Quote:
Originally Posted by hawhill
iptables is probably a good option here, yes. The rules are slightly wrong, though. First, the "ACCEPT" lines would never match since the "-j" jump to the DROP target is a final action. The DROP target should be jumped to after checking the more specific ACCEPT rules.
And then if they would match - it's very probable that the Kindle's wlan0 interface will have a local IP, so all outgoing connections would be allowed (-s is the "source" IP switch). You probably meant to allow connections _to_ the local network, which would be the "-d" flag instead of the "-s" flag. Although I can't really see why even local connections should be allowed. The DROP line would be sufficient.
Agree to all of above, but there are some even more basics being missed out on - - -
You do not have to write that ruleset table yourself, in fact it is rarely written by hand.
There is an iptables command option to write it correctly, in the format that matches the version/implementation of iptables that is being used.
Note: These are Busybox based systems - which may or may not have the for-real iptables command installed rather than using the Busybox version. You really need to check which version (Busybox minimum implementation or Real, full implementation).
The ruleset for iptables is a declarative programming language -
Never, ever, quote only a sub-set of the commands present.
The above quote is either (incorrectly) hand-written or only a sub-set of the commands present.
A Kindle may have at least three interface devices - 3G, Wifi, and USBnet.
When you include an interface name in a rule, it applies to only that interface.
As an example: If you want the quoted rules above to apply to all interfaces (regardless of how many) then do not include the interface limitation ("-i <interface name>").
As Hawhill points out, "drop" and "accept" are two of the (several) terminal targets - - -
So if you "drop" everything on "-i wlan0" then that is the end of the life of those packets, they are dead on the floor, never to be seen or heard from again.
As Hawhill points out, the distinction of "source" and "destination" is reversed in the above example.
As the O.P. points out, the above snippet was never tried (because it cannot possibly work as described/intended).
In addition to only being applied to one of the three network interfaces, as written above - - -
It will probably be only minutes (or a few days) before some crafty kid learns how to rename an interface so that it no longer matches any of the interface names mentioned in this snippet.
Translation: Nice try but useless as presented.
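Added example (not from the original post or either poster): a small POSIX sh script that generates an iptables-save/iptables-restore format ruleset the way the thread says it should be written, with the specific ACCEPT rules before the terminal DROP, "-d" rather than "-s" to match traffic going *to* the local network, and no "-i/-o <interface>" restriction so the rules apply to every interface, whatever it is named. It also includes a check for the ordering mistake hawhill describes and a check of whether the "iptables" on the box is a BusyBox applet symlink or a standalone binary. The LAN range 192.168.0.0/16 and the "bad_rules" ruleset are constructed for illustration; neither is the O.P.'s actual text.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes: LAN is 192.168.0.0/16
# (override with LAN_NET=...), and the goal is "drop all outgoing traffic
# except to the local network". Needs root and iptables-restore to apply.

LAN_NET="${LAN_NET:-192.168.0.0/16}"   # assumed local range, not from the post

# Emit a ruleset in iptables-save format (what iptables-restore reads).
# Specific ACCEPTs come first; the catch-all DROP is the last OUTPUT rule,
# because DROP is terminal and nothing after it would ever be reached.
# "-d" matches the destination: traffic *to* the LAN. No interface is
# named, so renaming wlan0 or using 3G/USBnet does not sidestep the rules.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $LAN_NET -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Constructed counter-example showing the two mistakes the thread describes:
# DROP before ACCEPT (ACCEPT never matches) and "-s" instead of "-d"
# (the device's own LAN address is the source of every outgoing packet,
# so "-s LAN" would allow everything if it were ever reached).
bad_rules() {
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -j DROP
-A OUTPUT -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if no OUTPUT ACCEPT rule appears
# after an unconditional OUTPUT DROP.
check_order() {
    awk '
        /^-A OUTPUT -j DROP$/      { drop = 1 }
        /^-A OUTPUT .*-j ACCEPT$/  { if (drop) bad = 1 }
        END                        { exit bad ? 1 : 0 }'
}

# Print "busybox" if iptables resolves to a busybox applet symlink,
# "standalone" if it is its own binary, "missing" if not installed.
iptables_flavour() {
    bin=$(command -v iptables 2>/dev/null) || { echo missing; return 0; }
    case "$(readlink -f "$bin" 2>/dev/null)" in
        *busybox*) echo busybox ;;
        *)         echo standalone ;;
    esac
}

# Usage (as root on the device):
#   gen_rules | check_order && gen_rules > /tmp/fw.rules
#   iptables-restore < /tmp/fw.rules
#   iptables-save          # shows what the kernel actually loaded
```

Once loaded, "iptables-save" prints the live ruleset in exactly this format, which is the complete listing the post asks for instead of a hand-typed subset; "iptables_flavour" tells you whether that command is the full implementation or a BusyBox applet before you rely on any extension it may not support.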