Old 02-07-2012, 10:05 AM   #1
x64
Junior Member
 
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
Iptables Rule to Block Amazon access to Kindle 4 non-touch

Hey guys.

I have been reading this forum for months. Thank you again to all of the great community here for the great support!

I have a Kindle 4 non-touch which broke last week (without doing anything, the screen went all garbled and the lower part wasn't usable anymore).

Amazon warranty service sent me another one, which arrived today. You know the procedure ... they deregistered the old one and registered the new one in my account. All went well.

Today I ordered a "replacement kindle 4 screen" from alibaba (some components ??? website).

My old Kindle is rooted (THANK YOU guys again).

IF I fix the screen (repair the screen), I know I can still use the old one (without registering with Amazon) by transferring books via USB from my computer, BUT I need a viable way to BLOCK all traffic to and from amazon.com. Searching the internet I've seen some people saying that Amazon will "brick" my old device. Some people say they will "push an update OTA"... well ... a lot of opinions.

I want to BLOCK Amazon access to my device permanently but allow internet access to any other website (e.g. Wikipedia / Google ... whatever). I've found a K3 related post here ... but altering the route with route add default deny ... won't work for me (I would like more than local LAN access).

My question is actually NOT about the iptables rules, but about the IPs / addresses that I need to filter out. I will write the DROP rules myself.

Thank you so much again!
Old 02-07-2012, 10:34 AM   #2
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote: Originally Posted by x64 (post #1)
Inbound connections can be blocked with the usual rule of not allowing NEW connections.
I have seen postings of various Kindle 'stock' iptables rules that have one or more destination ports open (--dport 4xxxx -j ACCEPT).
Getting rid of those will handle inbound blocking.

Outbound blocking is a bit more of a challenge using __only__ iptables, since you can't block IP address ranges with iptables rules (directly).

Here is what you want to block outbound:
https://www.mobileread.com/forums/sho...93&postcount=1

Which (for address ranges) is easier to do with the routing table than iptables.
Just replace the "from" address in the above post with "from 0/0" (any).
Old 02-07-2012, 04:18 PM   #3
x64
Junior Member
 
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# outbound: drop everything headed for the address ranges found so far
# (note: iptables applies the /16 mask itself, so the first rule matches 178.236.0.0/16)
-A OUTPUT -d 178.236.6.0/16 -j DROP
-A OUTPUT -d 23.0.0.0/12 -j DROP
-A OUTPUT -d 50.16.0.0/14 -j DROP
-A OUTPUT -d 72.21.192.0/19 -j DROP
-A OUTPUT -d 107.20.0.0/14 -j DROP
-A OUTPUT -d 184.72.0.0/15 -j DROP
-A OUTPUT -d 204.246.160.0/19 -j DROP
-A OUTPUT -d 205.251.192.0/18 -j DROP
-A OUTPUT -d 207.171.160.0/19 -j DROP

# inbound: only ssh over wifi plus replies to connections the Kindle opened;
# the stock ppp0 port-40317 accept rule is commented out
-A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
#-A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

---------- > rest untouched <------------------

I also used a packet sniffer / tcpdump / netstat on my FreeBSD router to track connections. I hope I didn't miss anything, including amazon.co.uk.


[root@kindle sysconfig]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere a23-0-0-0.deploy.akamaitechnologies.com/12
DROP all -- anywhere ec2-50-16-0-0.compute-1.amazonaws.com/14
DROP all -- anywhere 72.21.192.0/19
DROP all -- anywhere ec2-107-20-0-0.compute-1.amazonaws.com/14
DROP all -- anywhere ec2-184-72-0-0.us-west-1.compute.amazonaws.com/15
DROP all -- anywhere 204.246.160.0/19
DROP all -- anywhere ns-0.awsdns-00.com/18
DROP all -- anywhere 207.171.160.0/19
ACCEPT all -- anywhere localhost.localdomain
[root@kindle sysconfig]#


Seems fine.

THANK YOU!


Later edit: I also checked all these files:

etc/hosts
etc/kdb.src/luigi/system/deamon/testd/proxy_host
etc/kdb.src/luigi/system/deamon/wand/NETWORK_TEST_DOMAIN
etc/sysconfig/ntp
Opt/amazon/ebook/config/browser_wv.conf
Opt/amazon/ebook/config/framework.fiona.conf
Opt/amazon/ebook/config/ServerConfig.conf
Opt/amazon/ebook/config/wrs.ini

All I did there is point Amazon to 127.0.0.1 in hosts, and set the ntp daemon's default time server to "time.nist.gov" (eliminating Amazon's one). I didn't bother to mess with the browser's settings because it fails to connect to Amazon anyway (iptables prohibits it). Also, this was a recommendation from another post; here it's yoshi, not luigi (replace the build name where needed).

Last edited by x64; 02-07-2012 at 04:25 PM. Reason: adding file edit details.
Old 02-07-2012, 04:46 PM   #4
x64
Junior Member
 
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
Sorry for the double post; I can't edit, and I think this one is kind of weird.

Since I finished with my old Kindle (except the screen, which should be fixed sometime next week) ... I started work on my new one that arrived today, as I said.
Moved all the books onto it ... transferred books from my Amazon account onto it ... and so on.

I was prepared to start rooting this new device ... when I found ON the NEW Kindle ... a file called "all_logs_as_of_Wed_Jun_01_2011_00_22_50.tar.gz" in the root of the "usb storage".

I tar -xvzf'd that ... and surprise... there are logs starting 1 Jun 2011 ... syslog, wtmp, connection logs ... and so on (basically all of /var/log). All the files have the correct permissions, and creation date 01 Jun 2011.

How come? This is a "refurbished" device and they "forgot" the logs on it?? And if so, WHY? Why do they archive the logs? I really can't figure this out (just out of curiosity). The device looks really brand new ...

Also ... they can't be logs from my old device somehow sent to my new one via Whispernet, since ... on my old device /var/log/messages, for example ... is hardlinked to /dev/null ... so no logs.

Also, I didn't own (or activate) the old device in June 2011. I bought the first one in ... November or so.

Weird ... really weird. I am rooting now ... maybe they "forgot" something interesting on it somewhere ...
Old 02-07-2012, 04:48 PM   #5
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Ah, so I was wrong; iptables rules do take address ranges.

I must have been reading a very, very old manual page. Sorry.

You could put the blocking rules in OUTPUT/POSTROUTING.

If you wanted to keep track of things, you could add -j ULOG or -j LOG before each of the blocking rules.
That would write a log line with the specific IP address(es) in a range that are being used.

How I came up with the ranges was to do a 'whois' on each of the few addresses that I saw, to find who the address range belonged to and what size it was.

My reasoning being: it is fairly easy to change a domain name, or even a machine's address, but buying another entire address range just to side-step a publicly posted block would be an unlikely thing for Amazon to do.

Note 1: later in that thread, the firmware does try to find IPv6 addresses.
If you have IPv6 connectivity there, it might be best to limit the machine to IPv4 only.

Note 2: It is very unlikely that this prevents 3G communications if your Kindle has 3G; that is a matter still to be dealt with.
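The following script is an added example, not code from the thread or from the Kindle firmware. It ties together knc1's advice in posts #2 and #5 and the ruleset in post #3: INPUT policy DROP so no NEW inbound connections get in, a LOG rule in front of each outbound DROP so syslog shows which address inside a range the firmware actually contacted, and a check that every range is written canonically (host bits clear), which flags the 178.236.6.0/16 entry from post #3. It assumes a sh whose $(( )) arithmetic accepts hex constants (dash, bash and busybox ash do) and covers IPv4 only; knc1's Note 1 would need the same shape under ip6tables.

```shell
#!/bin/sh
# Added example, not code from the thread or the Kindle firmware: emit an
# iptables-restore file that blocks inbound NEW connections and LOGs, then
# DROPs, outbound traffic to each listed IPv4 range. Each range is checked
# for host bits first; iptables would silently mask them (178.236.6.0/16
# matches as 178.236.0.0/16). Assumes sh arithmetic with hex constants.

# Dotted quad -> 32-bit integer (runs in a subshell so IFS is not clobbered).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Canonical network for a.b.c.d/n, i.e. with the host bits cleared.
cidr_network() {
    addr=${1%/*}; pfx=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - $pfx)) & 0xFFFFFFFF ))
    net=$(( $(ip2int "$addr") & mask ))
    echo "$(int2ip "$net")/$pfx"
}

# Exit status 0 when the range is already written canonically.
cidr_is_canonical() {
    [ "$(cidr_network "$1")" = "$1" ]
}

# One LOG + DROP pair per range. The LOG line (kernel facility in syslog)
# records which address inside the range the firmware actually contacted.
make_rules() {
    for cidr in "$@"; do
        if ! cidr_is_canonical "$cidr"; then
            echo "error: $cidr has host bits set; did you mean $(cidr_network "$cidr")?" >&2
            return 1
        fi
        echo "-A OUTPUT -d $cidr -j LOG --log-prefix \"blocked-out: \""
        echo "-A OUTPUT -d $cidr -j DROP"
    done
}

# Complete filter table: INPUT policy DROP (so no NEW inbound connections),
# loopback and reply traffic allowed in, then the outbound block list.
make_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    make_rules "$@" || return 1
    echo "COMMIT"
}
```

Run it as `make_ruleset 23.0.0.0/12 72.21.192.0/19 > /tmp/iptables.new`, read the file, then load it with `iptables-restore < /tmp/iptables.new`; the script refuses to emit anything for a range with host bits set and prints the canonical form instead.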
Old 02-07-2012, 05:25 PM   #6
x64
Junior Member
 
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
knc1, thank you for all your advice. Actually ... this is more your work than mine, since you pointed me in the right direction.

I will take care of IPv6 (I didn't bother since I have only IPv4 connectivity here for now, and my router is not IPv6 enabled "yet"). I will take care of it anyway and post results.

I noticed that the ppp adapter is "free". I commented that out also... but the "experimental browser" gave an error when trying to display google.com. Don't know why. This way it works fine.

Anyway ... I am not worried. The new (and old) Kindles are 4 non-touch WITHOUT 3G. Also both have special offers (which I actually enjoy).

Thankyou again knc1 for your kindness.
Old 02-07-2012, 05:40 PM   #7
WT Sharpe
Bah, humbug!
Posts: 39,073
Karma: 157049943
Join Date: Jun 2009
Location: Chesapeake, VA, USA
Device: Kindle Oasis, iPad Pro, & a Samsung Galaxy S9.
Doesn't Amazon want the old device returned? I've broken a couple of Kindles, and they always sent the new one with a request that I return the broken unit via the free return shipping they provided.
Old 02-07-2012, 07:15 PM   #8
x64
Junior Member
 
Posts: 5
Karma: 10
Join Date: Feb 2012
Device: K4 Non-Touch
This is off-topic for the developer / technical corner, but ...

On the warranty live chat, the consultant told me that I NEED to send the old one back.

In a few hours I got an email. This is a copy / paste from it ...


---------------------------------------------------------------

Hello <real name>,

I'm sorry your Kindle isn't working. I'm sending you a replacement Kindle via Priority International Courier to get it to you as soon as possible.

Here's some information about how your order was placed to avoid any delays in customs:

I created the replacement order with charges and refunded your original order. The charge for this order is $, and the refund is in the same amount. Both the charge and refund will be applied to the credit card used on the original order. The refund will appear in the next 2-3 business days.

If there are any additional customs fees when your Kindle is delivered, please fax us the VAT and customs forms indicating the amount you were charged, as well as a copy of the invoice for your order. Please fax these documents to us at 304-522-8017. You should receive a response within 3-5 business days.

Here's your replacement order information:

Order Number: <removed / private info>

Estimated Delivery Date: Feb 3, 2012 - Feb 6, 2012

Please don't modify the replacement order in Your Account, as that may delay the replacement shipment.

There is no need to return the defective Kindle. Damaged or defective products can often be disposed of free of charge at local municipal collection points. For more information about where you can drop off your waste equipment for recycling, please contact your local city office, waste authority, approved WEEE scheme or your household waste disposal service.

So ... to answer your question, or if you check what other people say about this ... some are required to ... some aren't. I guess it's the distance that matters. I am in eastern Europe ... and the costs for return (since THEY pay for that also) make this whole return transaction not really profitable. I guess a consultant is assessing the situation and deciding if it's worth asking for the broken Kindle or not (economically).

Bye bye again.
Old 02-08-2012, 02:29 AM   #9
WT Sharpe
Bah, humbug!
Posts: 39,073
Karma: 157049943
Join Date: Jun 2009
Location: Chesapeake, VA, USA
Device: Kindle Oasis, iPad Pro, & a Samsung Galaxy S9.
Thanks for that. I'm in the U.S., and I suppose that does make a difference.

Back to your regularly scheduled topic.
Old 11-01-2012, 10:04 AM   #10
miguelos
Enthusiast
 
Posts: 44
Karma: 5666
Join Date: Dec 2011
Device: K3-3G, KT SO
Hi, I'm in exactly the same situation here. I've already changed the ntp server and the firewall rules in /etc/sysconfig/iptables. I'm also faking Kindle registration (to have the ability to make collections),
but after reboot the firewall rules are not working (although they are visible in this file). What is the problem?
Another thing: how can I unlock the browser so I can browse over wifi? Right now it's blocked (hangs up after I turn wifi on).

later:
OK, I messed up something in the iptables file, so it didn't import correctly.

A few things remain though:
- if I block Amazon IPs, wifi connects but doesn't show the WIFI icon (it is misleading)
[I found something about it here: http://info.iet.unipi.it/~luigi/kind...indle-terminal -- but should I make a script which runs it every minute?]

- I cannot open the web browser. I want to use it, because I know one site from which I can download mobi files, which will be useful in this situation.

later2:
- the wifi icon is on (somehow it didn't add the default route to my router, but later it worked: the default route is in the route table, and the wifi icon is lit)
- I modified the browser files indicated above, but the web browser still didn't start.

The only file I haven't modified is
Opt/amazon/ebook/config/framework.fiona.conf

(I think other modifications influence this file.)

Last edited by miguelos; 11-02-2012 at 08:02 AM.