tip: easy mini firewall
Hi,
Nokia's Internet tablets are pretty secure out of the box, ports are well closed, but a small firewall never hurts. Alas, I have not found one (so far). So here is a small hack:
open an editor and create a file with this inside:
#!/bin/sh
iptables -F
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
save it, and make it executable (chmod +x). Then, run it as root.
You will have a very basic, but solid, firewall.
HTH,
VS
SeRi@lDiE
04-28-2007, 06:37 AM
Thanks for the tip.
you are welcome. BTW there are far more advanced iptables scripts out there, but this one being super-easy and short I thought I would share it.
On the downside, this does require a prospective newbie to install Xterm, get a root account, etc.
I wonder if somebody would write a mini-applet and turn this into a mini-firewall package for the N770/N800
Any ideas?
Kind regards,
VS
gsagers
04-28-2007, 10:42 AM
Thanks, great tip! I'd offer the following change for those who want remote SSH access to their Nokia from anywhere - and if I typed something wrong, please correct me - I'm no iptables guru, but it seems to work here!
#!/bin/sh
iptables -F
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
Ricky-Lee
12-10-2008, 11:06 AM
Any chance of some one getting a version of iptables with logging working?
Would this have to be rerun after a reboot? If so, it could be slapped as is into an rc file like /etc/init.d/firewall & linked to /etc/rc0.d/S40firewall (for example).
Ricky-Lee
12-10-2008, 11:57 AM
Yes, it would have to be rerun after a reboot. And yeah, linking it in that way should work.
brendan
12-10-2008, 12:34 PM
why not just vi /etc/sysconfig/iptables?
I know nothing about iptables, but wouldn't it be "proper" to issue the above commands in the shell to set up the firewall, then use something like 'iptables-save > /etc/iptables.conf' & then just have the rc script call 'iptables-restore < /etc/iptables.conf'? Or am I making things too complicated, as usual? :rolleyes:
allnameswereout
12-10-2008, 01:20 PM
Damn, I thought we'd discuss firewall appliances :)
I know nothing about iptables, but wouldn't it be "proper" to issue the above commands in the shell to set up the firewall, then use something like 'iptables-save > /etc/iptables.conf' & then just have the rc script call 'iptables-restore < /etc/iptables.conf'? Or am I making things too complicated, as usual? :rolleyes:
That is the easy and proper way. Put these commands in rc scripts and you're done.
So, issue these commands as root:
iptables -F # Clears INPUT, OUTPUT, FORWARD rules
iptables -P INPUT DROP # Change INPUT policy to DROP
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
To save current firewall rules (before reboot):
iptables-save >/etc/iptables.conf
To restore the last saved firewall rules (during boot or right after boot):
iptables-restore </etc/iptables.conf
NOTE you should accept traffic to/from local loopback device instead of 127.0.0.1. You should deny traffic from 127.0.0.1 on network because this can only be spoofed traffic. However, I'm no IPT wizard; I prefer OpenBSD PF.
Keep in mind legit network services such as DHCP traffic and Avahi...
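Putting the pieces of this thread together, here is a complete init-script style firewall (an added example, not code posted by anyone in the thread). It uses the DROP policy and the "loopback by interface" point from the post above, gsagers' port 22 rule, and the save/restore step, and it goes one step beyond the thread by adding a state rule: a DROP policy on INPUT without it also drops the replies to connections the tablet opens itself (DNS, web, outgoing ssh). Assumptions: the device's iptables build has the "state" and "limit" matches and the LOG target; /etc/iptables.conf is the save path suggested above; the names ipt, apply_rules, open_firewall, save_rules, restore_rules, RULES_FILE, SSH_PORT and DRY_RUN are this example's own.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Combines the rules discussed
# above into one init-script style file (e.g. /etc/init.d/firewall, linked
# from an rc directory as suggested). Assumptions: the device's iptables has
# the "state" and "limit" matches and the LOG target; rules are saved to
# /etc/iptables.conf as the thread proposes. DRY_RUN=1 prints the commands
# instead of running them, so the rule set can be reviewed without root.

RULES_FILE="${RULES_FILE:-/etc/iptables.conf}"   # save/restore location
SSH_PORT="${SSH_PORT:-22}"                       # port to keep reachable

# Run one iptables command, or just print it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Apply the rule set. INPUT is evaluated top to bottom and the first match
# wins; whatever matches nothing falls through to the chain policy (DROP).
apply_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    # Loopback is matched by interface (-i lo), not by address.
    ipt -A INPUT -i lo -j ACCEPT
    # Loopback traffic was accepted above, so any 127.0.0.0/8 source still
    # being evaluated here arrived on a real interface and can only be spoofed.
    ipt -A INPUT -s 127.0.0.0/8 -j DROP
    # Replies to connections the tablet opened itself (DNS, web, outgoing ssh).
    # A DROP policy without this rule blocks all return traffic.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services reachable from outside: ssh, DHCP client replies, Avahi/mDNS.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A INPUT -p udp --dport 5353 -j ACCEPT
    # Log what is about to be dropped, rate-limited so the log cannot fill up;
    # the DROP policy then discards the packet.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Return to an open INPUT chain (used by "stop").
open_firewall() {
    ipt -P INPUT ACCEPT
    ipt -F INPUT
}

# Persist the running rules so they survive a reboot.
save_rules() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables-save > $RULES_FILE"
    else
        iptables-save > "$RULES_FILE"
    fi
}

# Reload the saved rules; this is what the boot-time link should call.
restore_rules() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables-restore < $RULES_FILE"
    else
        iptables-restore < "$RULES_FILE"
    fi
}

case "$1" in
    start)   apply_rules && save_rules ;;
    stop)    open_firewall ;;
    restore) restore_rules ;;
    *)       echo "usage: $0 {start|stop|restore}" >&2 ;;
esac
```

Run it once as root with "start" to load and save the rules, and have the rc link call "restore" at boot; "DRY_RUN=1 sh firewall start" shows exactly which iptables commands would be issued, which is the cheapest way to review rule order before touching a live device.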
Ricky-Lee
12-10-2008, 08:34 PM
why not just vi /etc/sysconfig/iptables?
[1|root@minidemon|~]ls /etc/sysconfig/iptables
ls: /etc/sysconfig/iptables: No such file or directory
allnameswereout
12-11-2008, 08:17 AM
[1|root@minidemon|~]ls /etc/sysconfig/iptables
ls: /etc/sysconfig/iptables: No such file or directory
Forget about that. /etc/sysconfig is RedHat-specific. Might also be used on RedHat-based or RedHat-related OSes.
brendan
12-11-2008, 08:50 AM
Right, I keep forgetting that Debian doesn't follow the (same) standards that Red Hat/Fedora do.
what does this return:
ls -l `which iptables`
allnameswereout
12-11-2008, 10:05 AM
They're not standards ;)
/sbin/iptables on Maemo/Debian/Ubuntu.
Thanks, great tip! I'd offer the following change for those who want remote SSH access to their Nokia from anywhere - and if I typed something wrong, please correct me - I'm no iptables guru, but it seems to work here!
#!/bin/sh
iptables -F
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
NOTE you should accept traffic to/from local loopback device instead of 127.0.0.1. You should deny traffic from 127.0.0.1 on network because this can only be spoofed traffic. However, I'm no IPT wizard; I prefer OpenBSD PF.
Just want to put it all together & try to figure out a problem. First off, is this modification correct based on the above?
#!/bin/sh
iptables -F
iptables -A INPUT -p all -s loopback -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
Secondly, why would either of the above forms kill this port forwarding I use to give the remote site access to my IT from behind a NAT router?
ssh -R 9999:localhost:22 -l remuser -p remport -N remote.site.com
As I understand, port 9999 is just the remote site's access port directed to port 22 on the IT. Unless the port 22 ACCEPT line in the rules is incorrect, but I have no other way to test right now. TX
brendan
12-11-2008, 12:44 PM
no, it should be
iptables -A INPUT -p all -s lo -j ACCEPT
since ifconfig uses the lo convention, not loopback for the name of that interface.
As far as the reverse port forwarding you do with ssh, I don't think that would be killed via iptables, because the traffic would be tunneled through ssh, not be a separate connection. You would have to be listening for ssh on all interfaces too, not just the wlan0 interface.
Your sshd_config should have the following directive:
ListenAddress 0.0.0.0
no, it should be
iptables -A INPUT -p all -s lo -j ACCEPT
since ifconfig uses the lo convention, not loopback for the name of that interface.
Strange, 'cause even though ifconfig shows lo active (as it should be), iptables gives 'host/network `lo' not found'.
As far as the reverse port forwarding you do with ssh, I don't think that would be killed via iptables, because the traffic would be tunneled through ssh, not be a separate connection. You would have to be listening for ssh on all interfaces too, not just the wlan0 interface.
Your sshd_config should have the following directive:
ListenAddress 0.0.0.0
The line is there but commented out. Funny thing is that it seems to be working now. Must've been something else that killed my connection before.
TX
brendan
12-12-2008, 12:39 PM
sorry, change the
-s lo
to
-i lo
because lo is an interface, not really a source.
brendan
12-12-2008, 12:41 PM
Since the ListenAddress is commented out with 0.0.0.0 as a value, that means it's the default, and therefore the daemon listens on all interfaces.
netstat -na |grep 22
should confirm
Since the ListenAddress is commented out with 0.0.0.0 as a value, that means it's the default, and therefore the daemon listens on all interfaces.
netstat -na |grep 22
should confirm
That it does. Thanks
~/bin$ netstat -an | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:61466 127.0.0.1:22 ESTABLISHED
tcp 0 0 127.0.0.1:22 127.0.0.1:61466 ESTABLISHED
allnameswereout
12-12-2008, 02:48 PM
GROG, why don't you simply change IPTables default policy INPUT to DROP and then add what you wish to allow?
If you're interested in INPUT with netstat, you use the -l flag in netstat to list those sockets which listen. Normally you also have the -p flag, which shows the application that listens (very useful), but this version of netstat doesn't allow this. So, e.g.: $ netstat -lan | more
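The netstat check in the last few posts answers "does sshd listen on 0.0.0.0 or only on 127.0.0.1?" by eye. The script below (an added example, not code from the thread) does the same check over "netstat -lan" style output and also lists every TCP port that is reachable on all interfaces, so the list can be compared against the firewall's ACCEPT rules. The sample output is constructed, modelled on the lines posted above (with a loopback-only service and a UDP line added); the names SAMPLE_NETSTAT, tcp_listeners, listen_scope and exposed_tcp_ports are this example's own.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Parses "netstat -lan" style
# output (the tablet's netstat has no -p) to report where a TCP service is
# listening, so the listening sockets can be compared with the firewall's
# ACCEPT rules. The sample below is constructed, modelled on the lines posted
# above; on a device, pass the real output: listen_scope 22 "$(netstat -lan)".

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:61466         127.0.0.1:22            ESTABLISHED
tcp        0      0 127.0.0.1:22            127.0.0.1:61466         ESTABLISHED
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# Shared parser: for every TCP socket in LISTEN state print "PORT ADDR", where
# ADDR is the local address with the port stripped (handles IPv6 ":::22" too).
tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print port, addr
        }'
}

# listen_scope PORT [NETSTAT_OUTPUT]
# Prints "all" if PORT listens on every interface (0.0.0.0, :: or :::),
# "local" if it only listens on loopback, "none" if nothing listens on it.
listen_scope() {
    tcp_listeners "${2:-$SAMPLE_NETSTAT}" | awk -v port="$1" '
        $1 == port {
            if ($2 == "0.0.0.0" || $2 == "::" || $2 == ":::") scope = "all"
            else if (scope != "all") scope = "local"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# exposed_tcp_ports [NETSTAT_OUTPUT]
# Lists each TCP port reachable on all interfaces, one per line, ascending.
# Every port printed here needs a deliberate ACCEPT rule or should be closed.
exposed_tcp_ports() {
    tcp_listeners "${1:-$SAMPLE_NETSTAT}" |
        awk '$2 == "0.0.0.0" || $2 == "::" || $2 == ":::" { print $1 }' |
        sort -n | uniq
}

# Stand-alone run against the constructed sample.
echo "ssh (22) listens on: $(listen_scope 22)"
echo "exposed tcp ports: $(exposed_tcp_ports | tr '\n' ' ')"
```

On the sample, port 22 reports "all" (matching the 0.0.0.0:22 LISTEN line posted above) while 631 reports "local"; the exposed list is the set of ports the firewall must either ACCEPT on purpose or leave to the DROP policy.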