We have moved to a new Sailfish OS Forum. Please start new discussions there.
13

How to setup firewall / iptables / init scripts?

asked 2014-01-06 14:14:20 +0300

Nux gravatar image

I'm trying to setup firewall on Jolla to prevent remote access. I've manage to setup most of it, but I don't know how to make it persistent.

  1. /etc/sysconfig/iptables is not loaded automatically.
  2. /etc/network/interfaces (where I could add loading of tables) is not available.
  3. /etc/rc.local is also not available

So what would be an appropriate place to setup firewall on Jolla?

edit retag flag offensive close delete

2 Answers

Sort by » oldest newest most voted
16

answered 2014-03-31 20:02:16 +0300

dazo gravatar image

updated 2014-03-31 20:03:12 +0300

I've just set up a solution which uses systemd

Put this into /etc/systemd/system/iptables.service:

 [Unit]
 Description=IPv4 firewall with iptables
 ConditionPathExists=/etc/sysconfig/iptables

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/systemd-iptables start

 [Install]
 WantedBy=basic.target

Add this to /usr/local/sbin/systemd-iptables

 #!/bin/sh

 case $1 in
    start)
        /sbin/iptables-restore < /etc/sysconfig/iptables
        ;;
    save)
        /sbin/iptables-save > /etc/sysconfig/iptables
        ;;
    *)
        echo "Unkown action '$1'"
        ;;
 esac

and make it executable (chmod 755 /usr/local/sbin/systemd-iptables)

Then add your iptables rules however you like, then do:

 [root@localhost ~]# /usr/local/sbin/systemd-iptables save

Now you can use systemctl to enable this iptables.service at boot.

edit flag offensive delete publish link more

Comments

1

It might be you need to call this line to make systemd aware if your new iptables unit file:

[root@Jolla ~]# systemctl --system daemon-reload
dazo ( 2014-04-11 23:14:47 +0300 )edit
2

I've dumped my iptables rules here: http://pastebin.com/EwTQpuf6 ... Feel free to comment and adopt. Works with the built-in tethering, and provides SSH access from WLAN and USB developer mode.

dazo ( 2014-05-02 15:16:26 +0300 )edit
1

i don't really know why but for me it's only working like this:

[Service]  
WorkingDirectory=/usr/local/sbin/
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh systemd-iptables start
theowb ( 2014-05-04 20:40:26 +0300 )edit

@dazo - thanks, I reused the tethering forward rules, and added some rate limiting for the LOG rules:

-A FORWARD -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "Firewall [FWD:DROP] "

Tried in vain to add rate limiting for inbound connections as in:

:SSHBRUTE - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBRUTE
-A SSHBRUTE -m recent --set --name SSH --rsource
-A SSHBRUTE -m recent --update --seconds 120 --hitcount 8 --name SSH --rsource -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "SSHBRUTE: "
-A SSHBRUTE -m recent --update --seconds 120 --hitcount 8 --name SSH --rsource -j DROP
-A SSHBRUTE -j ACCEPT

Even tried to collapse the rules, avoiding new chains but that failed to commit on restore too.

nik ( 2015-02-27 12:22:46 +0300 )edit

@dazo while this works how do you define your iptables? every app and every service on your phone would then need to be added? what would be the difference between android apps and sailfish apps?

Whats the easiest way to figure out which apps and services use what IP qnd how can you record them using sailfish?

DarkTuring ( 2016-11-10 04:34:34 +0300 )edit
-1

answered 2014-01-06 18:59:52 +0300

Nux gravatar image

updated 2014-01-06 19:00:24 +0300

Never mind. I managed to move around it. Not ideal, but it seems that "/etc/profile.d" can be used for startup scripts which run before unlocking the device.

Here is my firewall setup ("/etc/profile.d/setup-iptables.sh"):

if shopt -q login_shell; then
    echo "skipping iptables"
else
    myTrustedPC=192.168.1.106

    # allow all for loopback
    iptables -A INPUT -i lo -j ACCEPT

    # ACCEPT by default (should be default already)
    # iptables -P INPUT ACCEPT

    # allow SSH connection on trusted only
    iptables -A INPUT -p tcp -s $myTrustedPC --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP

    # allow ADB connection on trusted only
    iptables -A INPUT -p tcp -s $myTrustedPC --dport 5555 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 5555 -j DROP
fi

You might want to change at least "myTrustedPC" ;-). I've tried iptables -P INPUT DROP, but Android applications seem to use some weird ports even for HTTP and I was unable to find iptables logs so I've gave up.

In case you're wondering - saving and restoring rules works on Jolla (save state: iptables-save > /etc/sysconfig/iptables.rules and then just use this in setup script: iptables-restore < /etc/sysconfig/iptables.rules).

edit flag offensive delete publish link more

Comments

2

@Nux As sailfish uses systemd it should not be a big deal to create your own service to load iptables on boot. You can use your favorite linux distro scripts as a base for such solution. Such solution will be much cleaner then /etc/profile.d which should be used during every login of any user. So with script in profile.d you reconfigure (or at least try to reconfigure) your firewall with every login to your device i.e. by ssh.

strnous ( 2014-01-09 00:04:58 +0300 )edit

The if skips iptables setup when console is detected. So it works fine, but your right - systemd one-shot would be a more elegant solution.

Nux ( 2014-01-14 10:22:50 +0300 )edit

I just gave it a down-vote, as I don't think it's appropriate to (ab)use /etc/profile.d for such things.

dazo ( 2014-03-31 19:58:00 +0300 )edit
Login/Signup to Answer

Question tools

Follow
15 followers

Stats

Asked: 2014-01-06 14:14:20 +0300

Seen: 7,506 times

Last updated: Mar 31 '14