02-06-2013, 12:30 PM | #1 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Managing the Kindle firewall
This thread is a continuation of the Kindle basics of ssh/scp thread at:
https://www.mobileread.com/forums/sho...d.php?t=204942

This thread is also based on materials in the following threads:
Reference: The *nix command crib-sheet linked to from this thread: https://www.mobileread.com/forums/sho...d.php?t=204534

NOTE: The version of those commands provided by Busybox on the Kindle usually has only a limited sub-set of the command features described in the crib-sheet.

Conditions: In the prior thread on the basics of ssh/scp on the Kindle, you learned how to remove the banner and run remotely executed programs via ssh. In the prior thread on the Linux firewall tables, you found there are no restrictions on the USB0 interface. You also read about the restrictions present on packets originating on the wlan0 (and 3G) interfaces. You made note of the sequence required to start/stop USBnetwork, from the spoiler in the USBnetworking thread, which is repeated in the spoiler here:

Spoiler:
You may or may not have configured your network automation to automatically bring up the link and set the point-to-point address that you are using on your host PC. There are a number of network automation things used by the various Linux distributions; refer to your distribution information on how to set up yours (not here, your distro's help forum). Windows and MacOSX also have provisions for automating the host connection setup.

Crank up your USB networked Kindle (a Kpw-5.3.3 used here) and be sure things are still working the way we left them (connection details by nickname, no banner from dropbear):

Code:
    core2quad ~ $ ssh kpw
    #################################################
    #  N O T I C E  *  N O T I C E  *  N O T I C E  #
    #################################################
    Rootfs is mounted read-only. Invoke mntroot rw to
    switch back to a writable rootfs.
    #################################################
    [root@kindle root]#

You can leave that connection up for your own exploring during the rest of this post.

The first thing we discover is that iptables cannot be run remotely because of a "not found" condition. The PATH=$PATH work-around:

Spoiler:
Get a current listing of how the three primary chains in the filter table are currently set up:

Code:
    core2quad ~ $ ssh kpw "PATH=$PATH ; iptables -vnL"
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source                 destination
        0     0 ACCEPT     tcp  --  ppp0   any     anywhere               anywhere            tcp dpt:40317
        0     0 ACCEPT     tcp  --  ppp0   any     anywhere               anywhere            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  wlan0  any     anywhere               anywhere            state RELATED,ESTABLISHED
        0     0 ACCEPT     udp  --  wlan0  any     anywhere               anywhere            state ESTABLISHED
        0     0 ACCEPT     udp  --  ppp0   any     anywhere               anywhere            state ESTABLISHED
        0     0 ACCEPT     udp  --  ppp0   any     anywhere               anywhere            udp spt:40317
        0     0 ACCEPT     udp  --  ppp0   any     anywhere               anywhere            udp spt:49317
        0     0 ACCEPT     udp  --  ppp0   any     anywhere               anywhere            udp spt:33434
     5696   32M ACCEPT     all  --  lo     any     localhost.localdomain  anywhere
    10795  832K ACCEPT     all  --  usb0   any     anywhere               anywhere
        0     0 ACCEPT     icmp --  any    any     anywhere               anywhere            state RELATED,ESTABLISHED

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source                 destination

    Chain OUTPUT (policy ACCEPT 7717 packets, 1300K bytes)
     pkts bytes target     prot opt in     out     source                 destination
     5696   32M ACCEPT     all  --  any    lo      anywhere               localhost.localdomain
    core2quad ~ $

Now let's compare that with the stored system configuration file supplied by lab126 (on Kpw-5.3.3):

Code:
    core2quad ~ $ ssh kpw "PATH=$PATH ; cat /etc/sysconfig/iptables"
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # TCP handling. Allow incoming TCP TPH on WAN
    -A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT
    -A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    # UDP Handling. Only allow device initiated connections.
    -A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -i ppp0 -p udp -m state --state ESTABLISHED -j ACCEPT
    # ALLOW UDP PINs ports for TPHv3.0
    -A INPUT -i ppp0 -p udp --sport 40317 -j ACCEPT
    -A INPUT -i ppp0 -p udp --sport 49317 -j ACCEPT
    -A INPUT -i ppp0 -p udp --sport 33434 -j ACCEPT
    # Loopback. All traffic allowed.
    -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
    -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
    # Usbnet. All traffic allowed.
    -A INPUT -i usb0 -j ACCEPT
    # ICMP. Allow only responses to local connections
    -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    core2quad ~ $

Code:
    core2quad ~ $ ssh kpw "PATH=$PATH ; iptables-save"
    # Generated by iptables-save v1.3.8 on Wed Feb 6 13:21:59 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [7981:1338955]
    -A INPUT -i ppp0 -p tcp -m tcp --dport 40317 -j ACCEPT
    -A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -i ppp0 -p udp -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -i ppp0 -p udp -m udp --sport 40317 -j ACCEPT
    -A INPUT -i ppp0 -p udp -m udp --sport 49317 -j ACCEPT
    -A INPUT -i ppp0 -p udp -m udp --sport 33434 -j ACCEPT
    -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
    -A INPUT -i usb0 -j ACCEPT
    -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
    COMMIT
    # Completed on Wed Feb 6 13:21:59 2013

This output would include the secondary and user-defined chains if they were in use. There is a corresponding iptables-restore utility. The one shipped with the version 5.3.3 firmware is terribly broken. Earlier Kindle firmwares are probably as bad or worse.

You can see that one possible work-flow in defining a custom firewall is to build it up one rule, one chain at a time; test until tired; save it in a file; edit in comments of why you did what you did (which looks like how lab126 did it).

The three kernel network control bits of most interest here are:

Code:
    # Packet forwarding : 0 == Disable, 1 == Enable
    core2quad ~ $ ssh kpw "cat /proc/sys/net/ipv4/ip_forward"
    0
    # IPv4 dynamic address rewrite : 0 == Disable, 1 == Enable, 2 == Enable&Log
    core2quad ~ $ ssh kpw "cat /proc/sys/net/ipv4/ip_dynaddr"
    0
    # Make multiple, physical paths work as one logical network
    # 0 == Disable, 1 == Enable
    core2quad ~ $ ssh kpw "cat /proc/sys/net/ipv4/conf/all/proxy_arp"
    0

The Kindle kernel firewall **as shipped** is intended to keep out everything except Amazon by wireless (Wifi & 3G) and allow the owner in only if directly wired to the Kindle by the USB cable. None of the other common IPv4 things are supported, nor is IPv6.

By default, the iptables list function only lists the three chains in the filter table. There are three (or four in new kernels) tables: filter, mangle, nat (and some kernels: raw). There are more chains than what is shown by default; in a quick summary:

Mangle
Nat
Filter
Raw <- if your kernel has this one.
Any of which may have user-defined chains added to them.

For more than you ever wanted to know on this subject, including a pretty picture of where the packets go, see: http://www.frozentux.net/iptables-tu...ERSINGOFTABLES

From the packet flow-chart in the above linked page, it can be seen that if we want to block packets generated by local processes, then the OUTPUT chain of the FILTER table is where we want to put our rules.

Thread on the (K3 old and Kpw new) address ranges to block, see: https://www.mobileread.com/forums/sho...d.php?t=200475

Are we still connected? What interfaces are up now and how is our battery condition?

Code:
    core2quad usb-0.7.N $ ssh kpw "echo -n 'Charge: ' ; gasgauge-info -c ; echo -n 'Load: ' ; gasgauge-info -l"
    Charge: 98%
    Load: 185 mA
    core2quad usb-0.7.N $ ssh kpw "ip -o link | cut -f 2,9 -d ' ' "
    lo: UNKNOWN
    usb0: UP

Notice the nice little set of counters on everything. They can help you in finding out what is happening in the firewall part of the network stack. In addition, there are rules that only count matching packets and rules that only log matching packets.

Due to the need to support user comments and Model/Firmware related iptables-save reports, the BBB (Block Big Brother) section of this post has been moved to a thread of its own; see: https://www.mobileread.com/forums/sho...d.php?t=205224

Last edited by knc1; 02-08-2013 at 10:24 AM.
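Since the post above says the iptables-restore shipped with 5.3.3 is broken, here is an added example (my own script, not knc1's, twobob's or lab126's code) of the "save it in a file" work-flow without it: the saved iptables-save text is replayed one plain iptables command at a time. It assumes a Busybox sh and an iptables found on PATH (run it on the Kindle, or through ssh with the PATH=$PATH work-around); the embedded dump is a constructed excerpt of the lab126 filter table shown above.

```shell
#!/bin/sh
# Replay an iptables-save style dump one rule at a time, as a substitute for
# the broken iptables-restore on 5.3.3 firmware. Dry run by default (commands
# are printed); APPLY=1 executes them. Flush the table first if it is populated,
# since every rule is re-added with -A.

# Constructed sample: an excerpt of the lab126 /etc/sysconfig/iptables.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Usbnet. All traffic allowed.
-A INPUT -i usb0 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# dump_to_cmds: read dump text on stdin, print one iptables command per line.
# Blank lines, comments and COMMIT are skipped; "*name" selects the table;
# ":CHAIN POLICY [..]" becomes -P for built-in chains or -N for user-defined
# ones; "-A ..." rule lines pass through with the current table prepended.
dump_to_cmds() {
    table=filter
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|COMMIT) continue ;;
            '*'*) table=${line#\*} ;;
            ':'*)
                rest=${line#:}
                chain=${rest%% *}
                policy=${rest#* }; policy=${policy%% *}
                case "$chain" in
                    INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)
                        printf 'iptables -t %s -P %s %s\n' "$table" "$chain" "$policy" ;;
                    *) printf 'iptables -t %s -N %s\n' "$table" "$chain" ;;
                esac ;;
            -*) printf 'iptables -t %s %s\n' "$table" "$line" ;;
        esac
    done
}

# sample_cmd N: the Nth command the sample dump expands to.
sample_cmd() { printf '%s\n' "$SAMPLE_DUMP" | dump_to_cmds | sed -n "${1}p"; }
# sample_count: how many commands the sample dump expands to.
sample_count() { printf '%s\n' "$SAMPLE_DUMP" | dump_to_cmds | wc -l | tr -d ' '; }

# Print (or, with APPLY=1, execute) each command in dump order.
printf '%s\n' "$SAMPLE_DUMP" | dump_to_cmds | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "$cmd"; fi
done
```

To replay a file you saved yourself, feed it in with `dump_to_cmds < your-saved-rules` in place of the embedded sample; chains are created (-N) before any -A line refers to them because iptables-save already lists the ":" lines first.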
02-07-2013, 08:30 AM | #2 | Going Viral
The BBB work-around now has a thread of its own: https://www.mobileread.com/forums/sho...d.php?t=205224
After long conversations with the "Button Man" (twobob), I have decided to end this tutorial on managing the Kindle firewall with the (manual) addition of the "Big Brother Blocker" rules. The file system structure will probably not make any sense in terms of just one OUTPUT chain fragment (BBB), but it will reflect that of the upcoming "kWall" application.

Last edited by knc1; 02-08-2013 at 10:24 AM.
02-07-2013, 06:08 PM | #3 | Going Viral
It's soup.
OK world, your Kpw can now be equipped with a "Big Brother Block".
Until certain technical difficulties are overcome by twobob and myself, you have to "do it by hand" as shown above.
02-07-2013, 06:58 PM | #4 |
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Týr
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
|
Excellent thread. Will dig through this again and again no doubt. Thanks!