Can't connect via wifi, but wifi works

[koziej]

Hello.
I had a jailbroken Kindle Touch with working bearbox/ssh server.
I installed usbnetwork package because i needed rsync and it installed properly, but for some reason i can no longer connect ot kindle via WIFI.
Connecting through usbnet works, wifi form kindle works and i can access inter, I can ping my comptuer from kinde, but I cannot ping Kindle from my computer, nor connect (it timeouts)
iptables allow all connections.
I've run out of ideas, where should I look for the source of this problem?

Any hints welcome,

and by the way: thanks for all the great work on Kindle hacking!

Best regards,

m.

[NiLuJe]

Did you ever tweak iptables yourself, and how did you configure USBNet?

[koziej]

I didn't touch iptables, just checked if maybe there are some rules.

I placed update_usbnet_0.15.N_install_touch_pw.bin in /mnt/us using SCP and updated via standard settings->update procedure (i had to enable "lipc-set-prop com.lab126.ota startUpdate 1" for the menu option to be enabled ).
Then i couldn't connect via ssh anymore, so i trind USB cable and managed to log into device.
I found usbnet to be installed where it should, with logfile saying:

Code:

[root@kindle usbnet]# cat usbnetwork_install.log 

usbnetwork v0.15.N, Thu Jan 16 22:15:55 GMT+10:19100 2014
symbolic link /usr/local/bin/dbclient -> /usr/local/bin/dropbearmulti exists, deleting...
symbolic link /usr/local/bin/dropbearconvert -> /usr/local/bin/dropbearmulti exists, deleting...
symbolic link /usr/local/bin/dropbearkey -> /usr/local/bin/dropbearmulti exists, deleting...
symbolic link /usr/local/sbin/dropbear -> /usr/local/bin/dropbearmulti exists, deleting...
symbolic link /usr/local/bin/scp -> /usr/local/bin/dropbearmulti exists, deleting...
/usr/local/etc/dropbear/dropbear_rsa_host_key exists, deleting...
/usr/local/bin/dropbearmulti exists, deleting...
/usr/local/bin/usbnetwork.sh exists and is not a symlink, deleting...
Binary /usr/sbin/lsof already exists, skipping...
S/N B011140714771FD1 => NIC 111FD1
mac is valid
kdb keyfile looks ok
Done!

yet the wifi is in staty I described. I can connect out of kindle, I can't connect to Kindle. Pretty strange. Maybe I need some hard reboot of the device? Could it be wifi card problem?


m.

[koziej]

also I don't think it's the router problem - It worked this morning without changing anything, I have of course restarted it.

[knc1]

Quote:

Originally Posted by koziej

I cannot ping Kindle from my computer, nor connect (it timeouts)
iptables allow all connections.

Well - only if you (or some program) altered the iptables.
Normally, it drops all incoming (original) connections.

Install the Kindle Firewall -

Add an "accept" statement to the top of the chain appropriate to what you want to allow and from which device.
Our (my) firewall is structured a chain-per-device and any exceptions go in as rule #1 (each time an exception is made).

[koziej]

does it look right?

Code:

 iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:40317 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp spt:40317 
ACCEPT     udp  --  anywhere             anywhere            udp spt:49317 
ACCEPT     udp  --  anywhere             anywhere            udp spt:33434 
ACCEPT     all  --  localhost.localdomain  anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             localhost.localdomain

[NiLuJe]

What knc1 said. On a vanilla device, you shouldn't have been able to connect over WiFi. USBNet doesn't touch that by default.

There's a dedicated setting in USBNet that makes a hole in iptables for SSH over WiFi [and only that] (aptly title 'Enable SSH over WiFI' in the KUAL extension) , but if you want more control over the whole rule set, follow knc1's advice, it's his baby .

[koziej]

Yes! That's right.
There's even USE_WIFI option. I guess my previous usbnet did that by default.
Thank You!

[NiLuJe]

Err, no, that has *never* been the default, because it also disables the 'no password' code path in dropbear .

[knc1]

Quote:

Originally Posted by koziej

does it look right?

Code:

 iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:40317 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp spt:40317 
ACCEPT     udp  --  anywhere             anywhere            udp spt:49317 
ACCEPT     udp  --  anywhere             anywhere            udp spt:33434 
ACCEPT     all  --  localhost.localdomain  anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             localhost.localdomain

#1 - that looks like the Amazon firewall - I offer zero, zip, nada support for that.

#2 - consistent with the behavior you describe - drops any new incoming connections (except to Amazon's control ports).

#3 - When (If) you install the KUAL firewall, you can disable the BBB (Block Big Brother) feature and still have the more detailed (and easily changed) firewall structure.