asked 2014-01-06 14:14:20 +0300
I'm trying to setup firewall on Jolla to prevent remote access. I've manage to setup most of it, but I don't know how to make it persistent.
So what would be an appropriate place to setup firewall on Jolla?
answered 2014-03-31 20:02:16 +0300
I've just set up a solution which uses systemd
Put this into /etc/systemd/system/iptables.service:
[Unit]
Description=IPv4 firewall with iptables
ConditionPathExists=/etc/sysconfig/iptables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/systemd-iptables start
[Install]
WantedBy=basic.target
Add this to /usr/local/sbin/systemd-iptables
#!/bin/sh
case $1 in
start)
/sbin/iptables-restore < /etc/sysconfig/iptables
;;
save)
/sbin/iptables-save > /etc/sysconfig/iptables
;;
*)
echo "Unkown action '$1'"
;;
esac
and make it executable (chmod 755 /usr/local/sbin/systemd-iptables)
Then add your iptables rules however you like, then do:
[root@localhost ~]# /usr/local/sbin/systemd-iptables save
Now you can use systemctl to enable this iptables.service at boot.
I've dumped my iptables rules here: http://pastebin.com/EwTQpuf6 ... Feel free to comment and adopt. Works with the built-in tethering, and provides SSH access from WLAN and USB developer mode.
dazo ( 2014-05-02 15:16:26 +0300 )edit@dazo - thanks, I reused the tethering forward rules, and added some rate limiting for the LOG rules:
-A FORWARD -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "Firewall [FWD:DROP] "
Tried in vain to add rate limiting for inbound connections as in:
:SSHBRUTE - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBRUTE
-A SSHBRUTE -m recent --set --name SSH --rsource
-A SSHBRUTE -m recent --update --seconds 120 --hitcount 8 --name SSH --rsource -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "SSHBRUTE: "
-A SSHBRUTE -m recent --update --seconds 120 --hitcount 8 --name SSH --rsource -j DROP
-A SSHBRUTE -j ACCEPT
Even tried to collapse the rules, avoiding new chains but that failed to commit on restore too.
nik ( 2015-02-27 12:22:46 +0300 )edit@dazo while this works how do you define your iptables? every app and every service on your phone would then need to be added? what would be the difference between android apps and sailfish apps?
Whats the easiest way to figure out which apps and services use what IP qnd how can you record them using sailfish?
DarkTuring ( 2016-11-10 04:34:34 +0300 )editanswered 2014-01-06 18:59:52 +0300
Never mind. I managed to move around it. Not ideal, but it seems that "/etc/profile.d" can be used for startup scripts which run before unlocking the device.
Here is my firewall setup ("/etc/profile.d/setup-iptables.sh"):
if shopt -q login_shell; then
echo "skipping iptables"
else
myTrustedPC=192.168.1.106
# allow all for loopback
iptables -A INPUT -i lo -j ACCEPT
# ACCEPT by default (should be default already)
# iptables -P INPUT ACCEPT
# allow SSH connection on trusted only
iptables -A INPUT -p tcp -s $myTrustedPC --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# allow ADB connection on trusted only
iptables -A INPUT -p tcp -s $myTrustedPC --dport 5555 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 5555 -j DROP
fi
You might want to change at least "myTrustedPC" ;-). I've tried iptables -P INPUT DROP, but Android applications seem to use some weird ports even for HTTP and I was unable to find iptables logs so I've gave up.
In case you're wondering - saving and restoring rules works on Jolla (save state: iptables-save > /etc/sysconfig/iptables.rules and then just use this in setup script: iptables-restore < /etc/sysconfig/iptables.rules).
@Nux As sailfish uses systemd it should not be a big deal to create your own service to load iptables on boot. You can use your favorite linux distro scripts as a base for such solution. Such solution will be much cleaner then /etc/profile.d which should be used during every login of any user. So with script in profile.d you reconfigure (or at least try to reconfigure) your firewall with every login to your device i.e. by ssh.
strnous ( 2014-01-09 00:04:58 +0300 )editAsked: 2014-01-06 14:14:20 +0300
Seen: 7,461 times
Last updated: Mar 31 '14