Installation and verification of BBB, issue 13039
- Should be sufficiently complete now to use on all Kindle models.
- Only tested on: K3 and Kpw firmwares, so it might miss something used by other models.
- Updated to include all currently known Amazon (and associates) IP address ranges.
- Known registration information file now included in the released archives.
- Since technical difficulties force restoring only a complete table, this one is a lot closer to a real-life firewall.
Install the rule-set and matching BBB delete script:
Code:
core2quad usb-0.7.N $ scp added-bbb-13039.txt kpw:/mnt/us/extensions/bbb/frags
added-bbb-13039.txt 100% 2234 2.2KB/s 00:00
core2quad usb-0.7.N $ scp del-bbb-13039.sh kpw:/mnt/us/extensions/bbb/config.d
del-bbb-13039.sh 100% 1155 1.1KB/s 00:00
core2quad usb-0.7.N $ ssh kpw "ls -l /mnt/us/extensions/bbb/*"
/mnt/us/extensions/bbb/config.d:
-rwxr-xr-x    1 root     root          741 Feb  7 15:57 del-bbb-13038.sh
-rwxr-xr-x    1 root     root         1155 Feb  8 18:07 del-bbb-13039.sh

/mnt/us/extensions/bbb/frags:
-rwxr-xr-x    1 root     root         1210 Feb  7 16:33 added-bbb-13038.txt
-rwxr-xr-x    1 root     root         2234 Feb  8 18:07 added-bbb-13039.txt
Re-load the kernel's firewall tables:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables-restore < /mnt/us/extensions/bbb/frags/added-bbb-13039.txt"
Crank up your Wifi (or 3G - untested), play around a bit, and ...
The current firewall should now look like this:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   62 12125 ACCEPT     all  --  usb0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    3   252 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
  103 50939 ACCEPT     udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    2   624 DROP       udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    1    28 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp spt:40317
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp spt:49317
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp spt:33434
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40317
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 108 packets, 6809 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8
   69 17026 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12
   87 14268 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17
   14   904 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14
    6   360 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19
    4   304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19
Note the much better accounting and the removal of some lab126 screw-ups.
To remove the BBB restrictions (only the BBB output restrictions):
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; /mnt/us/extensions/bbb/config.d/del-bbb-13039.sh"
Confirm that they are now gone:
Code:
core2quad usb-0.7.N $ ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT"
Chain OUTPUT (policy ACCEPT 261 packets, 16392 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8
  118 27290 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0
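Added check script (an editor's example, not part of the BBB release archive or the del-bbb script): it turns the two "look at the listing" steps above into something you can run from the host. It takes the text of `iptables -vnL OUTPUT` as a string and reports which of the BBB DROP destinations are missing after the restore, which are still there after del-bbb-13039.sh, and which ones have already eaten packets. The range list is copied from the OUTPUT chain shown above, and the two embedded listings are constructed copies of that chain before and after the delete; the `kpw` ssh alias in the usage comment is the one used in the post.

```shell
#!/bin/sh
# Added example, not part of the BBB extension: sanity-check an
# `iptables -vnL OUTPUT` listing for the added-bbb-13039 rule-set.
# Real use on the host (same ssh alias as the post):
#   listing=$(ssh kpw "PATH=$PATH ; iptables -vnL OUTPUT")
#   bbb_missing "$listing" && bbb_hits "$listing"

# Destination ranges the 13039 rule-set DROPs, copied from the OUTPUT chain above.
BBB_RANGES="23.0.0.0/12 23.20.0.0/14 50.16.0.0/14 54.240.128.0/18 54.240.0.0/12
64.208.0.0/16 64.209.0.0/17 72.21.192.0/19 107.20.0.0/14 176.32.96.0/21
178.236.0.0/21 184.72.0.0/15 204.246.160.0/19 205.251.192.0/18 207.171.160.0/19"

# Constructed sample: the OUTPUT chain after iptables-restore of the fragment.
SAMPLE_WITH_BBB=$(cat <<'EOF'
Chain OUTPUT (policy ACCEPT 108 packets, 6809 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8
   69 17026 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12
   87 14268 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14
    0     0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18
    0     0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16
    0     0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17
   14   904 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19
    0     0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14
    6   360 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21
    0     0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21
    0     0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15
    0     0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19
    4   304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18
    0     0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19
EOF
)

# Constructed sample: the OUTPUT chain after running del-bbb-13039.sh.
SAMPLE_AFTER_DEL=$(cat <<'EOF'
Chain OUTPUT (policy ACCEPT 261 packets, 16392 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8
  118 27290 ACCEPT     all  --  *      usb0    0.0.0.0/0            0.0.0.0/0
EOF
)

# _has_drop LISTING RANGE: true when LISTING holds a DROP rule whose
# destination is RANGE.  In -vnL rows field 3 is the target, field 9 the
# destination (the chain header and column header never match).
_has_drop() {
    printf '%s\n' "$1" | awk -v r="$2" '$3 == "DROP" && $9 == r { f = 1 } END { exit !f }'
}

# bbb_missing LISTING: print each expected range with no DROP rule;
# exit 0 only when the whole rule-set is present.
bbb_missing() {
    _missing=0
    for _r in $BBB_RANGES; do
        if ! _has_drop "$1" "$_r"; then
            echo "$_r"
            _missing=$((_missing + 1))
        fi
    done
    [ "$_missing" -eq 0 ]
}

# bbb_present LISTING: the converse, for the "confirm they are gone" step;
# print each BBB DROP rule still loaded, exit 0 only when none remain.
bbb_present() {
    _left=0
    for _r in $BBB_RANGES; do
        if _has_drop "$1" "$_r"; then
            echo "$_r"
            _left=$((_left + 1))
        fi
    done
    [ "$_left" -eq 0 ]
}

# bbb_hits LISTING: print "<range> <pkts>" for every DROP rule whose packet
# counter is non-zero, i.e. the destinations the rule-set has actually blocked.
bbb_hits() {
    printf '%s\n' "$1" | awk '$3 == "DROP" && $1 + 0 > 0 { print $9, $1 }'
}

# Stand-alone run against the constructed samples.
if bbb_missing "$SAMPLE_WITH_BBB" >/dev/null; then
    echo "13039 rule-set loaded; destinations blocked so far:"
    bbb_hits "$SAMPLE_WITH_BBB"
fi
if bbb_present "$SAMPLE_AFTER_DEL" >/dev/null; then
    echo "BBB output restrictions removed"
fi
```

The check keys on target plus destination rather than on row position, so it is unaffected by the extra ACCEPT rules for lo and usb0 or by anything else lab126 leaves in the chain, and it reads the counters from the same listing so one `ssh kpw` round trip answers both "is it loaded" and "is it catching anything".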