+- PINE64 (https://forum.pine64.org)
+-- Forum: PinePhone (https://forum.pine64.org/forumdisplay.php?fid=120)
+--- Forum: PinePhone Software (https://forum.pine64.org/forumdisplay.php?fid=121)
+---- Forum: PostmarketOS on PinePhone (https://forum.pine64.org/forumdisplay.php?fid=124)
+---- Thread: Any recipes for IPTABLES? (/showthread.php?tid=11351)
Any recipes for IPTABLES? - vidarr - 09-08-2020
I noticed there did not appear to be a default iptables configuration nor any firewall configuration applet (like Mint) on the PostmarketOS load...
So, as I haven't hand jammed policies in years, anyone have a recipe built to leverage iptables (which is installed, just doesn't have any rules configured) to protect the phone? I haven't tested with my regular SIM card from my Android phone yet, just WiFi testing so far...but when I go on the vendor's network, that's more or less like being naked online without something to protect me.
Not criticizing. I know the devs are furiously working on the phone features as we post...just curious.
RE: Any recipes for IPTABLES? - User 18618 - 09-10-2020
ufw is a wrapper for iptables/nftables. By default, it drops all incoming connections and allows all outgoing connections.
RE: Any recipes for IPTABLES? - vidarr - 09-10-2020
(09-10-2020, 03:40 AM)jed Wrote: ufw is a wrapper for iptables/nftables. By default, it drops all incoming connections and allows all outgoing connections.
Thanks!
I'll check it out.
RE: Any recipes for IPTABLES? - vidarr - 09-10-2020
(09-10-2020, 03:40 AM)jed Wrote: ufw is a wrapper for iptables/nftables. By default, it drops all incoming connections and allows all outgoing connections.
Hmmm...I tried
$ sudo apk add ufw
I got "ERROR: unsatisfiable constraints:
ufw (missing):
required by: world[ufw]"
I guess the PostMarketOS repository doesn't have ufw yet.
RE: Any recipes for IPTABLES? - User 18618 - 09-11-2020
Sorry, I should've checked that
Alpine Linux features repository pinning, ala Debian. Try the instructions featured in the Wiki page (if pmOS allows this):
Code:
apk add ip6tables ufw@testingRE: Any recipes for IPTABLES? - vidarr - 09-11-2020
(09-11-2020, 08:48 AM)jed Wrote: Sorry, I should've checked that
Alpine Linux features repository pinning, ala Debian. Try the instructions featured in the Wiki page (if pmOS allows this):
Code:apk add ip6tables ufw@testing
No worries amigo. But, I'm wondering just how much Alpine is gutted from PostmarketOS...
Code:
pine64-pinephone:~$ sudo apk add ip6tables ufw@testing
[sudo] password for xxx:
fetch http://postmarketos1.brixit.nl/postmarketos/v20.05/aarch64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/aarch64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/aarch64/APKINDEX.tar.gz
WARNING: The repository tag for world dependency 'ufw@testing' does not exist
ERROR: Not committing changes due to missing repository tags. Use --force-broken-world to override.RE: Any recipes for IPTABLES? - User 18618 - 09-12-2020
Did you first append @testing to /etc/apk/repositories?
RE: Any recipes for IPTABLES? - vidarr - 09-13-2020
(09-12-2020, 07:46 AM)jed Wrote: Did you first append @testing to /etc/apk/repositories?
I did. I'll hold off then, to try a newer version of PostMarketOS. I decided to dabble with Mobian on another SD card...it's not perfect, but it seems a little further along than whatever else I've tried.
But, I think PostmarketOS has potential.
Thanks for the help.
RE: Any recipes for IPTABLES? - User 18618 - 09-14-2020
Worth a try. Debian does have ufw.
Here's a real script I've written as an example. It's designed to be used in conjunction with the older version of this Raspberry Pi guide, where the Pi is used as a Wireless Access Point (and a web server).
Inbound and outbound traffic is restricted as much as possible. I hope this helps as a visual to what can be achieved with ufw and iptables.
Quote:#! /usr/bin/env dash -e
# Allow DHCP leasing (for eth0 and wlan0)
ufw allow in to any port 67 # DHCP (server)
ufw allow out to any port 68 # DHCP (client)
# Allow connections to destination ports (for local network addresses)
ufw allow in on eth0 from 192.168.0.0/16 to any port 80 # HTTP (to local webserver)
# Allow connections to destination ports (for local network addresses)
ufw allow in on eth0 from 192.168.0.0/16 to any port 80 # HTTP (to local webserver)
ufw allow out from 192.168.0.0/16 to any port 53 # DNS
ufw allow out from 192.168.0.0/16 to any port 123 # NTP
ufw allow out from 192.168.0.0/16 to any port 443 # HTTPS
# Allow connections to destination ports (for wlan0 DHCP addresses)
ufw allow in on wlan0 from 192.168.4.0/28 to any port 53 # DNS (query the local DNS server)
# Forward internet-facing incoming wlan0 connections to eth0 outgoing
ufw route allow in on wlan0 from 192.168.4.0/28 to any port 80 out on eth0 # HTTP
ufw route allow in on wlan0 from 192.168.4.0/28 to any port 443 out on eth0 # HTTPS
RE: Any recipes for IPTABLES? - thatrandomguy - 10-16-2020
Hello,
I was able to install ufw on pmOS after some digging... since pmOS is based on Alpine, I used Alpine's docs to get it installed:
https://wiki.alpinelinux.org/wiki/Uncomplicated_Firewall
For some reason ufw is no longer in testing and checking Alpine's own package lookup, you will now find this in edge.
The correct command to get this on pmOS is as follows:
Code:
apk add ufw --update-cache --repository http://nl.alpinelinux.org/alpine/edge/community --allow-untrusted#Note: you gonna need sudo for this obviously....
#Also... this is a kind of cheat to get ufw installed without adding the repo for edge. It's a one time thing. See the docs for a better explanation.
Since pmOS uses openrc, you can add ufw to the startup via rc-update command but I don't recommend that for one reason.... ufw has broken pmOS net connectivity.
I have tested with adding necessary rules to allow the usual traffic for ssh, dns, etc. ufw fails with the following:
Quote:hostname:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/5.7.0
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/5.7.0
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/5.7.0
iptables-restore v1.8.4 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 63
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.4 (legacy): Couldn't load match `limit':No such file or directory
Error occurred at line: 29
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Problem loading ipv6 (skipping)
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Since ufw is found in edge and not the main repo.... this is expected behavior to me. This obviously hasn't been tested enough to the point where it's guaranteed to work on Alpine. I honestly don't know what's up or how to get it working but I'll keep trying. I'm getting the feeling though that eventually I'll wind up flashing Mobian on my PinePhone as well... not what I was aiming to do but I also think shipping something that's potentially going to be used in public with public networks... is not very wise without a legitimate firewall in place. Granted Linux works the way it does, the assumption that people won't put stupid stuff on their phone is often misguided.... which leads to people opening up their phone to higher risk. I know people might complain that ufw takes improper assumptions as well that maybe mimic what Windows does (or is it Ubuntu?)... but c'mon guys. Basic network security is deny by default and allow by exception. Everyone in the field knows this.... personally, I'd rather have something hardened by default and prevents me from adding in something I'm not 100% sure on what it is I'm adding than letting everything run free willy. Arguably, my whole motivation for even getting a Linux phone in the first place was to guarantee that I could harden it to what was deemed necessary. There's nothing stopping me from just sticking to iptables but I use a flavor of Ubuntu on my older laptop and utilize ufw on there.... I thought I would be able to here as well but here we are.