Jump to content


Photo

Security - iptables


  • Please log in to reply
9 replies to this topic

#1 daveraver

  • Senior Member
  • 274 posts

+3
Neutral

Posted 29 May 2018 - 09:07

Hi! I've found where security - firewall locate their files on /etc/security, I think so. So, could anybody give me a website where it were explained for our enigma2 box?? On my formuler1 when you install firewall on plugin panel download, it shows dependecies errors, but create the folder 'security' with the access.conf and other files. I would like to read some wiki about firewall and its rules implementation, it would be great. If not, some google search could be useful, but I prefer somewhere recommended by some openpli forum member. I saw inside the files on security folder lots of explanations and config options, I didnt see if it is possible made an only 'hostname' access instead of IP. That's the main key I want to use, close access with only grant acces some hostname.

 

Thanks in advance,

David



Re: Security - iptables #2 WanWizard

  • Forum Moderator
    PLi® Core member
  • 40,301 posts

+627
Excellent

Posted 29 May 2018 - 09:33

The STB is not a security device, I doubt iptables even works.


Many answers to your question can be found in our new and improved wiki.

Currently in active use: HD2400 (4xS2)VU+Duo2 (3xS2)VU+Zero, Edision OS mini+, ET10000 (4xS2)

For testing purposes: XP1000Formuler F1 (2xS2)Miraclebox Premium Micro (S2+C/T),  ET7500 (S2)ET8500 (S2), Zgemma H2.H (S2+C)Zgemma H5.2TC (S2+C/T), SAB TripleAlpha (S2+C/T), Galaxy 4K (FBC), VU Zero 4K, Edision OS nino 


Re: Security - iptables #3 daveraver

  • Senior Member
  • 274 posts

+3
Neutral

Posted 29 May 2018 - 09:39

Then, what is the purpose of the firewall plugin on feeds? Well, I will try it and, if it works, I'll be back here to tell you... I say this because I have a way to run firewall through a script and maybe it will work.


Edited by daveraver, 29 May 2018 - 09:44.


Re: Security - iptables #4 WanWizard

  • Forum Moderator
    PLi® Core member
  • 40,301 posts

+627
Excellent

Posted 29 May 2018 - 09:48

Because it's been there for dogs years and nobody bothered to remove it?


Many answers to your question can be found in our new and improved wiki.

Currently in active use: HD2400 (4xS2)VU+Duo2 (3xS2)VU+Zero, Edision OS mini+, ET10000 (4xS2)

For testing purposes: XP1000Formuler F1 (2xS2)Miraclebox Premium Micro (S2+C/T),  ET7500 (S2)ET8500 (S2), Zgemma H2.H (S2+C)Zgemma H5.2TC (S2+C/T), SAB TripleAlpha (S2+C/T), Galaxy 4K (FBC), VU Zero 4K, Edision OS nino 


Re: Security - iptables #5 daveraver

  • Senior Member
  • 274 posts

+3
Neutral

Posted 29 May 2018 - 09:57

hahaha,  :D  :D  :D , eternal non functional firewall... ok... I will try anyway by my way... maybe my ignorance make me believe it is possible... greetings!!


Edited by daveraver, 29 May 2018 - 09:57.


Re: Security - iptables #6 MiLo

  • PLi® Core member
  • 13,731 posts

+288
Excellent

Posted 29 May 2018 - 18:41

iptables would work on the box, like any other Linux machine out there (e.g. routers...) but doing so would basically kill all the nice features (webinterface, samba server). Opening up a port for, say, the webinterface, voids all security you got from iptables. Since it's rather pointless to do that, and the box is targeted to be behind a firewall already (i.e. your router) the iptables modules aren't even built to keep the kernel smaller (even when built as module, they'll leave some hooks in the kernel). It's basically not in there for the same reason the RAID6 driver (which also works perfectly fine on the box) isn't in there: There's just hardly any demand for it.

It's open source software, so everyone's free to compile and provide the iptables modules.

Edited by MiLo, 29 May 2018 - 18:44.

Real musicians never die - they just decompose

Re: Security - iptables #7 daveraver

  • Senior Member
  • 274 posts

+3
Neutral

Posted 29 May 2018 - 18:56

But you can give access only to some hostname, with iptables... I wanted to copy and paste the iptables script to the box, but the sintaxis is diferent, to get full iptable feature, kernel has to be ready for take all rules that you can have on debian/ubuntu distros, this is the sintaxis for the package installed on my formuler f1 this afternoon,

root@formuler1:~# iptables --help
iptables v1.4.12.2

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)


Commands:
Either long or short options are allowed.
  --append  -A chain Append to chain
  --check   -C chain Check for the existence of a rule
  --delete  -D chain Delete matching rule from chain
  --delete  -D chain rulenum
Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
  --flush   -F [chain] Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
Zero counters in chain or all chains
  --new     -N chain Create a new user-defined chain
  --delete-chain
            -X [chain] Delete a user-defined chain
  --policy  -P chain target
Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
Change chain name, (moving any references)
Options:
    --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
    --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
 --jump -j target
target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match -m match
extended match (may load extension)
  --numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
  --table -t table table to manipulate (default: `filter')
  --verbose -v verbose mode
  --line-numbers print line numbers when listing
  --exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
  --modprobe=<command> try to insert modules using this command
  --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

So, I cant do copy and paste from my firewall script on my debian server... different sintaxis

 

greetings 



Re: Security - iptables #8 daveraver

  • Senior Member
  • 274 posts

+3
Neutral

Posted 29 May 2018 - 19:00

iptables would work on the box, like any other Linux machine out there (e.g. routers...) but doing so would basically kill all the nice features (webinterface, samba server). Opening up a port for, say, the webinterface, voids all security you got from iptables. Since it's rather pointless to do that, and the box is targeted to be behind a firewall already (i.e. your router) the iptables modules aren't even built to keep the kernel smaller (even when built as module, they'll leave some hooks in the kernel). It's basically not in there for the same reason the RAID6 driver (which also works perfectly fine on the box) isn't in there: There's just hardly any demand for it.

It's open source software, so everyone's free to compile and provide the iptables modules.

Ok, I will ask for a friend of mine, to get the modules compiled, but there are others that compile for comunity... so,,, why make it exclusive to a few persons, to use on openpli? so to use openpli you have to be a coder... ahh ok... nothing happens, everyone is free to compile or to go anywhere he wants...

 

If I thought as you, and I get the compiled modules, then, I wont share here to the community, it doesnt care, other person can compile agains, isnt it?


Edited by daveraver, 29 May 2018 - 19:05.


Re: Security - iptables #9 Pr2

  • PLi® Test Team
  • 2,445 posts

+94
Good

Posted 30 May 2018 - 14:06

The point here is that it is a bad idea to think that your receiver can act as a proper firewall just by enabling iptable on it.

So if people want to play sorcerer's apprentices it is up to there responsibility to compile it and play with it. If OpenPLi compile and offer it from the feed once your box will be hacked you will ask why and how is it possible since you install the iptable from the feed.


NO SUPPORT by PM, it is a forum make your question public so everybody can benefit from the question/answer.

Octagon SF-4008: Hotbird 13.0E, Astra 19.2E, Eutelsat5A 5.0W (+DVB-C)
VU+ Solo 4K: 2*DVB-S2 + 2*DVB-C/T/T2 (used in DVB-C)
Zgemma H5: 1*DVB-S2 + 1*DVB-C

Re: Security - iptables #10 daveraver

  • Senior Member
  • 274 posts

+3
Neutral

Posted 30 May 2018 - 21:30

The point here is that it is a bad idea to think that your receiver can act as a proper firewall just by enabling iptable on it.

So if people want to play sorcerer's apprentices it is up to there responsibility to compile it and play with it. If OpenPLi compile and offer it from the feed once your box will be hacked you will ask why and how is it possible since you install the iptable from the feed.

Yes, I think so right now. WanWizard tells me the same. Milo was a little "rude" to consider the users have to be coders to enjoy all their boxes features, on my point of view, but he give me a good idea, but not easy, to configure the ISP router firewall... one more battle for me...






1 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


    Bing (1)