| #!/system/bin/sh |
| |
| #### DESCRIPTION #### |
| # This script sets up any static iptables rules required for the Wrigley. For |
| # this to work, we require hooks in system/netd/ to jump to a special "oem" |
| # chain for any tables/chains we want to modify. |
| |
| # NOTE: This script is called every time the netd service is started. To |
| # handle the case where netd has crashed/stopped and is restarted, attempt to |
| # flush any chains we create before adding to them; this will avoid duplicate |
| # rules. We don't attempt to delete our additions to the base "hook" chains, |
| # because that's netd's job. So, for each sub-chain we create in here, we do |
| # -N (new) to handle the case where we've never been called before, and we do |
| # -F (flush) to handle the case where we have been called before. Both no-op |
| # gracefully. |
| |
| # NOTE: The firewalling rules done in here for protecting specific ports from |
| # unauthorized access are necessary for security, but should be replaced by a |
| # connection-based authentication scheme instead. By using iptables, we are |
| # creating compatibility issues with Google's Ice Cream Sandwich, and are |
| # adding unnecessary latency to all packets that go through Netfilter. If it |
| # were not for the current implementation, we would only need a hook in the |
| # nat/PREROUTING chain, and the hooks in filter/OUTPUT & filter/FORWARD could |
| # go away. |
| # TODO: Implement a connection-based auth scheme for Wrigley control and |
| # TODO: diagnostics ports. |
| |
| # NOTE: Our usage of the static 192.168.20.0/24 for the Wrigley IP address can |
| # cause conflicts with DHCP-assigned WiFi addresses. When coupled with the |
| # firewall below, this ensures that WiFi will not work if we get assigned an |
| # address in that range. |
| # TODO: Find a way to blacklist the range above in the WiFi driver, so that we |
| # TODO: reject attempts from a WiFi AP to assign anything in that range to us. |
| |
| IPTABLES="/system/bin/iptables" |
| |
| #### filter OUTPUT #### |
| # Setup an explicit sub-chain for 192.168.20.2. This way we only burden all |
| # other packets with a single check for the IP address. |
| $IPTABLES -F oem_out_wrigley # No-op on 1st inst of this script |
| $IPTABLES -N oem_out_wrigley # No-op on 2nd-Nth inst of this script |
| $IPTABLES -A oem_out -d 192.168.20.2 -j oem_out_wrigley |
| |
| # Setup diff rules for sensitive ports vs other ports. There are more |
| # non-sensitive than sensitive ports, and the non-sensitive list is fairly |
| # dynamic. So, do a blacklist instead of a whitelist. |
| $IPTABLES -F oem_out_wrigley_sens # No-op on 1st inst of this script |
| $IPTABLES -F oem_out_wrigley_other # No-op on 1st inst of this script |
| $IPTABLES -N oem_out_wrigley_sens # No-op on 2nd-Nth inst of this script |
| $IPTABLES -N oem_out_wrigley_other # No-op on 2nd-Nth inst of this script |
| $IPTABLES -A oem_out_wrigley -p tcp --dport 3265 -j oem_out_wrigley_sens |
| $IPTABLES -A oem_out_wrigley -p tcp --dport 3267 -j oem_out_wrigley_sens |
| $IPTABLES -A oem_out_wrigley -p tcp --dport 11000 -j oem_out_wrigley_sens |
| $IPTABLES -A oem_out_wrigley -j oem_out_wrigley_other |
| |
| # Sensitive ports only allow root and radio to access them. |
| $IPTABLES -A oem_out_wrigley_sens -m owner --uid-owner 0 -j ACCEPT |
| $IPTABLES -A oem_out_wrigley_sens -m owner --uid-owner 1001 -j ACCEPT |
| $IPTABLES -A oem_out_wrigley_sens -j REJECT |
| |
| # Other ports allow root, radio, and shell to access them. |
| $IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 0 -j ACCEPT |
| $IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 1001 -j ACCEPT |
| $IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 2000 -j ACCEPT |
| $IPTABLES -A oem_out_wrigley_other -j REJECT |
| |
| #### filter FORWARD #### |
| # We only want forwarding in BP Tools Mode. |
| case $(getprop ro.bootmode) in |
| bp-tools) |
| # Only allow forwarding on non-sensitive ports. There are more |
| # non-sensitive than sensitive ports, and the non-sensitive list is fairly |
| # dynamic. So, do a blacklist instead of a whitelist. |
| $IPTABLES -F oem_fwd_wrigley # No-op on 1st inst of this script |
| $IPTABLES -N oem_fwd_wrigley # No-op on 2nd-Nth inst of this script |
| $IPTABLES -A oem_fwd -d 192.168.20.2 -j oem_fwd_wrigley |
| $IPTABLES -A oem_fwd -s 192.168.20.2 -j oem_fwd_wrigley |
| $IPTABLES -A oem_fwd_wrigley -p tcp --dport 3265 -j REJECT |
| $IPTABLES -A oem_fwd_wrigley -p tcp --dport 3267 -j REJECT |
| $IPTABLES -A oem_fwd_wrigley -p tcp --dport 11000 -j REJECT |
| $IPTABLES -A oem_fwd_wrigley -j ACCEPT |
| ;; |
| *) |
| $IPTABLES -A oem_fwd -d 192.168.20.2 -j REJECT |
| ;; |
| esac |
| |
| #### nat PREROUTING #### |
| case $(getprop ro.bootmode) in |
| bp-tools) |
| # We must rewrite the destination address for our SUAPI logger port to the |
| # address of the BLAN, because legacy tools (RTA/PST) rely on this. |
| $IPTABLES -t nat -A oem_nat_pre -p tcp -d 192.168.16.2 --dport 11006 -j DNAT --to 192.168.20.2:11006 |
| ;; |
| esac |