Old 02-06-2013, 12:30 PM   #1
knc1
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Managing the Kindle firewall

This thread is a continuation of the Kindle basics of ssh/scp thread at:
https://www.mobileread.com/forums/sho...d.php?t=204942

This thread is also based on materials in the following threads:


Reference:
The *nix command crib-sheet linked to from this thread: https://www.mobileread.com/forums/sho...d.php?t=204534
NOTE: The version of those commands provided by Busybox on the Kindle usually only have a limited sub-set of the command features described in the crib-sheet.

Conditions:
In the prior thread on the basics of ssh/scp on the Kindle, you learned how to remove the banner and do remotely executed programs via ssh.
In the prior thread on the Linux firewall tables, you found there are no restrictions on the USB0 interface. You also read about the restrictions present on packets originating on the wlan0 (and 3G) interfaces.

You made note of the sequence required to start/stop USBnetwork, from the spoiler in the USBnetworking thread, which is repeated in the spoiler here:
Spoiler:

Quote:
This order should work on all firmware versions.
Early firmwares, v-2 and v-3 may also work with the cable attached.
  • un-plug cable (if still plugged in)
  • toggle USBnetwork ON in launcher
  • plug the cable
  • kill any automation (or configure yours to do: )
  • sudo ip link set up dev usb0 (It may already be up)
  • sudo ip address add 192.168.15.201 peer 192.168.15.244 dev usb0
  • use the networking until you're done (telnet ken1 OR ssh kpw)
  • un-plug cable
  • toggle USBnetwork OFF in launcher


You may or may not have configured your network automation to automatically bring up the link and set the point-to-point address that you are using on your host PC.
There are a number of network automation things used by the various Linux distributions, refer to your distribution information on how to set up yours (not here, your distro's help forum).
Windows and MacOSx also have provisions for automating the host connection setup.

Crank-up your USB networked Kindle (a Kpw-5.3.3 used here) and be sure things are still working the way we left them (connection details by nickname, no banner from dropbear):
Code:
core2quad ~ $ ssh kpw
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]#
It LIVES!
You can leave that connection up for your own exploring during the rest of this post.

The first thing we discover is that iptables can not be run remotely because of a "not found" condition.
The PATH=$PATH work-around:
Spoiler:

Find out why (check the remote shell environment):
Code:
core2quad ~ $ ssh kpw "set"
HOME='/tmp/root'
IFS=' 	
'
KINDLE_TZ='GMT-06:00'
LANG='en_US.utf8'
LC_ALL='en_US.utf8'
LOGNAME='root'
PATH='/usr/bin:/bin'
PPID='17801'
PS1='\w \$ '
PS2='> '
PS4='+ '
PWD='/var/tmp/root'
SHELL='/bin/sh'
SSH_CONNECTION='192.168.15.201 35635 192.168.15.244 22'
USER='root'
The PATH variable has been a bit "over trimmed" for our liking.
So until that gets a more permanent fix, we will just re-set it in each remote command:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; set"
HOME='/tmp/root'
IFS=' 	
'
KINDLE_TZ='GMT-06:00'
LANG='en_US.utf8'
LC_ALL='en_US.utf8'
LOGNAME='root'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games'
PPID='17803'
PS1='\w \$ '
PS2='> '
PS4='+ '
PWD='/var/tmp/root'
SHELL='/bin/sh'
SSH_CONNECTION='192.168.15.201 35636 192.168.15.244 22'
USER='root'
A "funky, shouldn't work but it does" re-setting of the environment PATH.


Get a current listing of how the three primary chains in the filter table are currently setup:
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL"
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            tcp dpt:40317 
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  wlan0  any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  wlan0  any     anywhere             anywhere            state ESTABLISHED 
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            state ESTABLISHED 
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp spt:40317 
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp spt:49317 
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp spt:33434 
 5696   32M ACCEPT     all  --  lo     any     localhost.localdomain  anywhere            
10795  832K ACCEPT     all  --  usb0   any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7717 packets, 1300K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5696   32M ACCEPT     all  --  any    lo      anywhere             localhost.localdomain 
core2quad ~ $
The "how to read that" thread is here: https://www.mobileread.com/forums/sho...d.php?t=204676

Now let's compare that with the stored system configuration file supplied by lab126 (on Kpw-5.3.3):
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; cat /etc/sysconfig/iptables"

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# TCP handling. Allow incoming TCP TPH on WAN
-A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT 
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 

# UDP Handling. Only allow device initiated connections.
-A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -i ppp0 -p udp -m state --state ESTABLISHED -j ACCEPT 
# ALLOW UDP PINs ports for TPHv3.0
-A INPUT -i ppp0 -p udp --sport 40317 -j ACCEPT
-A INPUT -i ppp0 -p udp --sport 49317 -j ACCEPT
-A INPUT -i ppp0 -p udp --sport 33434 -j ACCEPT

# Loopback. All traffic allowed.
-A INPUT -i lo -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Usbnet. All traffic allowed.
-A INPUT -i usb0 -j ACCEPT 

# ICMP. Allow only responses to local connections
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT 

COMMIT
core2quad ~ $
Where does a configuration file like that come from?
Code:
core2quad ~ $ ssh kpw "PATH=$PATH ; iptables-save"
# Generated by iptables-save v1.3.8 on Wed Feb  6 13:21:59 2013
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7981:1338955]
-A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT 
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -i ppp0 -p udp -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -i ppp0 -p udp -m udp --sport 40317 -j ACCEPT 
-A INPUT -i ppp0 -p udp -m udp --sport 49317 -j ACCEPT 
-A INPUT -i ppp0 -p udp -m udp --sport 33434 -j ACCEPT 
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT 
-A INPUT -i usb0 -j ACCEPT 
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT 
COMMIT
# Completed on Wed Feb  6 13:21:59 2013
It is originally created by a utility that snapshots the kernel's firewall rules.
This output would include the secondary and user-defined chains if they were in use.

There is a corresponding iptables-restore utility.
The one shipped with the version 5.3.3 firmware is terribly broken. Earlier Kindle firmwares are probably as bad or worse.

You can see that one possible work-flow in defining a custom firewall is to build it up one rule, one chain at a time; test until tired; save it in a file; edit in comments of why you did what you did (which looks like how lab126 did it).

The three kernel network control bits of most interest here are:
Code:
# Packet forwarding : 0 == Disable, 1 == Enable
core2quad ~ $ ssh kpw "cat /proc/sys/net/ipv4/ip_forward"
0

# IPv4 dynamic address rewrite : 0 == Disable, 1 == Enable, 2 == Enable&Log
core2quad ~ $ ssh kpw "cat /proc/sys/net/ipv4/ip_dynaddr"
0

# Make multiple, physical paths work as one logical network
# 0 == Disable, 1 == Enable
core2quad ~ $ ssh kpw "cat /proc/sys/net/ipv4/conf/all/proxy_arp"
0
Translation of all the above:
The Kindle kernel firewall **as shipped** is intended to keep out everything except Amazon by wireless (Wifi & 3G) and allow the owner in, only if directly wired to the Kindle by the USB cable.
None of the other common IPv4 things are supported, nor is IPv6.

By default, the iptables list function only lists the three chains in the filter table.
There are three (or four in new kernels) tables: filter, mangle, nat (and some kernels: raw).
There are more chains than what is shown by default, in a quick summary:
Mangle
  • PREROUTING
  • INPUT
  • FORWARD
  • OUTPUT
  • POSTROUTING

Nat
  • PREROUTING
  • POSTROUTING
  • OUTPUT

Filter
  • INPUT
  • FORWARD
  • OUTPUT

Raw <- if your kernel has this one.
  • PREROUTING
  • OUTPUT

Any of which may have user-defined chains added to them.
For more than you ever wanted to know on this subject, including a pretty picture of where the packets go, see:
http://www.frozentux.net/iptables-tu...ERSINGOFTABLES

From the packet flow-chart in the above linked page, it can be seen that if we want to block packets generated by local processes, then the OUTPUT chain of the FILTER table is where we want to put our rules.

Thread on the (K3 old and Kpw new) address ranges to block, see:
https://www.mobileread.com/forums/sho...d.php?t=200475

Are we still connected?
What interfaces are up now and how is our battery condition?
Code:
core2quad usb-0.7.N $ ssh kpw "echo -n 'Charge: ' ; gasgauge-info -c ; echo -n 'Load: ' ; gasgauge-info -l"
Charge: 98%
Load: 185 mA
core2quad usb-0.7.N $ ssh kpw "ip -o link | cut -f 2,9 -d ' ' "
lo: UNKNOWN
usb0: UP
Before we mess with the kernel's firewall tables, take a look at the above report on how they are currently setup.
Notice the nice little set of counters on everything. They can help you in finding out what is happening in the firewall part of the network stack.

In addition, there are rules that only count matching packets and rules that only log matching packets.

Due to the need to support user comments and Model/Firmware related iptables-save reports, the BBB (Block Big Brother) section of this post has been moved to a thread of its own, see: https://www.mobileread.com/forums/sho...d.php?t=205224

Last edited by knc1; 02-08-2013 at 10:24 AM.
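The parts of the post above that lend themselves to practice on the host PC, with no Kindle attached, are reading an iptables-save dump, the difference between count-only, log-only and dropping rules, and the "build it up one rule, one chain at a time" workflow. The following shell script is an added example, not code from this thread and not part of knc1's kWall: it embeds the 5.3.3 iptables-save output shown above as a constructed sample (counters zeroed), reports each built-in chain's policy and rule count, flags any interface that receives an INPUT ACCEPT with no protocol, state, address or port qualifier (the usb0 line, which is what "allow the owner in only over the cable" looks like in rule form), and prints the iptables commands for an OUTPUT-side blocking chain. The chain name BBB, the function names and the RFC 5737 documentation addresses are assumptions of this example; the real address ranges are in the thread linked above and are not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump
# offline and emit the one-rule-at-a-time commands for an OUTPUT-side
# blocking chain. Only text tools are used (awk, sed, printf), so it runs
# on the host PC without touching a Kindle.

# Constructed sample: the filter table as iptables-save printed it on the
# Kpw-5.3.3 in the post above, with the OUTPUT counters zeroed.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 40317 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 49317 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 33434 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -i usb0 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
COMMIT'

# chain_policy DUMP CHAIN -> default policy of a built-in chain,
# read from its ":INPUT DROP [0:0]" header line.
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# rule_count DUMP CHAIN -> number of "-A CHAIN ..." rules in the dump.
rule_count() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }'
}

# open_interfaces DUMP -> interfaces whose INPUT rule is "-i IFACE -j ACCEPT"
# with no protocol, state, address or port qualifier. On the dump above only
# usb0 matches; every wlan0/ppp0 rule carries a qualifier.
open_interfaces() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            iface = ""; target = ""; qualified = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "-p" || $i == "-m" || $i == "-s" || $i == "-d" || $i == "--dport" || $i == "--sport" || $i == "--state") qualified = 1
            }
            if (iface != "" && target == "ACCEPT" && !qualified) print iface
        }'
}

# block_chain_commands IFACE ADDR... -> the iptables commands that build an
# OUTPUT-side blocker one rule at a time: a user chain BBB (assumed name)
# hung off OUTPUT for IFACE, then per address a count-only rule (no -j, so
# the only effect is the counter shown by "iptables -vnL"), a LOG rule, and
# the DROP. Addresses are whatever the caller passes in.
block_chain_commands() {
    iface=$1
    shift
    printf 'iptables -N BBB\n'
    printf 'iptables -A OUTPUT -o %s -j BBB\n' "$iface"
    for addr in "$@"; do
        printf 'iptables -A BBB -d %s\n' "$addr"
        printf 'iptables -A BBB -d %s -j LOG --log-prefix "BBB: "\n' "$addr"
        printf 'iptables -A BBB -d %s -j DROP\n' "$addr"
    done
}

# Demo run on the sample dump; the RFC 5737 documentation ranges are
# constructed placeholders, not the thread's real address list.
echo "INPUT policy:        $(chain_policy "$SAMPLE_SAVE" INPUT)"
echo "INPUT rules:         $(rule_count "$SAMPLE_SAVE" INPUT)"
echo "unqualified ACCEPT:  $(open_interfaces "$SAMPLE_SAVE")"
block_chain_commands wlan0 192.0.2.0/24 198.51.100.0/24
```

The generated commands can be applied over the same ssh connection the post uses, with the PATH reset at the front, for example `block_chain_commands wlan0 <your ranges> | ssh kpw "PATH=$PATH ; sh"`, and inspected afterwards with `iptables -vnL OUTPUT` and `iptables -vnL BBB`. The count-only rule is the one to watch first: if its counter climbs while the device is idle, the matching traffic is really there, and only then does the DROP below it earn its place. If the Kindle kernel lacks the LOG target, that one rule fails to load and the counting and DROP rules still work.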
Old 02-07-2013, 08:30 AM   #2
knc1
The BBB work-around now has a thread of its own: https://www.mobileread.com/forums/sho...d.php?t=205224

After long conversations with the "Button Man" (twobob) - - -

I have decided to end this tutorial on managing the Kindle firewall with the (manual) addition of the "Big Brother Blocker" rules.

The file system structure will probably not make any sense in terms of just one OUTPUT chain fragment (BBB) but it will reflect that of the upcoming "kWall" application.

Last edited by knc1; 02-08-2013 at 10:24 AM.
Old 02-07-2013, 06:08 PM   #3
knc1
It's soup.

OK world, your Kpw can now be equipped with a "Big Brother Block".

Until certain technical difficulties are overcome by twobob and myself, you have to "do it by hand" as shown above.
Old 02-07-2013, 06:58 PM   #4
twobob
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
Excellent thread. Will dig through this again and again no doubt. Thanks!