Thursday, February 03, 2011

firewall on N900

Grr my first post of this year and I plan to start "I confess: I am a paranoid". what the heck, lets go with it:

I confess, I am a paranoid. I carry around my N900 all the time and thanks to my job, I end up in different continents at times. with my primary SIM connection, international data network tends to around 15$/MB which I don't really feel like paying, so I either choose a local SIM (If I am around for that long that deserves it) OR more likely to use WLAN in the hotel or guest network I am allowed on. I don't like wlan network in general other than the one I personally setup. and hence dont like the thought that my phone's network services are open for all on wlan0 device :(. This triggered my search for something quick and simple firewall. I think of it more or less as a basic password I'd setup on my laptop of a phone unlock code or lock my car when I step out of it - it can be counteracted, but what the heck, some one has to see it worthwhile the effort to do it (and I don't personally think I am worth that effort ;) ). Anyways, back to code..

Maemo wiki(search for the word firewall) unfortunately tells me dubious statement "Maybe not". on a phone data network, I am reasonably sure that the 3G provider really does'nt want to pay for people running nmap on other people's phone - I guess they are pretty serious about it, but unfortunately most wifis contain machines which are already compromised - the users really dont control their PCs anymore.. and my poor phone has to share the world with them as well.. (Disclaimer: I did say I am a paranoid, ok maybe a little bit paranoid).

Since even "ET call home" does'nt really need my phone to run Apache server or an SMTP server, I dont need a complicated firewall setting. I needed something as simple as gufw
yes OR no.

Since I am never the first to look for something, bit of googling later, found this
few customizations for this script I setup the following with the N900 power kernel:
Note: for what ever reasons, N900 default kernel on PR1.3 does'nt come with these modules in /lib/modules/`uname -a` :(

~/bin/fire:

#!/bin/bash

set -x

# Load needed kernel modules

modprobe ipt_MASQUERADE
modprobe ipt_NETMAP
modprobe ipt_REDIRECT
modprobe ip_tables
modprobe ipt_REJECT
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat


# Clear any existing firewall stuff before we start
# TODO: really not secure thingy- might wanna do REJECT rules before this..
iptables --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Related and established connections: see
# http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
#
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
#
# This will automatically handle incoming UDP traffic associated with
# DNS queries, as well as PASSIVE mode FTP (provided the
# ip_conntrack_ftp module is loaded)

iptables -A INPUT -i phonet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i wmaster0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections on selected ports to the firewalled computer:

# Logging: first, eliminate any packets that are going to broadcast
# addresses, since they will overwhelm the log files if there are any
# windows computers on our network. Also, don't log pesky multicast
# packets that we block.

iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Log all other blocked packets, and change DROP to REJECT to be
# polite and allow people connecting to a blocked port to receive a
# "connection refused" message instead of timing out after 30 seconds.

#iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT



And the reverse: ~/bin/nofire

#!/bin/bash
set -x

# Clear any existing firewall stuff before we start

iptables --flush

# A dumb set of steps - just being explicit here..
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT


I then added desktop command execution widget to basically use call firewall ON and OFF with a dumb command of /bin/bash -c "/usr/bin/rootsh /home/user/bin/fire" for firewall on and /bin/bash -c "/usr/bin/rootsh /home/user/bin/nofire" for no firewall - activated only if I click on it.

Anyways, as usual, lazy halfbaked though it is, just sharing the goodies - do feel free to improve it and post your own or maybe some real security expert can post a better set of scripts here..

Ofcourse, the only pet peeve I have is this - I, for some reason cannot use my camera with power kernel. mebbe some day will have time to look at all things I want..

[Late realization of searching for N900 ufw on google gave me this]

No comments: