KUAL Firewall with BBB filter

[baalajimaestro]

Quote:

Originally Posted by sammayor

Rules are added for WiFi only

How to use this sir...
Please help me....

[ivegotkindle]

Can I whitelist a certain IP in the rules? If yes, how?


Thank you!

edit:

I've try to enable the firewall but it returns error

Quote:

FATAL: Module ip_tables not found.
iptables-restore v1.4.15: iptables-restore: unable to initialize table 'filter'

Error occurred at line: 5
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Failed to install basic BBB firewall!

[knc1]

Quote:

Originally Posted by ivegotkindle

Can I whitelist a certain IP in the rules? If yes, how?


Thank you!

edit:

I've try to enable the firewall but it returns error

Your Kindle must be jail broken.
You must have KUAL installed.

Read the directions.
Read /extensions/bbb/frags/fw-base.txt -
Every entry whitelists or blacklists one or more IP addresses. Hint: look for the words "ACCEPT" and "DROP".
You should be able to figure out how to add one with that many examples.

[ivegotkindle]

Quote:

Originally Posted by knc1

Your Kindle must be jail broken.
You must have KUAL installed.

Read the directions.
Read /extensions/bbb/frags/fw-base.txt -
Every entry whitelists or blacklists one or more IP addresses. Hint: look for the words "ACCEPT" and "DROP".
You should be able to figure out how to add one with that many examples.

Jailbroken, KUAL installed, I can even ssh into it. That error log is the content of BBB-LastAction.txt. The existence of that log file is a proof that the script itself was able to run but somehow its returning some error that I didn't understand.

--

My question is, if the fw-base content is 35.176.0.0/13 --> its gonna block ip from 35.176.0.1 to 35.183.255.254 right? Then, if I for example, want to whitelist one IP address 35.176.1.1: should I just make a new entry with that IP or should I change the whole IP range (just add that specific IP or edit 35.176.0.0/13)?

Or to rephrase the question: Can a rule override another (if placed after the whole ip range rules of course)?

--

Quote:

-A wlan-out -d 35.176.0.0/13 -j DROP
-A wlan-out -d 35.176.1.1 -j ACCEPT

Will that block 35.176.0.1 to 35.183.255.254 WHILE passing 35.176.1.1?

[knc1]

Quote:

Originally Posted by ivegotkindle

Jailbroken, KUAL installed, I can even ssh into it. That error log is the content of BBB-LastAction.txt. The existence of that log file is a proof that the script itself was able to run but somehow its returning some error that I didn't understand.

--

My question is, if the fw-base content is 35.176.0.0/13 --> its gonna block ip from 35.176.0.1 to 35.183.255.254 right? Then, if I for example, want to whitelist one IP address 35.176.1.1: should I just make a new entry with that IP or should I change the whole IP range (just add that specific IP or edit 35.176.0.0/13)?

Or to rephrase the question: Can a rule override another (if placed after the whole ip range rules of course)?

--



Will that block 35.176.0.1 to 35.183.255.254 WHILE passing 35.176.1.1?

They are executed in order, top to bottom.
So reverse the order you just wrote them in.
I.E: In the order you wrote them in, *.1.1 would have been dropped before it got to the next rule to be accepted.

[ivegotkindle]

Quote:

Originally Posted by knc1

They are executed in order, top to bottom.
So reverse the order you just wrote them in.
I.E: In the order you wrote them in, *.1.1 would have been dropped before it got to the next rule to be accepted.

Ah I got it, so it's behaving like Windows' hosts file

Thank you very much!

[pavel-s]

Is it still working in 2019? Will it block OTA updates? Does it have conflicts with KUAL -> Helper+ > Prevent OTA?

[knc1]

Quote:

Originally Posted by pavel-s

Is it still working in 2019? Will it block OTA updates? Does it have conflicts with KUAL -> Helper+ > Prevent OTA?

Mostly, since Kindles do not (yet) support IPv6, meaning Amazon is stuck with the same IPv4 allocations that it had six years ago.

Did at the time and probably still does but it should really be tested again.

None.

[pavel-s]

Quote:

Originally Posted by knc1

Mostly, since Kindles do not (yet) support IPv6, meaning Amazon is stuck with the same IPv4 allocations that it had six years ago.

Did at the time and probably still does but it should really be tested again.

None.

Sounds good. And thanks for the explanation!

Oh, it seems like it's using static IPs\subnets - not sure how often they can be changed or already changed. It may make sense to figure out amazon servers URIs (if any on a kindle).

I'm wondering if there is an easy way to log requests (especially ones that happen during receiving kindle updates) and automatically update the rules.

[knc1]

Quote:

Originally Posted by pavel-s

Sounds good. And thanks for the explanation!

Oh, it seems like it's using static IPs\subnets - not sure how often they can be changed or already changed. It may make sense to figure out amazon servers URIs (if any on a kindle).

I'm wondering if there is an easy way to log requests (especially ones that happen during receiving kindle updates) and automatically update the rules.

I am pretty sure that I included the reference for each block.
Those are the blocks assigned by IANA for Amazon's use.
Since all of the IPv4 blocks where assigned years ago, with none available for new assignment, it is unlikely that Amazon will be buying any new blocks.


There is a market among owners of assigned blocks (like when a company goes out of business and sells off their block), but it isn't all that frequent.


I have heard that Amazon has acquired one new assigned block since the table was last updated.
But neither I nor anyone else has had the time to go through the Amazon assignments since the table was created.


Maybe I should publish an update at least once every six years, but don't bet on it.


The table exists inside of visible USB storage and the package contains all the information needed to change/update that table.

[pavel-s]

Quote:

Originally Posted by knc1

I am pretty sure that I included the reference for each block.
Those are the blocks assigned by IANA for Amazon's use.
Since all of the IPv4 blocks where assigned years ago, with none available for new assignment, it is unlikely that Amazon will be buying any new blocks.


There is a market among owners of assigned blocks (like when a company goes out of business and sells off their block), but it isn't all that frequent.


I have heard that Amazon has acquired one new assigned block since the table was last updated.
But neither I nor anyone else has had the time to go through the Amazon assignments since the table was created.


Maybe I should publish an update at least once every six years, but don't bet on it.


The table exists inside of visible USB storage and the package contains all the information needed to change/update that table.

This is a cool way of thinking. I've never thought about it as of assigned blocks. Thanks.

[lordeagle]

Is there today any shared approach to auto-enable the iptables after a reboot?
Usbnetwork and Cover services seem to be capable of clutching into the bootstrap of the device.
So can't I just call 'mnt/us/extensions/bbb/bin/load-bbb.sh' somewhere? I'm a little afraid that I'll do a reboot somewhen and forget to re-apply the rules. Any ideas?

[NiLuJe]

That's upstart's job (pun intended) on the Kindle, and I suggest being fairly familiar both with upstart and the Kindle's fairly insane depgraph so that you don't screw it up, because screwing it up *will* soft-brick it.

[everrest]

I get the following error in my last action log.

FATAL:Module ip_tables not found.
iptables-restore v.1.4.15: iptables-restore: unable to initialize table 'filter'

Error occured at line: 5
Try 'iptables-restore -h' or 'iptables-restore --help' for more information.

Failed to install basic BBB firewall!

[NiLuJe]

Look at the age of the thread, maybe?

(Also, fix your device info block. "Kindle" doesn't help anyone, we're up to 122 variants and counting).