Thread: Tutorial Block Big Brother
Old 02-11-2013, 08:40 PM   #24
knc1
Helpdesk Junkie
Posts: 6,991
Karma: 6314536
Join Date: Feb 2012
Device: Too many.
BBB-13042

Our usual 'manual' installation process (still):
Code:
core2quad frags $ scp added-bbb-13042.txt kpw:/mnt/us/extensions/bbb/frags
added-bbb-13042.txt                          100% 3680     3.6KB/s   00:00    

core2quad frags $ cd ../config.d

core2quad config.d $ scp del-bbb-13042.sh kpw:/mnt/us/extensions/bbb/config.d
del-bbb-13042.sh                                100% 3771     3.7KB/s   00:00

core2quad config.d $ cd
core2quad ~ $


Reload the kernel's firewall rules:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13042.txt"
Now the standard INPUT chain is what applies to all interfaces, plus a total for the specific interface inputs:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL INPUT"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   21  4059 usb-in     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
  185 94842 wlan-in    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ppp-in     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
And the 'detail' table listed as the 'target' has the specifics:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL wlan-in"
Chain wlan-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  233  121K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    4  1216 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    2    56 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
The totals do not match above because of traffic on wlan0 in between the reports.

This structure allows for the easy automation of adding and removing services **PER INTERFACE**.
I.e.: it is unlikely that anyone will want to run rsync on anything other than the USB cable.
And other services only make sense on interfaces other than the USB cable.

It also allows modification **PER INTERFACE** of the BBB filter.
Exactly how that might be useful is yet to be known, but it is there to help the automation also.

After today's field test (minus one counter):
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  283  438K ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    2   204 DROP       all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1017  106K usb-in     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    7   552 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
 5226 2667K wlan-in    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ppp-in     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  283  438K ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
  677  116K usb-out    all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
10497 1167K wlan-out   all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ppp-out    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    2   204 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ppp-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:40317 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:49317 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:33434 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40317 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ppp-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    0     0 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
    0     0 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
    0     0 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19    
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain usb-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1017  106K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain usb-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
    0     0 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
    0     0 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
    0     0 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19    
  677  116K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain wlan-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5138 2657K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
   29  8960 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
   59  1652 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain wlan-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12         
 5051  828K DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14        
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18     
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16       
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17       
   60  3772 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19      
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14       
   39  2300 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21      
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19    
   17  1192 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18    
   12   776 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19    
 5318  331K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Now delete the BBB filter from all three output interface chains:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13042.sh"
Now confirm that they are gone:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  372 41617 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  893 95180 usb-in     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   46  8624 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
 1239  635K wlan-in    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ppp-in     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
  372 41617 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8         
  634 83312 usb-out    all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
 2525  284K wlan-out   all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ppp-out    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ppp-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:40317 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:49317 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:33434 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40317 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ppp-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain usb-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  893 95180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain usb-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  634 83312 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain wlan-in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1222  634K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
    5  1520 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
   12   336 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain wlan-out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1312 85791 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Next - work on some buttons - RSN.
Attached Files
File Type: gz bbb-13042.tar.gz (2.4 KB, 27 views)
File Type: zip bbb-13042.zip (2.9 KB, 48 views)
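An added example, not knc1's bbb-13042 scripts (which the post attaches but does not reproduce): a POSIX sh generator for an iptables-restore fragment with the per-interface chain layout shown in the listings above, placing the BBB DROP list in each output chain ahead of that chain's final ACCEPT, plus the matching per-interface delete commands. The `-in` chain contents are simplified here (USB cable accepted in full as in the listing, other interfaces limited to established traffic); the block list is the destination ranges visible in the listings.

```shell
#!/bin/sh
# Added example, not the bbb-13042 scripts: emit an iptables-restore fragment
# with INPUT/OUTPUT dispatching to per-interface <if>-in / <if>-out chains,
# the BBB DROP list in every output chain, and the matching deletes.
# Usage: emit_fragment > added-bbb.txt ; iptables-restore < added-bbb.txt
BBB_BLOCKS="23.0.0.0/12 23.20.0.0/14 50.16.0.0/14 54.240.128.0/18 54.240.0.0/12
64.208.0.0/16 64.209.0.0/17 72.21.192.0/19 107.20.0.0/14 176.32.96.0/21
178.236.0.0/21 184.72.0.0/15 204.246.160.0/19 205.251.192.0/18 207.171.160.0/19"
IFACES="usb0 wlan0 ppp0"

# Chain name prefix for an interface: usb0 -> usb, wlan0 -> wlan, ppp0 -> ppp
chain_prefix() { printf '%s' "${1%%[0-9]*}"; }

# BBB DROP rules for one interface's output chain (iptables-restore syntax)
emit_bbb_add() {
    p=$(chain_prefix "$1")
    for net in $BBB_BLOCKS; do echo "-A $p-out -d $net -j DROP"; done
}

# The matching deletes for one interface (what a del-bbb script would run)
emit_bbb_del() {
    p=$(chain_prefix "$1")
    for net in $BBB_BLOCKS; do echo "iptables -D $p-out -d $net -j DROP"; done
}

# Whole fragment: policies, per-interface chains, dispatch rules, simplified
# inbound rules, BBB list, then each output chain's final ACCEPT
emit_fragment() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'; echo ':FORWARD ACCEPT [0:0]'; echo ':OUTPUT ACCEPT [0:0]'
    for i in $IFACES; do p=$(chain_prefix "$i"); echo ":$p-in - [0:0]"; echo ":$p-out - [0:0]"; done
    echo '-A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT'
    echo '-A INPUT -i lo -j DROP'
    echo '-A OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT'
    for i in $IFACES; do
        p=$(chain_prefix "$i")
        echo "-A INPUT -i $i -j $p-in"
        echo "-A OUTPUT -o $i -j $p-out"
        # USB cable side accepted in full as in the listing; others: established only
        if [ "$i" = usb0 ]; then echo "-A $p-in -j ACCEPT"
        else echo "-A $p-in -m state --state RELATED,ESTABLISHED -j ACCEPT"; echo "-A $p-in -j DROP"; fi
        emit_bbb_add "$i"
        echo "-A $p-out -j ACCEPT"
    done
    echo 'COMMIT'
}
```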