Kindle Touch and PuTTy

[knc1]

Quote:

Originally Posted by hawhill

iptables is probably a good option here, yes. The rules are slightly wrong, though. First, the "ACCEPT" lines would never match since the "-j" jump to the DROP target is a final action. The DROP target should be jumped to after checking the more specific ACCEPT rules.

And then if they would match - it's very probable that the Kindle's wlan0 interface will have a local IP, so all outgoing connections would be allowed (-s is the "source" IP switch). You probably meant to allow connections _to_ the local network, which would be the "-d" flag instead of the "-s" flag. Although I can't really see why even local connections should be allowed. The DROP line would be sufficient.

Agree to all of above, but there are some even more basics being missed out on - - -

You do not have to write that ruleset table yourself, in fact it is rarely written by hand.
There is an iptables command option to write it correctly, in the format that matches the version/implementation of iptables that is being used.

Note: These are Busybox based systems - which may or may not have the for-real iptables command installed rather than using the Busybox version. You really need to check which version (Busybox minimum implementation or Real, full implementation).

The ruleset for iptables is a declarative programming language -
Never, ever, quote only a sub-set of the commands present.
The above quote is either (incorrectly) hand-written or only a sub-set of the commands present.

A Kindle may have at least three interface devices - 3G, Wifi, and USBnet.
When you include an interface name in a rule, it applies to only that interface.
As an example: If you want the quoted rules above to apply to all interfaces (regardless of how many) then do not include the interface limitation ("-i <interface name>").

As Hawhill points out, "drop" and "accept" are two of the (several) terminal targets - - -
So if you "drop" everything on "-i wlan0" then that is the end of the life of those packets, they are dead on the floor, never to be seen or heard from again.

As Hawhill points out, the distinction of "source" and "destination" is reversed in the above example.

As the O.P. points out, the above snippet was never tried (because it can not possibly work as described/intended).

In addition to only being applied to one of the three network interfaces, as written above - - -
It will probably be only minutes (or a few days) before some crafty kid learns how to rename an interface so that it no longer matches any of the interface names mentioned in this snippet.

Translation: Nice try but useless as presented.

[bhaak]

Quote:

Originally Posted by hawhill

iptables is probably a good option here, yes. The rules are slightly wrong, though. First, the "ACCEPT" lines would never match since the "-j" jump to the DROP target is a final action. The DROP target should be jumped to after checking the more specific ACCEPT rules.

And then if they would match - it's very probable that the Kindle's wlan0 interface will have a local IP, so all outgoing connections would be allowed (-s is the "source" IP switch). You probably meant to allow connections _to_ the local network, which would be the "-d" flag instead of the "-s" flag.

Thanks, it's been awhile since I used iptables and you are of course completely right.

Quote:

Originally Posted by hawhill

Although I can't really see why even local connections should be allowed. The DROP line would be sufficient.

But then you can't ssh by wi-fi into your kindle anymore. At least for me that's really neat and I wouldn't want to miss it and having to handle the usb cable for transferring stuff.

I've updated my post with rules that allow private IPs and drops anything else for all interfaces.

[bhaak]

Quote:

Originally Posted by knc1

Note: These are Busybox based systems - which may or may not have the for-real iptables command installed rather than using the Busybox version. You really need to check which version (Busybox minimum implementation or Real, full implementation).

The iptables command identifies itself as "iptables v1.3.8". Looks like the real, although slightly oldish, deal.

Quote:

Originally Posted by knc1

The ruleset for iptables is a declarative programming language -
Never, ever, quote only a sub-set of the commands present.
The above quote is either (incorrectly) hand-written or only a sub-set of the commands present.

If you've read my posting attentively enough, you would have seen that I said to insert the rules into /etc/sysconfig/iptables. This file is used as input for iptables-restore when the network is started.

Quote:

Originally Posted by knc1

A Kindle may have at least three interface devices - 3G, Wifi, and USBnet.
When you include an interface name in a rule, it applies to only that interface.

It was intentional to only use the wlan0 interface because you don't need to restrict the usbnet interface. If you've got access to a computer that can connect to the internet, you don't need the kindle connected via a USB cable.

But I actually forgot the 3G interface. I always forget that one, because I don't have a KT with 3G and IMO it's more useful to Amazon than for the user.

Quote:

Originally Posted by knc1

As the O.P. points out, the above snippet was never tried (because it can not possibly work as described/intended).

No, it wasn't tried out because I wasn't in a wi-fi from which I could ssh into my Kindle to test it.

Quote:

Originally Posted by knc1

In addition to only being applied to one of the three network interfaces, as written above - - -
It will probably be only minutes (or a few days) before some crafty kid learns how to rename an interface so that it no longer matches any of the interface names mentioned in this snippet.

Which would be a cool thing to do for any kid. You can't completely lock down a device like the Kindle so it is impossible to access the internet. The only way would be to not give the device to the user in the first place. You can only make it harder. As soon as somebody has the device in his or her hands, they can do quite a lot with it to customize ... but we already know this, after all we're here in Kindle Developer's Corner.

[knc1]

Quote:

Originally Posted by bhaak

Which would be a cool thing to do for any kid. You can't completely lock down a device like the Kindle so it is impossible to access the internet. The only way would be to not give the device to the user in the first place. You can only make it harder. As soon as somebody has the device in his or her hands, they can do quite a lot with it to customize ... but we already know this, after all we're here in Kindle Developer's Corner.

Agreed, but that is (was?) the O.P.'s original purpose in posting here.
A "child proof" e-book reader.
Yeah, right!

The place to insert the rules is into the Kid, not the Kindle.
As others here have already written.

[bhaak]

Quote:

Originally Posted by knc1

Agreed, but that is (was?) the O.P.'s original purpose in posting here.
A "child proof" e-book reader.
Yeah, right!

The place to insert the rules is into the Kid, not the Kindle.
As others here have already written.

Yes, or if my Kid was able to circumvent all I could setup, it had earned to have free access.