02-07-2012, 10:05 AM | #1
Junior Member
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
Iptables Rule to Block Amazon access to Kindle 4 non-touch
Hey guys.
I have been reading this forum for months. Thank you again for the great support from all the great community here! I have a Kindle 4 non-touch, which broke last week (without doing anything, the screen went all garbled and the lower part wasn't usable anymore). Amazon Warranty service sent me another one, which arrived today. You know the procedure ... they deregistered the old one and registered the new one in my account. All went well. I ordered today a "replacement Kindle 4 screen" from alibaba (some components ??? website). My old Kindle is rooted (THANK YOU guys again). IF I fix the screen (repair the screen) I know I can still use the old one (without registering to Amazon) by transferring books via USB from my computer, BUT I need a viable way to BLOCK all traffic to and from amazon.com. Searching the internet I've seen some people saying that Amazon will "brick" my old device. Some people say they will "push update OTA" ... well ... a lot of opinions. I want to BLOCK Amazon access to my device permanently but allow internet access to any other website (aka wikipedia / google ... whatever). I've found a K3 related post here ... but altering the route with route add default deny ... won't work for me (I would like more than local LAN access). My question is actually NOT the iptables rules, but the IPs / addresses that I need to filter out. I will write the -DROP rules myself. Thank you so much again!
02-07-2012, 10:34 AM | #2
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
I have seen postings of various Kindle 'stock' ip rules that have one or more destination ports open (-dport 4xxxx -j ACCEPT). Getting rid of those will handle inbound blocking. Outbound blocking is a bit more of a challenge using __only__ iptables since you can't block ip address ranges with iptable rules (directly). Here is what you want to block outbound: https://www.mobileread.com/forums/sho...93&postcount=1 Which (for address ranges) is easier to do with the routing table than iptables. Just replace the "from" address in the above post with "from 0/0" (any).
02-07-2012, 04:18 PM | #3
Junior Member
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 178.236.6.0/16 -j DROP
-A OUTPUT -d 23.0.0.0/12 -j DROP
-A OUTPUT -d 50.16.0.0/14 -j DROP
-A OUTPUT -d 72.21.192.0/19 -j DROP
-A OUTPUT -d 107.20.0.0/14 -j DROP
-A OUTPUT -d 184.72.0.0/15 -j DROP
-A OUTPUT -d 204.246.160.0/19 -j DROP
-A OUTPUT -d 205.251.192.0/18 -j DROP
-A OUTPUT -d 207.171.160.0/19 -j DROP
-A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
#-A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT (commented out)
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
---------- > rest untouched <------------------

Also used a packet sniffer / tcpdump / netstat on my FreeBSD router to track connections. I hope I didn't miss anything, including amazon.co.uk.

[root@kindle sysconfig]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             a23-0-0-0.deploy.akamaitechnologies.com/12
DROP       all  --  anywhere             ec2-50-16-0-0.compute-1.amazonaws.com/14
DROP       all  --  anywhere             72.21.192.0/19
DROP       all  --  anywhere             ec2-107-20-0-0.compute-1.amazonaws.com/14
DROP       all  --  anywhere             ec2-184-72-0-0.us-west-1.compute.amazonaws.com/15
DROP       all  --  anywhere             204.246.160.0/19
DROP       all  --  anywhere             ns-0.awsdns-00.com/18
DROP       all  --  anywhere             207.171.160.0/19
ACCEPT     all  --  anywhere             localhost.localdomain
[root@kindle sysconfig]#

Seems fine. THANK YOU!

later edit - I also checked all these files:
etc/hosts
etc/kdb.src/luigi/system/deamon/testd/proxy_host
etc/kdb.src/luigi/system/deamon/wand/NETWORK_TEST_DOMAIN
etc/sysconfig/ntp
Opt/amazon/ebook/config/browser_wv.conf
Opt/amazon/ebook/config/framework.fiona.conf
Opt/amazon/ebook/config/ServerConfig.conf
Opt/amazon/ebook/config/wrs.ini
All I did there is point amazon to 127.0.0.1 in hosts, and set the ntp daemon default time server to "time.nist.gov" (eliminating Amazon's one). I didn't bother to mess with the browser's settings because it fails to connect to Amazon anyway (iptables prohibited). Also - this was a recommendation from another post - here it's yoshi not luigi (build name, replace where needed).
Last edited by x64; 02-07-2012 at 04:25 PM. Reason: adding file edit details.
02-07-2012, 04:46 PM | #4
Junior Member
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
Sorry for the double post - can't edit, and I think this one is kind of weird.
Since I finished with my old Kindle (except the screen, which should be fixed sometime next week) ... I started work on my new one that arrived today, as I said. Moved all the books on it ... transferred books from my Amazon account on it ... and so on. I was prepared to start rooting this new device ... when I found ON the NEW Kindle ... a file called: " all_logs_as_of_Wed_Jun_01_2011_00_22_50.tar.gz " in the root of the "usb storage". I tar -xvzf that ... and surprise ... there are logs starting 1 Jun 2011 ... syslog, wtmp, connection logs ... and so on (basically all of /var/log). All the files have the correct permissions, and creation date 01 Jun 2011. How come? This is a "refurbished" device and they "forgot" the logs on it?? And if so, WHY? Why do they archive the logs? I really can't figure this out (just out of curiosity). The device looks really brand new ... Also ... they can't be logs from my old device somehow sent to my new one via Whispernet, since ... on my old device /var/log/messages for example ... is hardlinked to /dev/null ... so no logs. Also I didn't own (or activate) the old device in June 2011. I bought the first one in ... November or so. Weird ... really weird. I am rooting now ... maybe they "forgot" something interesting on it somewhere ...
02-07-2012, 04:48 PM | #5
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Ah, so - I was wrong, iptable rules do take address ranges.
I must have been reading a very, very old manual page. Sorry. You could put the blocking rules in output/postrouting. If you wanted to keep track of things, you could add -j ulog or -j log before each of the blocking rules. That would write a log line of the specific ip address(es) in a range that are being used. How I came up with the ranges was to do a 'whois' on each of the few addresses that I saw to find who and what size the address range belonged to. My reasoning being, it is fairly easy to change a domain name, or even a machine's address, but to buy another entire address range just to side-step a publicly posted block would be an unlikely thing for Amazon to do. Note 1: later in that thread the firmware does try to find IPv6 addresses - if you have IPv6 connectivity there, it might be best to limit the machine to IPv4 only. Note 2: It is very unlikely that this prevents 3G communications if your Kindle has 3G - that is a matter still to be dealt with.
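An added example, not code from either poster: a small offline checker for the OUTPUT DROP rules shown in #3, run on a PC or the router rather than on the Kindle. It normalises each -d range the way the kernel does (which is why 178.236.6.0/16 shows up as a /16 with host bits cleared), reports which range a given destination address would hit, and emits the LOG-before-DROP variant knc1 suggests in #5 so the syslog records which address in a range was actually contacted. The sample destination addresses are constructed, not taken from a capture.

```python
"""Offline check of the OUTPUT DROP rules posted in this thread (run on a PC, not the Kindle)."""
import ipaddress
import re

# Rules copied from post #3 (iptables-save format); 178.236.6.0/16 is kept exactly as typed.
POSTED_RULES = """\
-A OUTPUT -d 178.236.6.0/16 -j DROP
-A OUTPUT -d 23.0.0.0/12 -j DROP
-A OUTPUT -d 50.16.0.0/14 -j DROP
-A OUTPUT -d 72.21.192.0/19 -j DROP
-A OUTPUT -d 107.20.0.0/14 -j DROP
-A OUTPUT -d 184.72.0.0/15 -j DROP
-A OUTPUT -d 204.246.160.0/19 -j DROP
-A OUTPUT -d 205.251.192.0/18 -j DROP
-A OUTPUT -d 207.171.160.0/19 -j DROP
"""
DROP_RE = re.compile(r"^-A OUTPUT -d (\S+) -j DROP$")


def parse_drop_networks(rules_text):
    """Blocked networks as the kernel stores them: host bits cleared, so
    178.236.6.0/16 becomes 178.236.0.0/16 (what 'iptables --list' shows)."""
    nets = []
    for line in rules_text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def blocking_network(addr, nets):
    """Network whose DROP rule matches addr, or None if the packet would pass."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)


def with_logging(rules_text, prefix="amazon-block: "):
    """knc1's idea from #5: a LOG rule before each DROP records which address in
    a range is actually contacted (LOG does not stop rule traversal)."""
    out = []
    for line in rules_text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            out.append('-A OUTPUT -d %s -j LOG --log-prefix "%s"' % (m.group(1), prefix))
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    nets = parse_drop_networks(POSTED_RULES)
    for dst in ("72.21.194.1", "23.15.0.1", "23.16.0.1", "178.236.1.1", "8.8.8.8"):
        print(dst, "->", blocking_network(dst, nets) or "passes")
```

Feed it the destination addresses you see in tcpdump on the router; anything reported as "passes" is a candidate for a whois lookup and a new range.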
02-07-2012, 05:25 PM | #6
Junior Member
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
knc1, thank you for all your advice. Actually ... this is more your work than mine, since you pointed me in the right direction.
I will take care of IPv6 (didn't bother since I have only IPv4 connectivity here for now, and my router is not IPv6 enabled "yet"). I will take care of it anyway and post results. I noticed that the ppp adapter is "free". I commented out that also ... but the "experimental browser" gave an error when trying to display google.com. Don't know why. This way works fine. Anyway ... I am not worried. The new (and old) Kindles are 4 non-touch WITHOUT 3G. Also both have special offers (which I actually enjoy). Thank you again knc1 for your kindness.
02-07-2012, 05:40 PM | #7
Bah, humbug!
Posts: 39,073
Karma: 157049943
Join Date: Jun 2009
Location: Chesapeake, VA, USA
Device: Kindle Oasis, iPad Pro, & a Samsung Galaxy S9.
Doesn't Amazon want the old device returned? I've broken a couple of Kindles, and they always sent the new one with a request that I return the broken unit via the free return shipping they provided.
02-07-2012, 07:15 PM | #8
Junior Member
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
This is off-topic for the developer / technical corner but ...
On the warranty live chat the consultant told me that I NEED to send the old one back. In a few hours I got an email. This is a copy / paste from it ...
---------------------------------------------------------------
Hello <real name>, I'm sorry your Kindle isn't working. I'm sending you a replacement Kindle via Priority International Courier to get it to you as soon as possible. Here's some information about how your order was placed to avoid any delays in customs: I created the replacement order with charges and refunded your original order. The charge for this order is $, and the refund is in the same amount. Both the charge and refund will be applied to the credit card used on the original order. The refund will appear in the next 2-3 business days. If there are any additional customs fees when your Kindle is delivered, please fax us the VAT and customs forms indicating the amount you were charged, as well as a copy of the invoice for your order. Please fax these documents to us at 304-522-8017. You should receive a response within 3-5 business days. Here's your replacement order information: Order Number: <removed / private info> Estimated Delivery Date: Feb 3, 2012 - Feb 6, 2012 Please don't modify the replacement order in Your Account, as that may delay the replacement shipment. There is no need to return the defective Kindle. Damaged or defective products can often be disposed of free of charge at local municipal collection points. For more information about where you can drop off your waste equipment for recycling, please contact your local city office, waste authority, approved WEEE scheme or your household waste disposal service.
---------------------------------------------------------------
So ... to answer your question, or if you check what other people say about this ... some are required to ... some aren't. I guess it's the distance that matters. I am in eastern Europe ... and the costs for return (since THEY pay for that also) make this whole return transaction not really profitable.
I guess a consultant is assessing the situation and deciding if it's worth asking for the broken Kindle or not (economically). Bye bye again.
02-08-2012, 02:29 AM | #9
Bah, humbug!
Posts: 39,073
Karma: 157049943
Join Date: Jun 2009
Location: Chesapeake, VA, USA
Device: Kindle Oasis, iPad Pro, & a Samsung Galaxy S9.
Thanks for that. I'm in the U.S., and I suppose that does make a difference.
Back to your regularly scheduled topic.
11-01-2012, 10:04 AM | #10
Enthusiast
Posts: 44
Karma: 5666
Join Date: Dec 2011
Device: K3-3G, KT SO
Hi, I'm in exactly the same situation here. I've already changed the ntp server and firewall rules in /etc/sysconfig/iptables. I'm also faking Kindle registration (to have the ability to make collections),
but after reboot the firewall rules are not working (although they are visible in this file) - what is the problem? Another thing - how can I unlock the browser, so I can browse over wifi? Right now it's blocked (hangs up after I turn wifi on).

later: OK, I messed up something in the iptables file, so it didn't import correctly. A few things remain though:
- if I block Amazon IPs, wifi connects but doesn't show the WIFI icon (it is misleading) [I found something about it here: http://info.iet.unipi.it/~luigi/kind...indle-terminal -- but should I make a script which runs it every minute?]
- I cannot open the web browser - I want to use it, because I know one site from which I can download mobi files, which will be useful in this situation ...

later2:
- wifi icon is on (somehow it didn't add the default route to my router, but later it worked - the default route is in the route table, wifi icon is lit)
- I modified the browser files indicated above, but the web browser still didn't start ... the only file I haven't modified is Opt/amazon/ebook/config/framework.fiona.conf (I think other modifications influence this file ...)
Last edited by miguelos; 11-02-2012 at 08:02 AM.