Gentoo Forums
getting KDE Connect to work with IPTables [solved]
Forum: Networking & Security

hunky
l33t

Joined: 19 Nov 2003
Posts: 819
Location: Alaska

PostPosted: Sat Feb 11, 2017 5:17 am    Post subject: getting KDE Connect to work with IPTables [solved]

So I know mostly nothing about iptables, but I just got it going, and noticed it blocks kdeconnect (as one would expect, I guess).

I found these rules somewhere to get me started, at least until I learn a bit more about it (not really wanting to learn, but I will, so I don't have to bother you guys):
Code:
#!/bin/bash

# Start from a clean IPv4 filter table: flush rules, delete user chains, zero counters
iptables -F
iptables -X
iptables -Z

# Default-deny inbound and forwarded traffic; allow everything outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow replies to connections this host started, and all loopback traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow the ICMP error types (destination unreachable, time exceeded,
# parameter problem) that path MTU discovery and traceroute depend on
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
# Answer ident (113) probes with a TCP RST instead of dropping them,
# so remote mail/IRC servers do not hang waiting for a timeout
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset

# Same baseline for IPv6
ip6tables -F
ip6tables -X
ip6tables -Z

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify at all
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ICMPv6 from link-local sources (neighbour discovery, router advertisements)
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
# Reject new UDP datagrams and new TCP connections explicitly rather than
# letting them fall through to the silent DROP policy
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset


Kdeconnect uses ports 1714:1764, apparently on both tcp and udp. So in googling I found these two lines, which I added to the above file just above where the ip6tables -F lines start:
Code:
#added by jim - kdeconnect ports
iptables -A INPUT -i enp2s0 -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --match multiport --dports 1714:1764 -j ACCEPT
iptables -A INPUT -i enp2s0 -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --match multiport --dports 1714:1764 -j ACCEPT


With that, in calling the file, I get this error:
Code:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.


So something is wrong. I'm thinking I could simplify it somehow; not sure if it is choking on my net interface enp2s0, since most examples seem to use eth0 or similar. The IP range could perhaps be 192.168.1.0/24 or whatever the syntax is, but I'm not sure how to write it. Or perhaps I have a misconfigured kernel?

Help would be appreciated. Otherwise I just stop iptables and this file (named firewall.sh) and connect my phone with kdeconnect... but... hassle.

thx, JD


Last edited by hunky on Sat Feb 11, 2017 8:34 pm; edited 1 time in total
Hu
Moderator

Joined: 06 Mar 2007
Posts: 13511

PostPosted: Sat Feb 11, 2017 4:27 pm

That error usually means that one or more of the features you tried to use is not available in the current kernel. Since that line looks overly specified for what you want, you may be able to make it work by reducing the features used, rather than by changing the kernel.

You are correct that the use of --src-range is an unnecessary complication here. You could switch to using a /24 with functionally the same effect. You are correct that this rule matches only traffic on interface enp2s0. If that is not the name of your interface, it will not match any traffic.

Using such a wide range of ports is a bit unusual. I hope that means only that all those are possibilities that might happen depending on configuration, not that all of them are likely to occur over repeated uses in the same configuration. However, the obvious citation for this says exactly what you wrote. The expedient low security solution would be to declare that anything on the LAN segment is trusted and remove the multiport qualifier. If you do not want to do this (perhaps because there are services on the system that even LAN peers should not access), you need either to get multiport to work or you need to get KDEConnect to be more predictable. For multiport, you need CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y (or =m and loaded) in your kernel. If this is not sufficient to resolve your problem, please post the output of zgrep -e _NF_ -e NETFILTER /proc/config.gz.
hunky
l33t

Joined: 19 Nov 2003
Posts: 819
Location: Alaska

PostPosted: Sat Feb 11, 2017 6:43 pm

Many thanks Hu for the helpful reply.

I was about to give it up, and so I installed ufw, as I found examples for kdeconnect that use it. It has a check-requirements script that did point to some kernel problems, and some googling led me to fixes that let that script pass successfully. The one you mentioned was definitely one of them. However, trying my iptables script above still produced those errors. So before enabling ufw, I simplified those rules to this (enp2s0 is my interface name, but it's not needed):
Code:
iptables -A INPUT -s 192.168.1.0/24 -p tcp --match multiport --dports 1714:1764 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --match multiport --dports 1714:1764 -j ACCEPT


And that works fine. KDE Connect works fine with that.

As far as the range of ports seeming excessive, I agree. But I'm busy enough with non-computer stuff that I don't want to dive too deep into that. My LAN is just myself and my wife at home (she's on a Mac), so I don't think there are threats within the LAN, so perhaps the rules above are OK.

I did take a look at that last command you gave:
Code:
zgrep -e _NF_ -e NETFILTER /proc/config.gz
gzip: /proc/config.gz: No such file or directory


If that indicates another problem perhaps you could help with that. Otherwise, I could mark this solved.

[edit] I went ahead and found the /proc/config.gz option in the kernel config and set it, so it works now.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 13511

PostPosted: Sun Feb 12, 2017 12:30 am

To elaborate on my point about LAN security: though the only humans authorized to use the LAN are you and your wife, it is increasingly common to buy "smart" devices that connect to the LAN (televisions are a major offender). These devices typically have atrocious security and, if compromised, could be used as a springboard to attack the LAN. If you have such a device, you might want to place it on a separate subnet or change the source rules so that only the specific devices you trust not to get compromised can match.
hunky
l33t

Joined: 19 Nov 2003
Posts: 819
Location: Alaska

PostPosted: Sun Feb 12, 2017 12:54 am

Thanks again Hu. I had that nagging notion about this. Good ideas. I suppose, since my computer is the only one using kdeconnect, I could specify just my IP address rather than the whole network. I assume that would work. Otherwise I'll have to do some googling on getting my particular router to do subnets. /jim
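Added example, not code posted by hunky or Hu or shipped by KDE Connect. It puts the two points of Hu's replies into one script: the "No chain/target/match by that name" error means a match extension (here iprange and multiport, each with its own CONFIG_NETFILTER_XT_MATCH_* option) is missing from the kernel, so the script checks a kernel config for the options the thread's rules use; and instead of trusting the whole 192.168.1.0/24, it generates ACCEPT rules only for named phone addresses, using the plain tcp/udp --dport low:high range match so neither multiport nor iprange is required. The interface name enp2s0 and the phone address 192.168.1.50 are placeholders, not values from the thread; a real setup would pin the phone's address with a DHCP reservation on the router. Run it after firewall.sh, which flushes the tables with -F before adding its own rules.

```shell
#!/bin/sh
# Added example for this thread (not code from any post). Two pieces:
#  1. check_netfilter_config: report kernel options that are neither =y nor =m,
#     which is the usual cause of "No chain/target/match by that name".
#  2. kdeconnect_rules: emit INPUT ACCEPT rules for KDE Connect that trust only
#     specific hosts (the phone), using --dport low:high on the tcp/udp match,
#     which needs no xt_multiport or xt_iprange module.
# IFACE and TRUSTED_HOSTS are assumed placeholders, not values from the thread.

IFACE=${IFACE:-enp2s0}                        # LAN interface (assumed name)
TRUSTED_HOSTS=${TRUSTED_HOSTS:-192.168.1.50}  # phone address(es), assumed; pin via DHCP reservation
KDECONNECT_PORTS=1714:1764                    # port range stated in the thread

# Options the thread's firewall.sh uses (conntrack match, REJECT target) plus
# the two match extensions hunky's first attempt used (multiport, iprange).
NEEDED_OPTS="CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_IP_NF_TARGET_REJECT \
CONFIG_NETFILTER_XT_MATCH_MULTIPORT CONFIG_NETFILTER_XT_MATCH_IPRANGE"

# check_netfilter_config FILE OPTION...
# Prints "missing: OPTION" for each option not set to y or m in FILE
# (plain text or gzipped, e.g. /proc/config.gz). Returns 1 if any is missing.
check_netfilter_config() {
    cfg=$1; shift
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    missing=0
    for opt in "$@"; do
        if ! $reader "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# kdeconnect_rules IFACE HOST...
# Prints one ACCEPT rule per trusted host and protocol. The tcp and udp matches
# accept a low:high range in --dport, so multiport is not needed, and -s with a
# single address replaces the iprange match.
kdeconnect_rules() {
    iface=$1; shift
    for host in "$@"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -i $iface -s $host -p $proto --dport $KDECONNECT_PORTS -j ACCEPT"
        done
    done
}

# Usage: sh kdeconnect-fw.sh check | show | apply   (apply needs root)
# KCONFIG may point at a different config file than /proc/config.gz.
case "${1:-}" in
    check) check_netfilter_config "${KCONFIG:-/proc/config.gz}" $NEEDED_OPTS ;;
    show)  kdeconnect_rules "$IFACE" $TRUSTED_HOSTS ;;
    apply) kdeconnect_rules "$IFACE" $TRUSTED_HOSTS | sh -e ;;
esac
```

"check" is the scriptable form of Hu's zgrep command and only works once CONFIG_IKCONFIG_PROC provides /proc/config.gz (or with KCONFIG pointing at a saved .config); "show" prints the rules for review, and "apply" feeds them to a shell, so nothing touches the running firewall unless asked.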
All times are GMT