On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko <birc...@gentoo.org> wrote:
>
> On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
>> on my Android tablet I have installed a Gentoo rootfs.
>> I can start this by chgrooting it after Android has booted.
>> Via xvnc I can connect from a running Android to the also
>> running Gentoo Linux.
>> If I set up a firewall as root (the Android is rooted) while
>> I am in the chrooted Linux these firewall settings have to be
>> active also in the Android environment, right?
>> Or vice versa: I can track any network traffic of the Android
>> OS inside my chrooted Linux, right?
>>
>> One kernel to rule them all...?
>
> If this is only chroot, you have to set all iptables rules (and
> other network configuration) in the host system environment (on
> Android).

A bit of clarification here:  Chroots and their "hosts" share the same
network configuration.  So, if you configure an iptables rule in the
chroot, it affects the host, and vice-versa.  That means you can set
things up on either side, as long as you're talking about kernel-space
settings (iptables, iproute2, etc).  If you're touching resolv.conf or
/etc/hosts that of course needs to be done in both places.

> If you are using LXC or another container...then you have to set up the network
> inside the container and
> bridge/route it with the host system.

If you're using containers, the network namespace can be shared or
not.  If the namespace is shared, then it behaves the same as a chroot
with regard to the network, iptables, etc.  If the network namespace
is not shared then the container gets its own interface, and there are
a lot of options for how you go from there.  Usually you just bridge a
virtual ethernet interface to the host, but if you have multiple
physical interfaces you could have each namespace have its own
physical interface (I have no idea if the cell network vs wifi network
interfaces are separated in android).  You could set iptables either
on the bridge on the host (which MUST be done from the host), or on
the virtual interface in the container, and each set of rules affects
the packets that go through it.  Also, if you're bridging your
container will have a different IP, so you might need NAT on the host
if your cell provider blocks multiple DHCP assignments to the same
device.

I actually have openvpn running in a container and it acts as the
gateway for my network (everything else just sees it as a standard
router, including the host).  That does need some iproute2 magic if
your host ends up also servicing non-vpn traffic since it is
multi-networked.  It would be easier to set up on a phone.

-- 
Rich

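Added example (my own script, not code from this thread): `same_netns` checks whether two processes share a network namespace by comparing their `/proc/<pid>/ns/net` inodes, which is the property that decides whether iptables rules entered in a chroot or container also hit the host; `setup_separate_netns_demo` shows the other case from the message above, a container with its own namespace that needs its own rules plus a host-side bridge and NAT (it needs root, and the names ctr, br0, veth0/veth1, wlan0 and 10.0.0.0/24 are assumptions).

```shell
#!/bin/sh
# Two processes share a network namespace exactly when their
# /proc/<pid>/ns/net links resolve to the same inode. chroot(2) only
# changes the root directory, so a process in a chroot reports the same
# inode as the host's PID 1; a container started with CLONE_NEWNET does not.
same_netns() {
    a=$(readlink "/proc/$1/ns/net") || return 2
    b=$(readlink "/proc/$2/ns/net") || return 2
    if [ "$a" = "$b" ]; then echo shared; else echo separate; fi
}

# Where would an iptables rule entered by process $2 take effect, seen
# from process $1 (e.g. the host's PID 1)? No root needed for this check.
rule_scope() {
    case "$(same_netns "$1" "$2")" in
        shared)   echo "rules entered in either environment apply to both" ;;
        separate) echo "rules apply only inside that namespace; host bridge needs its own" ;;
        *)        echo "unknown (cannot read /proc/<pid>/ns/net)"; return 1 ;;
    esac
}

# Root-only demo of the separate-namespace case: veth pair, bridge on the
# host, container-side rules, host-side forward filter and NAT.
# Interface and address names are assumptions for the demo.
setup_separate_netns_demo() {
    ip netns add ctr
    ip link add veth0 type veth peer name veth1
    ip link set veth1 netns ctr
    ip link add br0 type bridge
    ip link set veth0 master br0
    ip link set veth0 up
    ip link set br0 up
    ip addr add 10.0.0.1/24 dev br0
    ip netns exec ctr ip addr add 10.0.0.2/24 dev veth1
    ip netns exec ctr ip link set veth1 up
    ip netns exec ctr ip route add default via 10.0.0.1
    # Rule inside the container: it only sees packets crossing veth1.
    ip netns exec ctr iptables -A INPUT -i veth1 -p tcp --dport 23 -j DROP
    # Rules on the host: the bridge filter and the NAT for the container's
    # separate address MUST be done here, they cannot be set from inside.
    iptables -A FORWARD -i br0 -o wlan0 -j ACCEPT
    iptables -A FORWARD -i wlan0 -o br0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wlan0 -j MASQUERADE
    sysctl -w net.ipv4.ip_forward=1
}
```

A quick sanity check on a rooted device: `same_netns 1 $$` run from inside the chroot prints `shared`, confirming the original poster's "one kernel to rule them all" for the network stack.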