here:
Spoiler:

Quote:
This order should work on all firmware versions.
Early firmwares, v-2 and v-3 may also work with the cable attached.

  • un-plug cable (if still plugged in)
  • toggle USBnetwork ON in launcher
  • plug the cable
  • kill any automation (or configure yours to do: )
  • sudo ip link set up dev usb0 (It may already be up)
  • sudo ip address add 192.168.15.201 peer 192.168.15.244 dev usb0
  • use the networking until you're done (telnet ken1 OR ssh kpw)
  • un-plug cable
  • toggle USBnetwork OFF in launcher
You may or may not have configured your network automation to automatically bring up the link and set the point-to-point address that you are using on your host PC.
There are a number of network automation things used by the various Linux distributions, refer to your distribution information on how to set up yours (not here, your distro's help forum).
Windows and MacOSx also have provisions for automating the host connection setup.

Crank-up your USB networked Kindle (a Kpw-5.3.3 used here) and be sure things are still working the way we left them (connection details by nickname, no banner from dropbear):
Code:
core2quad ~ $ ssh kpw
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]#
It LIVES!
You can leave that connection up for your own exploring during the rest of this post.

Someday, the BBB extension may have buttons, but for now, do this manually.
Even worse than that, doing it manually reveals some software bugs in the Amazon build of the iptables* utilities.
So what follows is not the way I would choose to do this, if I had a choice.

Create a home for the BBB extension iptable script(s) and the modified iptables rule-sets(s):
Code:
core2quad ~ $ ssh kpw "mkdir -p /mnt/us/extensions/bbb/config.d"
core2quad ~ $ ssh kpw "mkdir -p /mnt/us/extensions/bbb/frags"
core2quad ~ $ ssh kpw "ls -l /mnt/us/extensions/bbb"
drwxr-xr-x    2 root     root          8192 Feb  7 15:39 config.d
drwxr-xr-x    2 root     root          8192 Feb  7 15:40 frags
Move the added-BBB iptable file and the del-BBB script to their respective homes:
Code:
core2quad usb-0.7.N $ scp added-bbb-13038.txt kpw:/mnt/us/extensions/bbb/frags
added-bbb-13038.txt                           100% 1210     1.2KB/s   00:00    

core2quad usb-0.7.N $ scp del-bbb-13038.sh kpw:/mnt/us/extensions/bbb/config.d
del-bbb-13038.sh                              100%  741     0.7KB/s   00:00
The number in the names is: YYDDD of the file creation (a version number, as it were).

Now run the iptables-restore utility on the Kindle to install the modified table rule-set:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13038.txt"
Check our work, see what the output chain rules are now:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 45 packets, 6024 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1           
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    0     0 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19
Now disable "airplane mode" and enable WiFi.
You don't need to do anything else, other than connect to Wifi, any Wifi.
Wait a few moments, and re-check the counters on the output chain again:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 186 packets, 20334 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1           
   73 11972 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    8   544 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
   12   720 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    6   360 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    4   304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19
Poor Chatty Kathy - she can't talk to Mama Amazon any longer.
If you open the 'store' now, after a long, long, long wait you should get a "We apologize, but something went wrong ..." message.
Yeah, buddy, and it is going to keep right on "going wrong".

BIG NOTE: This is the Kindle Paperwhite version 5.3.3 with the table from the 5.3.1 firmware!
Different versions of the firmware may use different Amazon Cloud access addresses!

AN EVEN BIGGER NOTE: You must re-load the modified table **after** any system re-boot!

A little note: If you get the urge to hack the modified table on your own, your "recovery process" is to re-boot the Kindle. That will re-install the stock iptables rule-set.

To remove the "Big Brother Block" (BBB) :
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13038.sh"
Verify that the rules are gone now:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 631 packets, 53736 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1
Due to the technical difficulties with the build of the iptables-* utilities shipped by Amazon, the BBB addition has to be hand merged with the output report of the iptables-save command.
The file at /etc/sysconfig/iptables is an Amazon copyrighted document, we can't post or redistribute that file.

But the output of the iptables-save command is a "data report" generated (and owned) by yourself.
People who would like to see a BBB table for their Kindle model and that model's firmware version should post their output report(s) in this thread.

There is a kWall extension in the works, but there is no time-table set for when it might be completed.
This work-around is all that I can offer right now.

Current release at: http://www.mobileread.com/forums/sho...3&postcount=24
Attached file: bbb-13038.tar.gz (761 Bytes)

Last edited by knc1; 02-11-2013 at 07:42 PM.
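The post above leaves three steps to the reader: hand-merging the BBB DROP rules into your own iptables-save report, writing the del-bbb script that takes them out again, and reading the DROP counters to see which Amazon ranges the Kindle actually tried to reach. The following script is an added example (not knc1's bbb-13038 files, and not Amazon's /etc/sysconfig/iptables) that does all three on a report you supply. The ten network ranges are copied from the OUTPUT chain listing in the post; the placement of the rules ahead of any existing OUTPUT rule, the function names, the file name bbb.sh and the sample inputs at the bottom are assumptions.

```shell
#!/bin/sh
# Added example, not knc1's bbb-13038 files. It scripts the "hand merge" of the
# Big Brother Block (BBB) rules into an iptables-save report, prints the matching
# delete commands, and pulls the hit counters out of an "iptables -vnL OUTPUT"
# listing. The network list is copied from the OUTPUT chain shown in the post;
# the rule placement, the function names and the sample inputs are assumptions.

BBB_NETS="23.20.0.0/14 54.240.0.0/12 54.240.128.0/18 64.208.0.0/16 64.209.0.0/17 72.21.192.0/19 176.32.96.0/21 178.236.0.0/21 205.251.192.0/18 207.171.160.0/19"

# bbb_merge: stdin = iptables-save report, stdout = the same report with one
# "-A OUTPUT -d <net> -j DROP" line per BBB network added to the *filter table.
# The DROPs go in front of the first existing OUTPUT rule, so no earlier ACCEPT
# can let a packet to an Amazon range through; nat/mangle tables pass untouched.
# Feed it a fresh report: it does not check for DROPs that are already present.
bbb_merge() {
    awk -v nets="$BBB_NETS" '
        BEGIN { n = split(nets, net, " ") }
        /^[*]/ { table = substr($0, 2); done = 0 }
        table == "filter" && !done && (/^-A OUTPUT / || /^COMMIT/) {
            for (i = 1; i <= n; i++) print "-A OUTPUT -d " net[i] " -j DROP"
            done = 1
        }
        { print }
    '
}

# bbb_delete_cmds: the iptables commands that remove exactly what bbb_merge
# added (the job of the post's del-bbb script). Pipe them into sh on the Kindle.
bbb_delete_cmds() {
    for net in $BBB_NETS; do
        echo "iptables -D OUTPUT -d $net -j DROP"
    done
}

# bbb_hits: stdin = "iptables -vnL OUTPUT" listing, stdout = "<destination> <pkts>"
# for every DROP rule whose packet counter is non-zero, i.e. the ranges the
# Kindle actually tried to reach. No output means nothing has been blocked yet.
# Columns of -vnL: pkts bytes target prot opt in out source destination.
bbb_hits() {
    awk '$3 == "DROP" && $1 + 0 > 0 { print $9, $1 }'
}

# Constructed sample inputs (not a real Kindle report, which is Amazon's file):
# a minimal iptables-save report with the post's single lo ACCEPT rule, and a
# -vnL listing with a few of the counters from the post after WiFi came up.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
COMMIT'

SAMPLE_LIST='Chain OUTPUT (policy ACCEPT 186 packets, 20334 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   696 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1
   73 11972 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12
    8   544 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19'

# Usage from the host, following the post's ssh/PATH convention (bbb.sh is an
# assumed file name for this script):
#   ssh kpw "PATH=$PATH ; iptables-save" | sh bbb.sh merge > added-bbb.txt
#   sh bbb.sh delete > del-bbb.sh
#   ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT" | sh bbb.sh hits
#   sh bbb.sh demo        # runs merge and hits on the constructed samples
case "${1:-}" in
    merge)  bbb_merge ;;
    delete) bbb_delete_cmds ;;
    hits)   bbb_hits ;;
    demo)   printf '%s\n' "$SAMPLE_SAVE" | bbb_merge
            printf '%s\n' "$SAMPLE_LIST" | bbb_hits ;;
esac
```

The merged file is what you feed to iptables-restore on the Kindle, exactly as the post does with added-bbb-13038.txt, and it is lost on every reboot for the same reason the post gives: the boot scripts reinstall the stock rule-set. Because the DROPs are generated from your own iptables-save report, the same script works for a different firmware's table, but the address list itself still has to be checked against that firmware, as the post warns.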