Re: [gentoo-user] iptables tunneling a chrooted Linux?
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
> On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
>> on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux. If I set up a firewall as root (the Android is rooted) while I am in the chrooted Linux, these firewall settings have to be active also in the Android environment, right? Or vice versa: I can track any network traffic of the Android OS inside my chrooted Linux, right? One kernel to rule them all...?
>
> If this is only chroot, you have to set all iptables rules (and other network configuration) in the host system environment (on Android).

A bit of clarification here: Chroots and their hosts share the same network configuration. So, if you configure an iptables rule in the chroot, it affects the host, and vice-versa. That means you can set things up on either side, as long as you're talking about kernel-space settings (iptables, iproute2, etc). If you're touching resolv.conf or /etc/hosts, that of course needs to be done in both places.

> If you are using LXC or other container...then you have to set up network inside container and bridge/route it with the host system.

If you're using containers, the network namespace can be shared or not. If the namespace is shared, then it behaves the same as a chroot with regard to the network, iptables, etc. If the network namespace is not shared, then the container gets its own interface, and there are a lot of options for how you go from there. Usually you just bridge a virtual ethernet interface to the host, but if you have multiple physical interfaces you could have each namespace have its own physical interface (I have no idea if the cell network vs wifi network interfaces are separated in Android).

You could set iptables either on the bridge on the host (which MUST be done from the host), or on the virtual interface in the container, and each set of rules affects the packets that go through it. Also, if you're bridging, your container will have a different IP, so you might need NAT on the host if your cell provider blocks multiple DHCP assignments to the same device.

I actually have openvpn running in a container and it acts as the gateway for my network (everything else just sees it as a standard router, including the host). That does need some iproute2 magic if your host ends up also servicing non-vpn traffic since it is multi-networked. It would be easier to set up on a phone.

--
Rich
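Rich's point that a chroot shares the host's network configuration (and a network-namespaced container does not) can be verified before trusting any rules set from inside it. The kernel exposes each process's network namespace as the symlink /proc/<pid>/ns/net, and two processes are in the same namespace exactly when those links resolve to the same "net:[inode]" string. The script below is an added example, not part of Rich's mail or of Gentoo or Android; the function names are mine, and it assumes a Linux /proc with namespace links (kernel 3.8 or later) and, for the PID 1 comparison, a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): check whether two processes share one
# network namespace, so a firewall set up from a chroot can be confirmed to
# apply to the whole device. PID 1 (Android's init) stands in for "the host".

# Print the network namespace identity of a process, e.g. "net:[4026531992]".
netns_of() {
    readlink "/proc/$1/ns/net"
}

# Exit 0 if both processes share one network namespace, 1 if they differ,
# 2 if either namespace link could not be read (no /proc, no such PID,
# or no permission to inspect the other process).
same_netns() {
    a=$(netns_of "$1") || return 2
    b=$(netns_of "$2") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Verdict for use from inside the chroot: compare this shell with PID 1.
# Reading /proc/1/ns/net requires root, which a rooted Android provides.
check_shared_with_host() {
    same_netns "$$" 1
    rc=$?
    case $rc in
        0) echo "shared: iptables rules set here apply to the whole device" ;;
        1) echo "separate: this is its own network namespace; rules here do NOT reach the host" ;;
        *) echo "unknown: cannot read namespace links (is /proc mounted, are you root?)" ;;
    esac
    return $rc
}

# Typical use: run from the chrooted Gentoo shell as root.
check_shared_with_host
```

A plain chroot prints "shared"; an LXC container with its own network namespace prints "separate", which is the case Andrew describes where rules must instead be bridged or routed from the host.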
Re: [gentoo-user] iptables tunneling a chrooted Linux?
Hi,

On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
> on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux. If I set up a firewall as root (the Android is rooted) while I am in the chrooted Linux, these firewall settings have to be active also in the Android environment, right? Or vice versa: I can track any network traffic of the Android OS inside my chrooted Linux, right? One kernel to rule them all...?

If this is only chroot, you have to set all iptables rules (and other network configuration) in the host system environment (on Android).

If you are using LXC or other container, involving network namespace separation (not sure this is doable on Android; the kernel must support NET_NS, and userspace tools should support this as well), then you have to set up network inside the container and bridge/route it with the host system.

Best regards,
Andrew Savchenko
Re: [gentoo-user] iptables tunneling a chrooted Linux?
Rich Freeman ri...@gentoo.org [15-08-15 13:04]:
> On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
>> On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
>>> on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux. If I set up a firewall as root (the Android is rooted) while I am in the chrooted Linux, these firewall settings have to be active also in the Android environment, right? Or vice versa: I can track any network traffic of the Android OS inside my chrooted Linux, right? One kernel to rule them all...?
>>
>> If this is only chroot, you have to set all iptables rules (and other network configuration) in the host system environment (on Android).
>
> A bit of clarification here: Chroots and their hosts share the same network configuration. So, if you configure an iptables rule in the chroot, it affects the host, and vice-versa. That means you can set things up on either side, as long as you're talking about kernel-space settings (iptables, iproute2, etc). If you're touching resolv.conf or /etc/hosts, that of course needs to be done in both places.
>
>> If you are using LXC or other container...then you have to set up network inside container and bridge/route it with the host system.
>
> If you're using containers, the network namespace can be shared or not. If the namespace is shared, then it behaves the same as a chroot with regard to the network, iptables, etc. If the network namespace is not shared, then the container gets its own interface, and there are a lot of options for how you go from there. Usually you just bridge a virtual ethernet interface to the host, but if you have multiple physical interfaces you could have each namespace have its own physical interface (I have no idea if the cell network vs wifi network interfaces are separated in Android).
>
> You could set iptables either on the bridge on the host (which MUST be done from the host), or on the virtual interface in the container, and each set of rules affects the packets that go through it. Also, if you're bridging, your container will have a different IP, so you might need NAT on the host if your cell provider blocks multiple DHCP assignments to the same device.
>
> I actually have openvpn running in a container and it acts as the gateway for my network (everything else just sees it as a standard router, including the host). That does need some iproute2 magic if your host ends up also servicing non-vpn traffic since it is multi-networked. It would be easier to set up on a phone.
>
> --
> Rich

Hi Andrew, hi Rich,

thanks for your replies! 8)

Android has a problem: Apps/Applications for the masses, with advanced features broken down to a few colored buttons to press. Sounds a little pessimistic...it is not. It's only the sound of frustration.

I want to block out the man (goo...) in the middle while copying files from my PC to my tablet and vice versa via wifi. As soon as the wifi is switched on, my tablet starts talking to persons I had never known (goo...). So I installed some Android firewalls and Android SFTP-servers. No go...all firewalls I tried block all incoming traffic and there is no switch to deactivate or define it better. Some SFTP-server applications even stop working if they could not phone home.

Last chance: Installing a fully functional chrooted Linux, setting up some handcrafted iptables/ipset/sidmat stuff (which I still have to do) and...getting a "Yes, network is shared on kernel level" as answer from this thread. :)

And I got this answer...YEAH! :))

Thanks a lot for your help!!!

Best regards and have a nice weekend!
Meino
Re: [gentoo-user] iptables tunneling a chrooted Linux?
On Sat, Aug 15, 2015 at 7:45 AM, meino.cra...@gmx.de wrote:
> Last chance: Installing a fully functional chrooted Linux, setting up some handcrafted iptables/ipset/sidmat stuff (which I still have to do) and...getting a "Yes, network is shared on kernel level" as answer from this thread. :)
>
> And I got this answer...YEAH! :))

Yup. If your goal is to block outgoing connections to selected IPs, then you just need to have iptables/etc installed. Doing it from a chroot is probably as good a solution as any. You could also go the prefix route, though that is trickier. Neither is any better, so I'd stick with simple and use the chroot.

--
Rich
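For the setup Rich endorses here, blocking outgoing connections to selected IPs with iptables and ipset run from the chroot, the following script is an added example; it is not from the thread and not a Gentoo or Android tool. The set name blocked_dst, the chain name OUTBOUND_BLOCK and the addresses in the comments are constructed for illustration. It assumes the device kernel has ipset support (the xt_set match) and the LOG target; it defaults to a dry run that only prints the commands, so the rule set can be reviewed on any machine before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): outbound blocklist with ipset + iptables,
# applied from inside the chroot. Because the chroot shares the kernel's network
# stack, the rules affect every app on the device, not just the chroot.
#
# DRY_RUN=1 (default) prints the commands instead of running them.

SET_NAME=${SET_NAME:-blocked_dst}      # constructed name for the ipset
CHAIN=${CHAIN:-OUTBOUND_BLOCK}         # constructed name for our own chain
DRY_RUN=${DRY_RUN:-1}

# Run a command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a well-formed IPv4 address or CIDR prefix (octets 0-255, mask 0-32),
# so a typo cannot turn into an unexpected ipset entry.
valid_cidr() {
    oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    echo "$1" | grep -Eq "^($oct\.){3}$oct(/([0-9]|[12][0-9]|3[0-2]))?$"
}

# Build the set and chain. Arguments: addresses/prefixes to block outbound.
# Returns 1 and applies nothing if any argument is malformed (fail closed).
build_blocklist() {
    for a in "$@"; do
        valid_cidr "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    # hash:net holds both single hosts and prefixes; -exist makes reruns idempotent.
    run ipset create "$SET_NAME" hash:net -exist
    for a in "$@"; do
        run ipset add "$SET_NAME" "$a" -exist
    done
    # A dedicated chain keeps our rules separate from Android's own and easy to remove.
    run iptables -N "$CHAIN" 2>/dev/null || true
    # Log (rate-limited, visible in dmesg) and then drop packets whose destination is in the set.
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" dst \
        -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND_BLOCK: "
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" dst -j DROP
    # Hook the chain into OUTPUT exactly once (-C tests for an existing rule).
    if [ "$DRY_RUN" = 1 ] || ! iptables -C OUTPUT -j "$CHAIN" 2>/dev/null; then
        run iptables -I OUTPUT -j "$CHAIN"
    fi
}

# Example invocation with constructed (documentation-range) addresses.
build_blocklist 203.0.113.10 198.51.100.0/24
```

Because the chain only matches on destination, the device keeps talking to everything not in the set, which is the opposite of the Android firewall apps Meino describes that block all incoming traffic. If `ipset create` fails on the device, the kernel lacks xt_set and the same policy has to be expressed as one `iptables -A` rule per address.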
[gentoo-user] iptables tunneling a chrooted Linux?
Hi,

on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux.

If I set up a firewall as root (the Android is rooted) while I am in the chrooted Linux, these firewall settings have to be active also in the Android environment, right? Or vice versa: I can track any network traffic of the Android OS inside my chrooted Linux, right? One kernel to rule them all...?

(I am asking before, because I don't want to screw up the Android side of the system...I am not yet that familiar with this...)

What do you think?

Best regards,
Meino