02-08-2013, 10:18 AM | #1 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Block Big Brother
This thread is a continuation of managing the Kindle firewall at:
https://www.mobileread.com/forums/sho...d.php?t=205068
This thread is also based on materials in the following threads:
References:
The *nix command crib-sheet linked to from this thread: https://www.mobileread.com/forums/sho...d.php?t=204534
NOTE: The version of those commands provided by Busybox on the Kindle usually only has a limited sub-set of the command features described in the crib-sheet.
iptables report reading: https://www.mobileread.com/forums/sho...d.php?t=204676
Amazon-net-13039: https://www.mobileread.com/forums/sho...35&postcount=5
Packet flow chart and iptables tutorial: http://www.frozentux.net/iptables-tu...ERSINGOFTABLES
Release posts:
bbb-13038: Bottom of this post.
bbb-13039: https://www.mobileread.com/forums/sho...60&postcount=6
bbb-13040: https://www.mobileread.com/forums/sho...1&postcount=13
bbb-13042: https://www.mobileread.com/forums/sho...3&postcount=24
Public Repository: http://hg.minimodding.com/repos/sys/kBBB.hg/
Conditions:
In the prior thread on the basics of ssh/scp on the Kindle, you learned how to remove the banner and do remote executed programs via ssh.
In the prior thread on the Linux firewall tables, you found there are no restrictions on the USB0 interface.
You also read about the restrictions present on packets originating on the wlan0 (and 3G) interfaces.
You made note of the sequence required to start/stop USBnetwork, from the spoiler in the USBnetworking thread, which is repeated in the spoiler here:
Spoiler:
You may or may not have configured your network automation to automatically bring up the link and set the point-to-point address that you are using on your host PC. There are a number of network automation things used by the various Linux distributions, refer to your distribution information on how to set up yours (not here, your distro's help forum). Windows and MacOSx also have provisions for automating the host connection setup.
Crank-up your USB networked Kindle (a Kpw-5.3.3 used here) and be sure things are still working the way we left them (connection details by nickname, no banner from dropbear):
Code:
    core2quad ~ $ ssh kpw
    #################################################
    # N O T I C E * N O T I C E * N O T I C E #
    #################################################
    Rootfs is mounted read-only. Invoke mntroot rw to switch back to a writable rootfs.
    #################################################
    [root@kindle root]#
You can leave that connection up for your own exploring during the rest of this post.
Someday, the BBB extension may have buttons, but for now, do this manually. Even worse than that, doing it manually reveals some software bugs in the Amazon build of the iptables* utilities. So what follows is not the way I would choose to do this, if I had a choice.
Create a home for the BBB extension iptable script(s) and the modified iptables rule-set(s):
Code:
    core2quad ~ $ ssh kpw "mkdir -p /mnt/us/extensions/bbb/config.d"
    core2quad ~ $ ssh kpw "mkdir -p /mnt/us/extensions/bbb/frags"
    core2quad ~ $ ssh kpw "ls -l /mnt/us/extensions/bbb"
    drwxr-xr-x    2 root     root          8192 Feb  7 15:39 config.d
    drwxr-xr-x    2 root     root          8192 Feb  7 15:40 frags
Code:
    core2quad usb-0.7.N $ scp added-bbb-13038.txt kpw:/mnt/us/extensions/bbb/frags
    added-bbb-13038.txt                           100% 1210     1.2KB/s   00:00
    core2quad usb-0.7.N $ scp del-bbb-13038.sh kpw:/mnt/us/extensions/bbb/config.d
    del-bbb-13038.sh                              100%  741     0.7KB/s   00:00
Now run the iptables-restore utility on the Kindle to install the modified table rule-set:
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13038.txt"
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
    Chain OUTPUT (policy ACCEPT 45 packets, 6024 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        8    696 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.1
        0      0 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
        0      0 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
        0      0 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
You don't need to do anything else, other than connect to Wifi, any Wifi. Wait a few moments, and re-check the counters on the output chain again:
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
    Chain OUTPUT (policy ACCEPT 186 packets, 20334 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        8    696 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.1
       73  11972 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
        8    544 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
       12    720 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        6    360 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
        4    304 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
If you open the 'store' now, after a long, long, long wait you should get a "We applogize, but something went wrong ..." message. Yeah, buddy, and it is going to keep right on "going wrong".
BIG NOTE: This is the Kindle Paperwhite version 5.3.3 with the table from the 5.3.1 firmware! Different versions of the firmware may use different Amazon Cloud access addresses!
AN EVEN BIGGER NOTE: You must re-load the modified table **after** any system re-boot!
A little note: If you get the urge to hack the modified table on your own, your "recovery process" is to re-boot the Kindle. That will re-install the stock iptables rule-set.
To remove the "Big Brother Block" (BBB):
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13038.sh"
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
    Chain OUTPUT (policy ACCEPT 631 packets, 53736 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        8    696 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.1
The file at /etc/sysconfig/iptables is an Amazon copyrighted document, we can't post or redistribute that file. But the output of the iptables-save command is a "data report" generated (and owned) by yourself. People who would like to see a BBB table for their Kindle model and Model's firmware version should post their output report(s) in this thread.
There is a kWall extension in the works, but there is no time-table set for when it might be completed. This work-around is all that I can offer right now.
Current release at: https://www.mobileread.com/forums/sho...3&postcount=24
Last edited by knc1; 02-11-2013 at 07:42 PM. |
02-08-2013, 11:13 AM | #2 |
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
|
iptables v1.4.16.3 2007q3 TC multi-compliant.
BR2_PACKAGE_IPTABLES:
Linux kernel (2.4+) firewall, NAT, and packet mangling tools.
http://www.iptables.org/
License Details: http://www.iptables.org/licensing.html
GPL 2.0
built for compliance using the Code Sourcery 2007 q3 ToolChain (flags by Niluje et al)
Standard Buildroot Source Code for the era of this post. See BR GIT Commits for that
    [root@kindle root]# LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/mnt/us/usr/lib /mnt/us/usr/sbin/iptables --help
Spoiler:
Should be good for the job. On all kindles K2 and newer...
I overkilled on the so naming redundancy as I believe is your preference.
If I missed out any essential "etc" stuff let me know. I ditched the man pages and such. Enjoy.
EDIT: Rudimentary tests like --list work fine...
EDIT: Added iproute2 from https://www.mobileread.com/forums/sho...d.php?t=204385
Last edited by twobob; 02-08-2013 at 02:15 PM. Reason: newer not older |
02-08-2013, 01:29 PM | #3 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
Been giving some more thought about the kWall package (to be) while giving my Kpw its first access to a public (non-AT&T) hotspot. Whoot! I get to post the first "end-user report" (see below). I suppose we should chat a bit more about kWall, later - like: "After Work". |
|
02-08-2013, 01:42 PM | #4 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Field report #1
Kpw-5.3.3 with BBB installed, at a public, non-AT&T (free) WiFi hotspot.
Some of the blocked ranges are not being hit. This is expected behavior. bbb-13038 has both USA and UK cloud access ranges blocked.
The end-user experience could be a bit better - might have a go at using the REJECT (code) target rather than DROP. At least then the foolish lab126 software might at least give up in less than 5 minutes or so.
Non-Amazon DNS is not being used. Need to fix that.
ICMP filter is allowing routing messages. Need to fix that.
For development purposes, adding some pcap format logging to what is being dropped (or rejected) might give a better idea of what the device is attempting to do.
There seems to be a "limit counter" in the system, which only allows a limited number of non-Amazon Wifi connections to fail trying to "call home" - and then it forces you to select a different network. Quite possibly the "limit counter" is being displayed on the 711 page. Need to find and fix that if possible.
Also, a bit of "mangle" table diddling of packet fields may be in order - further research required on that subject. In particular, diddling the SECMARK and CONNSECMARK fields a bit (no pun intended).
Chatty Kathy with the gag on:
Code:
    core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
    Chain OUTPUT (policy ACCEPT 959 packets, 70802 bytes)
     pkts  bytes target  prot opt in    out   source       destination
      506   109K ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.1
      747   123K DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
       66   4008 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
       48   2880 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
       28   1808 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
       24   1440 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
Last edited by knc1; 02-08-2013 at 02:54 PM. |
02-08-2013, 04:56 PM | #5 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Amazon-net-13039
This information also included in the 13039 BBB release archives.
All information based on public registration data as of: Feb. 8, 2013.

K3: 23.0.0.0/12
    NetRange: 23.20.0.0 - 23.23.255.255
    CIDR: 23.20.0.0/14
    OriginAS: AS16509
    NetName: AMAZON-EC2-USEAST-10
    RegDate: 2011-09-19
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZO-4

K3: 50.16.0.0/14
    NetRange: 50.16.0.0 - 50.19.255.255
    CIDR: 50.16.0.0/14
    OriginAS:
    NetName: AMAZON-EC2-8
    RegDate: 2010-10-07
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZO-4

K3: 72.21.192.0/19
    NetRange: 72.21.192.0 - 72.21.223.255
    CIDR: 72.21.192.0/19
    OriginAS:
    NetName: AMAZON-02
    RegDate: 2004-12-30
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4

K3: 107.20.0.0/14
    NetRange: 107.20.0.0 - 107.23.255.255
    CIDR: 107.20.0.0/14
    OriginAS:
    NetName: AMAZON-EC2-8
    RegDate: 2011-05-03
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZO-4

K3: 184.72.0.0/15
    NetRange: 184.72.0.0 - 184.73.255.255
    CIDR: 184.72.0.0/15
    OriginAS:
    NetName: AMAZON-EC2-7
    RegDate: 2010-01-26
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZO-4

K3: 204.246.160.0/19
    NetRange: 204.246.160.0 - 204.246.191.255
    CIDR: 204.246.160.0/19
    OriginAS: AS7224, AS16509, AS39111
    NetName: AMAZON-04
    RegDate: 2009-07-17
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4

K3: 205.251.192.0/18
    NetRange: 205.251.192.0 - 205.251.255.255
    CIDR: 205.251.192.0/18
    OriginAS: AS7224, AS16509, AS39111
    NetName: AMAZON-05
    RegDate: 2010-08-27
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4

K3: 207.171.160.0/19
    NetRange: 207.171.160.0 - 207.171.191.255
    CIDR: 207.171.160.0/19
    OriginAS: AS16509
    NetName: AMAZON-01
    RegDate: 1999-09-23
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4

Kpw: 23.20.0.0/14
    NetRange: 23.20.0.0 - 23.23.255.255
    CIDR: 23.20.0.0/14
    OriginAS: AS16509
    NetName: AMAZON-EC2-USEAST-10
    RegDate: 2011-09-19
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZO-4

Kpw: 54.240.0.0/12
Kpw: 54.240.128.0/18 ** If wanting to screen the sub-net **
    Amazon Technologies Inc. AMAZON-2011L (NET-54-240-0-0-1) 54.240.0.0 - 54.255.255.255
    Amazon Web Services, LLC AWSEMAIL-Z (NET-54-240-0-0-2) 54.240.0.0 - 54.240.63.255

Kpw: 64.208.0.0/16
Kpw: 64.209.0.0/17
    NetRange: 64.208.0.0 - 64.209.127.255
    CIDR: 64.208.0.0/16, 64.209.0.0/17
    OriginAS: AS3549
    RegDate: 2000-03-15
    Updated: 2012-03-02
    OrgName: Level 3 Communications, Inc.
    OrgId: LVLT

Kpw: 72.21.192.0/19
    NetRange: 72.21.192.0 - 72.21.223.255
    CIDR: 72.21.192.0/19
    OriginAS:
    NetName: AMAZON-02
    RegDate: 2004-12-30
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4

Kpw: 176.32.96.0/21
    inetnum: 176.32.96.0 - 176.32.103.255
    netname: amazon-EU-IAD-PROD
    descr: PROD IAD
    country: NL

Kpw: 178.236.0.0/21
    inetnum: 178.236.0.0 - 178.236.7.255
    netname: IE-AMAZON
    descr: Amazon Data Services Ireland
    country: IE

Kpw: 205.251.192.0/18
    NetRange: 205.251.192.0 - 205.251.255.255
    CIDR: 205.251.192.0/18
    OriginAS: AS7224, AS16509, AS39111
    NetName: AMAZON-05
    RegDate: 2010-08-27
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4

Kpw: 207.171.160.0/19
    NetRange: 207.171.160.0 - 207.171.191.255
    CIDR: 207.171.160.0/19
    OriginAS: AS16509
    NetName: AMAZON-01
    RegDate: 1999-09-23
    Updated: 2012-03-02
    OrgName: Amazon.com, Inc.
    OrgId: AMAZON-4 |
02-08-2013, 07:58 PM | #6 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Release 13039
Installation and verification of BBB, issue 13039
Install the rule-set and matching BBB delete script:
Code:
    core2quad usb-0.7.N $ scp added-bbb-13039.txt kpw:/mnt/us/extensions/bbb/frags
    added-bbb-13039.txt                           100% 2234     2.2KB/s   00:00
    core2quad usb-0.7.N $ scp del-bbb-13039.sh kpw:/mnt/us/extensions/bbb/config.d
    del-bbb-13039.sh                              100% 1155     1.1KB/s   00:00
    core2quad usb-0.7.N $ ssh kpw "ls -l /mnt/us/extensions/bbb/*"
    /mnt/us/extensions/bbb/config.d:
    -rwxr-xr-x    1 root     root           741 Feb  7 15:57 del-bbb-13038.sh
    -rwxr-xr-x    1 root     root          1155 Feb  8 18:07 del-bbb-13039.sh
    /mnt/us/extensions/bbb/frags:
    -rwxr-xr-x    1 root     root          1210 Feb  7 16:33 added-bbb-13038.txt
    -rwxr-xr-x    1 root     root          2234 Feb  8 18:07 added-bbb-13039.txt
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13039.txt"
The current firewall should now look like this:
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
       62  12125 ACCEPT  all  -- usb0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- lo    *     127.0.0.0/8  0.0.0.0/0
        0      0 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    icmp type 8
        3    252 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    icmp type 0
        0      0 DROP    icmp -- *     *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
      103  50939 ACCEPT  udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        2    624 DROP    udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        1     28 DROP    all  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:40317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:49317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:33434
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    tcp dpt:40317
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 108 packets, 6809 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.0/8
       69  17026 ACCEPT  all  -- *     usb0  0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- *     *     0.0.0.0/0    23.0.0.0/12
       87  14268 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    50.16.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
       14    904 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
        0      0 DROP    all  -- *     *     0.0.0.0/0    107.20.0.0/14
        6    360 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    184.72.0.0/15
        0      0 DROP    all  -- *     *     0.0.0.0/0    204.246.160.0/19
        4    304 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
To remove the BBB restrictions (only the BBB output restrictions):
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13039.sh"
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
    Chain OUTPUT (policy ACCEPT 261 packets, 16392 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.0/8
      118  27290 ACCEPT  all  -- *     usb0  0.0.0.0/0    0.0.0.0/0 |
02-08-2013, 09:32 PM | #7 |
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
|
Given a smattering of iptables --check that could be end user friendly...
And would only require one button "TOGGLE BBB". Thoughts on that? |
02-08-2013, 09:46 PM | #8 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Too late tonight for checking on that, but . . . .
The following is for the case of two buttons, ON and OFF -
I will try to get my K3 as up to date with current customizations as I have my Kpw and test out the 3G stuff - but as of this release, it is the same functionality that was in the "stock" firewall. |
02-08-2013, 10:02 PM | #9 |
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
|
I gave the script a read.
A single parsed existence check for a single known value in each instance would do the toggle job, no more complex than that in my mind. Single check. Ready for a button.
I noted a handy way of injecting info into the status bar on the touch (Eureka? I will dig it out) that may have some value on PW also. Will check on other models... |
02-08-2013, 10:09 PM | #10 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
If the end-user wants to **not** block something I choose to block, all they have to do is put a # in front of the line. Ah, the *.txt rule-sets support comments - and I put some in this most recent one - just look at the add-bbb-13039.txt rule-set. |
|
02-08-2013, 10:12 PM | #11 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
I am hoping we can get the "button label feedback" we have discussed by the time I get kWall written - that will cut the number of all buttons required in half, me and every other helper.
|
02-08-2013, 10:22 PM | #12 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Without any reports or feedback - I had to use kTerm during my "public hotspot" testing today. . . .
I was smirking a bit at the other fools in-range trying to get into my e-book. Nobody was expecting an e-book with an industrial strength firewall. I don't know if it is POI ready - Finch is pretty smart. Last edited by knc1; 02-08-2013 at 10:26 PM. |
02-08-2013, 10:39 PM | #13 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Release 13040
After three revisions, everyone should know the manual "install" process by now:
Code:
    core2quad usb-0.7.N $ scp added-bbb-13040.txt kpw:/mnt/us/extensions/bbb/frags
    added-bbb-13040.txt                           100% 2474     2.4KB/s   00:00
    core2quad usb-0.7.N $ scp del-bbb-13040.sh kpw:/mnt/us/extensions/bbb/config.d
    del-bbb-13040.sh                              100% 1506     1.5KB/s   00:00
    core2quad usb-0.7.N $ ssh kpw "ls -l /mnt/us/extensions/bbb/*"
    /mnt/us/extensions/bbb/config.d:
    -rwxr-xr-x    1 root     root           741 Feb  7 15:57 del-bbb-13038.sh
    -rwxr-xr-x    1 root     root          1125 Feb  8 18:20 del-bbb-13039.sh
    -rwxr-xr-x    1 root     root          1506 Feb  9 09:38 del-bbb-13040.sh
    /mnt/us/extensions/bbb/frags:
    -rwxr-xr-x    1 root     root          1210 Feb  7 16:33 added-bbb-13038.txt
    -rwxr-xr-x    1 root     root          2236 Feb  8 18:29 added-bbb-13039.txt
    -rwxr-xr-x    1 root     root          2474 Feb  9 09:38 added-bbb-13040.txt
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13040.txt"
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
       21   4059 ACCEPT  all  -- usb0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- lo    *     127.0.0.0/8  0.0.0.0/0
        0      0 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    icmp type 8
        0      0 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    icmp -- *     *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        0      0 DROP    udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:40317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:49317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:33434
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    tcp dpt:40317
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.0/8
        0      0 DROP    all  -- *     *     0.0.0.0/0    23.0.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    50.16.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
        0      0 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
        0      0 DROP    all  -- *     *     0.0.0.0/0    107.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    184.72.0.0/15
        0      0 DROP    all  -- *     *     0.0.0.0/0    204.246.160.0/19
        0      0 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
       21   2910 ACCEPT  all  -- *     usb0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     wlan0 0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
       44   8222 ACCEPT  all  -- usb0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- lo    *     127.0.0.0/8  0.0.0.0/0
        0      0 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    icmp type 8
        0      0 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    icmp -- *     *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
       16   6620 ACCEPT  udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        2    624 DROP    udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:40317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:49317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:33434
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    tcp dpt:40317
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.0/8
        0      0 DROP    all  -- *     *     0.0.0.0/0    23.0.0.0/12
        7   1148 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    50.16.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
        8    512 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
        0      0 DROP    all  -- *     *     0.0.0.0/0    107.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    184.72.0.0/15
        0      0 DROP    all  -- *     *     0.0.0.0/0    204.246.160.0/19
        2    152 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
       46  10308 ACCEPT  all  -- *     usb0  0.0.0.0/0    0.0.0.0/0
       16   1070 ACCEPT  all  -- *     wlan0 0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0
After a short "Public Wifi HotSpot" visit (three carriers available, including AT&T). None of which Chatty Kathy can successfully connect to (connects to home Wifi just fine);
Code:
    core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL"
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
       67  12937 ACCEPT  all  -- usb0  *     0.0.0.0/0    0.0.0.0/0
      180  40362 ACCEPT  all  -- lo    *     127.0.0.0/8  0.0.0.0/0
        1     48 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    icmp type 8
        0      0 ACCEPT  icmp -- *     *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    icmp -- *     *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
      320   162K ACCEPT  udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        6   1992 DROP    udp  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        3     84 DROP    all  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:40317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:49317
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    udp spt:33434
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    tcp dpt:40317
        0      0 ACCEPT  tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
        0      0 DROP    tcp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  udp  -- ppp0  *     0.0.0.0/0    0.0.0.0/0    state ESTABLISHED
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
        0      0 DROP    all  -- ppp0  *     0.0.0.0/0    0.0.0.0/0
        0      0 DROP    all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
      180  40362 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.0/8
        0      0 DROP    all  -- *     *     0.0.0.0/0    23.0.0.0/12
      295  48380 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    50.16.0.0/14
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.128.0/18
        0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.208.0.0/16
        0      0 DROP    all  -- *     *     0.0.0.0/0    64.209.0.0/17
       18   1144 DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
        0      0 DROP    all  -- *     *     0.0.0.0/0    107.20.0.0/14
       19   1120 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    178.236.0.0/21
        0      0 DROP    all  -- *     *     0.0.0.0/0    184.72.0.0/15
        0      0 DROP    all  -- *     *     0.0.0.0/0    204.246.160.0/19
        4    304 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18
        8    480 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
       71  17714 ACCEPT  all  -- *     usb0  0.0.0.0/0    0.0.0.0/0
      330  20591 ACCEPT  all  -- *     wlan0 0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0
On the input chain:
Code:
        3     84 DROP    all  -- wlan0 *     0.0.0.0/0    0.0.0.0/0
On the output chain BBB filter:
Code:
       19   1120 DROP    all  -- *     *     0.0.0.0/0    176.32.96.0/21
        8    480 DROP    all  -- *     *     0.0.0.0/0    207.171.160.0/19
Also, local host (lo) is in heavy use. Which may or may not be related.
Removing the BBB filter:
Code:
    ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13040.sh"
To see an example, just try removing the BBB filter twice in a row. A "long touch" (on the Kpw) will bring up a dialog box that allows you to delete the file.
Now confirm that the BBB filter is gone:
Code:
    core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts  bytes target  prot opt in    out   source       destination
      384  61548 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.0/8
      781   115K ACCEPT  all  -- *     usb0  0.0.0.0/0    0.0.0.0/0
      330  20591 ACCEPT  all  -- *     wlan0 0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     ppp0  0.0.0.0/0    0.0.0.0/0
        0      0 ACCEPT  all  -- *     *     0.0.0.0/0    0.0.0.0/0
Last edited by knc1; 02-09-2013 at 01:36 PM. |
02-08-2013, 10:50 PM | #14 |
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
|
re parsing
|
02-09-2013, 02:51 AM | #15 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Are you meaning that: iptables --check that was posted above?
It is there with that design, or at least all that is practical to include.
At the top of each chain are two counters; if the chain rules are intended to account for everything, then they should always be zero:zero.
Notice that the OUTPUT chain counters are not zero:zero. Which means the "audit" counts on each rule do not total up to the number of packets:bytes that entered the chain (the top count is the number un-accounted for). Which means that top count of packets and bytes were handled by the "default" policy of the chain - in this case "drop". Which is not necessarily "wrong" - just not included in the itemized counts.
There are (well "was supposed to be") a total accounting of all traffic by interface:protocol that was expected on the network. Which is in each case followed by a "catch-all" counter of that which wasn't expected.
To "check" the rule-set, duplicate that final "catch-all" rule with the exception of the target, instead, use the non-terminating target of "log".
And then, the order matters. **That** is very hard to "check" other than by eye. Plus, it depends on the routing rules in place when the packet hit the firewall. See the pretty packet-flow chart in the linked off-site reference.
The "mis-placed" rule would have allowed packets to escape the drop filter ****IF**** there had been a routing rule that allowed it. There isn't (wasn't).
The two "missing" rules are the reason that the output chain is reporting un-audited packets.
So fixing 13039 with 13040 can wait until I have had a night's sleep. No harm, no foul. ;) |
|
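An added example, not from the thread or the kBBB repository: a POSIX sh/awk reader for the `iptables -vnL` reports posted above. It does by script what post #4 and post #15 do by eye: lists which BBB ranges have actually been hit, reports a chain's policy counters (the un-audited packets), and gives the single parsed existence check a TOGGLE button would need. The range list is the bbb-13038 OUTPUT set from post #1; the report is a constructed sample in the same layout, not a real capture.

```shell
#!/bin/sh
# Reader for `iptables -vnL` reports (added example; each function reads the report on stdin).
# On the Kindle side the report would come from:  ssh kpw "PATH=$PATH ; iptables -vnL" | bbb_hits

# Destinations dropped by the bbb-13038 OUTPUT rules (post #1 of the thread).
BBB_RANGES="23.20.0.0/14 54.240.0.0/12 54.240.128.0/18 64.208.0.0/16 64.209.0.0/17 \
72.21.192.0/19 176.32.96.0/21 178.236.0.0/21 205.251.192.0/18 207.171.160.0/19"

# Constructed sample in the layout iptables -vnL prints (not a real capture).
# Only four of the ten BBB rules are present, so the existence check reports six missing.
SAMPLE_REPORT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts  bytes target  prot opt in    out   source       destination
   62  12125 ACCEPT  all  -- usb0  *     0.0.0.0/0    0.0.0.0/0
    1     28 DROP    all  -- wlan0 *     0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 186 packets, 20334 bytes)
 pkts  bytes target  prot opt in    out   source       destination
    8    696 ACCEPT  all  -- *     lo    0.0.0.0/0    127.0.0.1
   73  11972 DROP    all  -- *     *     0.0.0.0/0    23.20.0.0/14
    0      0 DROP    all  -- *     *     0.0.0.0/0    54.240.0.0/12
  747   123K DROP    all  -- *     *     0.0.0.0/0    72.21.192.0/19
    4    304 DROP    all  -- *     *     0.0.0.0/0    205.251.192.0/18'

# awk helper: iptables -v abbreviates large counters with K/M/G (multiples of 1000).
AWK_TONUM='function tonum(s,  n, u) {
    n = s + 0; u = substr(s, length(s), 1)
    if (u == "K") { n = n * 1000 }
    else if (u == "M") { n = n * 1000000 }
    else if (u == "G") { n = n * 1000000000 }
    return n
}'

# bbb_hits: print "range pkts bytes" for every BBB rule in OUTPUT whose counter is
# non-zero, i.e. every cloud range the device tried to reach and was stopped from reaching.
bbb_hits() {
    awk -v ranges="$BBB_RANGES" "$AWK_TONUM"'
    BEGIN { n = split(ranges, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    $1 == "Chain" { chain = $2; next }
    chain == "OUTPUT" && $3 == "DROP" && ($9 in want) && tonum($1) > 0 {
        printf "%s %d %d\n", $9, tonum($1), tonum($2)
    }'
}

# bbb_missing: print the BBB ranges that have no DROP rule in OUTPUT, one per line.
# Empty output means the filter is loaded; that is the single parsed existence check
# a TOGGLE button needs before deciding whether to restore the fragment or run del-bbb.
bbb_missing() {
    awk -v ranges="$BBB_RANGES" '
    BEGIN { n = split(ranges, r, " ") }
    $1 == "Chain" { chain = $2; next }
    chain == "OUTPUT" && $3 == "DROP" { seen[$9] = 1 }
    END { for (i = 1; i <= n; i++) if (!(r[i] in seen)) print r[i] }'
}

# chain_unaudited CHAIN: print "pkts bytes" that no rule matched and the chain policy
# handled. If the rule-set accounts for everything (post #15) this is "0 0".
chain_unaudited() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { gsub(/[(),]/, ""); print $5, $7 }'
}

# Stand-alone demonstration on the constructed sample.
echo "BBB ranges hit:";        printf '%s\n' "$SAMPLE_REPORT" | bbb_hits
echo "BBB ranges not loaded:"; printf '%s\n' "$SAMPLE_REPORT" | bbb_missing
echo "OUTPUT un-audited (pkts bytes): $(printf '%s\n' "$SAMPLE_REPORT" | chain_unaudited OUTPUT)"
```

The same functions are assumed to work under the Kindle's Busybox awk, which is not verified here.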