# Explanation of iptables Rules
The INPUT chain determines how to treat an IP packet arriving at the network adapter from the network. The OUTPUT chain determines how to treat an IP packet originating from within the device.
A chain listing shows each rule by protocol, source and destination address and port. The target column names the action or user-defined chain that handles a packet once it matches that rule's criteria.
The filter table is used to filter (ACCEPT, REJECT or DROP) packets. There are three default chains defined for the filter table:
- The INPUT chain: Rules in this chain apply to packets just before they’re given to a local process.
- The OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process.
- The FORWARD chain: The rules here apply to any packets that are routed through the current host.
A target must be reached from at least one of the above chains to be in use. A chain that is defined but not currently in use may still be activated by settings. For example, a wifi network may be configured with a quota or limited to certain hours. We do not use those settings or provide a means to configure them on our production tablets.
```
Chain INPUT (policy ACCEPT)
target           prot opt source    destination
bw_INPUT         all  --  anywhere  anywhere
fw_INPUT         all  --  anywhere  anywhere

Chain FORWARD (policy ACCEPT)
target           prot opt source    destination
oem_fwd          all  --  anywhere  anywhere
fw_FORWARD       all  --  anywhere  anywhere
natctrl_FORWARD  all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target           prot opt source    destination
oem_out          all  --  anywhere  anywhere
fw_OUTPUT        all  --  anywhere  anywhere
st_OUTPUT        all  --  anywhere  anywhere
bw_OUTPUT        all  --  anywhere  anywhere
```
Chain targets reached from the INPUT, FORWARD and OUTPUT chains:
```mermaid
graph TD;
INPUT --> bw_INPUT;
INPUT --> fw_INPUT;
FORWARD --> oem_fwd;
FORWARD --> fw_FORWARD;
FORWARD --> natctrl_FORWARD;
OUTPUT --> oem_out;
OUTPUT --> fw_OUTPUT;
OUTPUT --> st_OUTPUT;
OUTPUT --> bw_OUTPUT;
```
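The "in use" question above (which defined chains are actually reachable from INPUT, FORWARD and OUTPUT, and which are defined but empty) was answered by hand in this document. The script below is an added example, not Android's code or part of the original page: it parses `iptables -L` text, follows jump targets from the built-in chains, and reports unreachable chains, empty chains, and `(N references)` counts that disagree with the rules actually present. It assumes the standard `iptables -L` layout where the first column is the target and a rule with no target starts with the protocol name. `LISTING` is a constructed excerpt of the chains shown on this page, trimmed to the cases needed to show each report.

```python
"""Audit an `iptables -L` filter-table listing: find the user-defined chains that
can actually be reached from the built-in INPUT/FORWARD/OUTPUT chains, the ones
that are defined but empty, and reference counts that disagree with the rules.

Added example, not Android code. LISTING is a constructed excerpt of the listing
on this page, abbreviated to the chains needed to show each case."""
import re
from collections import deque

LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source    destination
bw_INPUT   all  --  anywhere  anywhere
fw_INPUT   all  --  anywhere  anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source    destination
natctrl_FORWARD  all  --  anywhere  anywhere
Chain bw_INPUT (1 references)
target     prot opt source    destination
           all  --  anywhere  anywhere  owner socket exists
Chain bw_costly_shared (0 references)
target     prot opt source    destination
bw_penalty_box  all  --  anywhere  anywhere
Chain bw_penalty_box (1 references)
target     prot opt source    destination
Chain fw_INPUT (1 references)
target     prot opt source    destination
fw_standby  all  --  anywhere  anywhere
Chain fw_dozable (0 references)
target     prot opt source    destination
RETURN     all  --  anywhere  anywhere  owner UID match 0-9999
DROP       all  --  anywhere  anywhere
Chain fw_standby (0 references)
target     prot opt source    destination
Chain natctrl_FORWARD (1 references)
target     prot opt source    destination
DROP       all  --  anywhere  anywhere
"""

HEADER = re.compile(r"^Chain (\S+) \((policy \S+|\d+ references)\)")
# Protocol names that start a rule line when the rule has no target at all;
# such a rule only updates packet/byte counters and never accepts or drops.
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}


def parse_listing(text):
    """Return {chain: {"builtin": bool, "reported_refs": int|None, "rules": [target|None]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, info = m.groups()
            builtin = info.startswith("policy")
            current = chains[name] = {
                "builtin": builtin,
                "reported_refs": None if builtin else int(info.split()[0]),
                "rules": [],
            }
            continue
        tokens = line.split()
        if current is None or not tokens or tokens[0] == "target":
            continue  # blank line or the column-header line
        current["rules"].append(None if tokens[0] in PROTOCOLS else tokens[0])
    return chains


def reachable(chains):
    """Chains reached by following jump targets outward from the built-in chains."""
    seen = set()
    queue = deque(name for name, c in chains.items() if c["builtin"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        for target in chains[name]["rules"]:
            if target in chains:  # a jump to a user-defined chain, not a verdict like DROP
                queue.append(target)
    return seen


def audit(chains):
    """Summarise dead chains, empty chains and reference-count mismatches."""
    live = reachable(chains)
    actual_refs = {name: 0 for name in chains}
    for c in chains.values():
        for target in c["rules"]:
            if target in actual_refs:
                actual_refs[target] += 1
    return {
        "unreachable": sorted(n for n, c in chains.items() if not c["builtin"] and n not in live),
        "empty": sorted(n for n, c in chains.items() if not c["rules"]),
        "ref_mismatch": sorted(n for n, c in chains.items()
                               if c["reported_refs"] is not None
                               and c["reported_refs"] != actual_refs[n]),
    }


if __name__ == "__main__":
    for key, names in audit(parse_listing(LISTING)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Two details of the output are worth noting. The `owner socket exists` rule in bw_INPUT has no target column, so it is recorded as `None`: a rule without a target only updates counters and takes no accept/drop decision by itself. And bw_penalty_box is reported as unreachable even though it has one reference, because the only chain that jumps to it (bw_costly_shared) is itself not reached from any built-in chain; the reference count alone does not tell you whether a chain is live.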
```
Chain bw_FORWARD (1 references)
target     prot opt source    destination
```
Only allow incoming packets from tcp and udp if the socket was already created by a device process.
```
Chain bw_INPUT (1 references)
target     prot opt source    destination
           all  --  anywhere  anywhere     owner socket exists
```
Only allow outgoing packets from tcp and udp if the socket was already created by a device process.
```
Chain bw_OUTPUT (1 references)
target     prot opt source    destination
           all  --  anywhere  anywhere     owner socket exists
```
### NOP: no packets in the bw_penalty_box filter criteria
```
Chain bw_costly_shared (0 references)
target prot opt source destination
bw_penalty_box all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain bw_happy_box (0 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain bw_penalty_box (1 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain fw_FORWARD (1 references)
target prot opt source destination
```
### NOP: no packets in the fw_standby filter criteria
```
Chain fw_INPUT (1 references)
target prot opt source destination
fw_standby all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain fw_OUTPUT (1 references)
target prot opt source destination
fw_standby all -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
It is affected by Doze settings and would reject or drop packets if Doze were enabled on our tablet.
```
Chain fw_dozable (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere owner UID match 0-9999
DROP all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain fw_standby (0 references)
target prot opt source destination
```
### DO NOT FORWARD packets from other devices
Drops all packets forwarded from any device connected directly to the router via NAT.
```
Chain natctrl_FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain natctrl_tether_counters (0 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain oem_fwd (1 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain oem_out (1 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain st_OUTPUT (1 references)
target prot opt source destination
```
### Only allow tcp packets from sockets that have been created by a device process.
```
Chain st_clear_caught (2 references)
target prot opt source destination
st_clear_caught tcp -- anywhere anywhere state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
st_clear_caught udp -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
```
Chain st_clear_detect (0 references)
target prot opt source destination
REJECT all -- anywhere anywhere connmark match 0x2000000/0x2000000 reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere connmark match 0x1000000/0x1000000
CONNMARK tcp -- anywhere anywhere u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" CONNMARK or 0x1000000
CONNMARK udp -- anywhere anywhere u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" CONNMARK or 0x1000000
RETURN all -- anywhere anywhere connmark match 0x1000000/0x1000000
```
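The `u32` expressions in st_clear_caught and st_clear_detect are hard to read, so here is an added example (not Android's code or part of the original page) that evaluates iptables `u32` match syntax in Python using the same semantics as the kernel's xt_u32 match: a 32-bit big-endian read at an offset, then `&`, `<<`, `>>` steps, with `@` adding the current value to the read origin and reading a fresh word there. Walking the two st_clear_detect expressions shows what they test: the TCP one follows the IPv4 header length and the TCP data offset to the payload and requires a TLS record of type 0x16, version 3.x, whose handshake type (payload byte 5) is 0x01, a ClientHello; the UDP one does the same for a DTLS record (0x16, version byte 0xfe) with handshake type at payload byte 13. The sample packets are constructed inline, not captures, and the function and constant names are this example's own.

```python
"""Evaluate iptables `u32` match expressions, such as the TLS/DTLS ClientHello
detectors in the st_clear_detect chain, against raw IPv4 packet bytes.

Added example, not Android's code: it re-implements the xt_u32 semantics in
Python so the expressions can be read and exercised offline."""
import re
import struct

# Expressions copied verbatim from the st_clear_detect listing above.
TLS_CLIENT_HELLO_TCP = ("0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000"
                        "&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000")
DTLS_CLIENT_HELLO_UDP = ("0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000"
                         "&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000")

_TOKEN = re.compile(r">>|<<|[&@]|0x[0-9a-fA-F]+|[0-9]+")


def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def _word(pkt, pos):
    """Big-endian 32-bit read at pos; None if the read runs past the packet end."""
    if pos < 0 or pos + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, pos)[0]


def _location(tokens, pkt):
    """Walk one u32 location: an initial read, then &, <<, >> and @ steps in order.
    '@' adds the current value to the origin and reads a new word at origin+n."""
    origin = 0
    val = _word(pkt, _num(tokens[0]))
    for op, arg in zip(tokens[1::2], tokens[2::2]):
        if val is None:
            return None
        n = _num(arg)
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        elif op == ">>":
            val >>= n
        elif op == "@":
            origin += val
            val = _word(pkt, origin + n)
    return val


def u32_match(expr, pkt):
    """True when every '&&'-joined test matches; a too-short packet never matches."""
    for test in expr.split("&&"):
        loc, _, values = test.partition("=")
        val = _location(_TOKEN.findall(loc), pkt)
        if val is None:
            return False
        ok = False
        for item in values.split(","):  # value set: single values or lo:hi ranges
            lo, _, hi = item.partition(":")
            lo, hi = _num(lo), (_num(hi) if hi else _num(lo))
            ok |= lo <= val <= hi
        if not ok:
            return False
    return True


# --- constructed sample packets (not captures) --------------------------------
def ipv4(proto, l4, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01"):
    """Minimal IPv4 header (IHL=5, no options) in front of an L4 segment."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst) + l4


def tcp(payload, options=b""):
    """TCP header; the data offset is derived from the length of any options."""
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, doff << 4, 0x18, 65535, 0, 0) + options + payload


def udp(payload):
    return struct.pack("!HHHH", 50000, 4433, 8 + len(payload), 0) + payload


# Start of a TLS record carrying a ClientHello: type 0x16, version 3.1, length,
# then handshake type 0x01; padded so the 4-byte read at payload offset 4 fits.
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 8
# DTLS 1.2 record: type 0x16, version 0xfefd, epoch, 48-bit seq, length, then 0x01.
DTLS_HELLO = b"\x16\xfe\xfd" + b"\x00\x00" + b"\x00" * 6 + b"\x00\x40" + b"\x01" + b"\x00" * 8
HTTP_GET = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"


def classify(pkt):
    """Label a packet the way the st_clear_detect u32 rules would select it."""
    proto = pkt[9]  # IPv4 protocol field
    if proto == 6 and u32_match(TLS_CLIENT_HELLO_TCP, pkt):
        return "tls-client-hello"
    if proto == 17 and u32_match(DTLS_CLIENT_HELLO_UDP, pkt):
        return "dtls-client-hello"
    return "unmatched"


if __name__ == "__main__":
    for name, pkt in [("tls", ipv4(6, tcp(TLS_HELLO))), ("dtls", ipv4(17, udp(DTLS_HELLO))),
                      ("http", ipv4(6, tcp(HTTP_GET)))]:
        print(name, classify(pkt))
```

Because `@` moves the origin by the computed header length rather than a fixed 20 or 40 bytes, the same expression still finds the payload when the TCP header carries options; a cleartext HTTP request over the same port never matches, which is what lets the chain mark TLS connections and leave cleartext ones to be caught. Note that the u32 walk in st_clear_caught ends in `@0x0&0x0=0x0`, which is always true once at least four payload bytes exist, so that rule selects any ESTABLISHED TCP packet carrying data rather than inspecting its contents.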
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
```
Chain st_penalty_log (0 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK or 0x1000000
NFLOG all -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
```
Chain st_penalty_reject (0 references)
target prot opt source destination
CONNMARK all -- anywhere anywhere CONNMARK or 0x2000000
NFLOG all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
```