#!/system/bin/sh
#### DESCRIPTION ####
# This script sets up any static iptables rules required for the Wrigley. For
# this to work, we require hooks in system/netd/ to jump to a special "oem"
# chain for any tables/chains we want to modify.
# NOTE: This script is called every time the netd service is started. To
# handle the case where netd has crashed/stopped and is restarted, attempt to
# flush any chains we create before adding to them; this will avoid duplicate
# rules. We don't attempt to delete our additions to the base "hook" chains,
# because that's netd's job. So, for each sub-chain we create in here, we do
# -N (new) to handle the case where we've never been called before, and we do
# -F (flush) to handle the case where we have been called before. Both no-op
# gracefully.
# NOTE: The firewalling rules done in here for protecting specific ports from
# unauthorized access are necessary for security, but should be replaced by a
# connection-based authentication scheme instead. By using iptables, we are
# creating compatibility issues with Google's Ice Cream Sandwich, and are
# adding unnecessary latency to all packets that go through Netfilter. If it
# were not for the current implementation, we would only need a hook in the
# nat/PREROUTING chain, and the hooks in filter/OUTPUT & filter/FORWARD could
# go away.
# TODO: Implement a connection-based auth scheme for Wrigley control and
# TODO: diagnostics ports.
# NOTE: Our usage of the static 192.168.20.0/24 for the Wrigley IP address can
# cause conflicts with DHCP-assigned WiFi addresses. When coupled with the
# firewall below, this ensures that WiFi will not work if we get assigned an
# address in that range.
# TODO: Find a way to blacklist the range above in the WiFi driver, so that we
# TODO: reject attempts from a WiFi AP to assign anything in that range to us.
IPTABLES="/system/bin/iptables"
#### filter OUTPUT ####
# Setup an explicit sub-chain for 192.168.20.2. This way we only burden all
# other packets with a single check for the IP address.
$IPTABLES -F oem_out_wrigley # No-op on 1st inst of this script
$IPTABLES -N oem_out_wrigley # No-op on 2nd-Nth inst of this script
$IPTABLES -A oem_out -d 192.168.20.2 -j oem_out_wrigley
# Setup diff rules for sensitive ports vs other ports. There are more
# non-sensitive than sensitive ports, and the non-sensitive list is fairly
# dynamic. So, do a blacklist instead of a whitelist.
$IPTABLES -F oem_out_wrigley_sens # No-op on 1st inst of this script
$IPTABLES -F oem_out_wrigley_other # No-op on 1st inst of this script
$IPTABLES -N oem_out_wrigley_sens # No-op on 2nd-Nth inst of this script
$IPTABLES -N oem_out_wrigley_other # No-op on 2nd-Nth inst of this script
$IPTABLES -A oem_out_wrigley -p tcp --dport 3265 -j oem_out_wrigley_sens
$IPTABLES -A oem_out_wrigley -p tcp --dport 3267 -j oem_out_wrigley_sens
$IPTABLES -A oem_out_wrigley -p tcp --dport 11000 -j oem_out_wrigley_sens
$IPTABLES -A oem_out_wrigley -j oem_out_wrigley_other
# Sensitive ports only allow root and radio to access them.
$IPTABLES -A oem_out_wrigley_sens -m owner --uid-owner 0 -j ACCEPT
$IPTABLES -A oem_out_wrigley_sens -m owner --uid-owner 1001 -j ACCEPT
$IPTABLES -A oem_out_wrigley_sens -j REJECT
# Other ports allow root, radio, and shell to access them.
$IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 0 -j ACCEPT
$IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 1001 -j ACCEPT
$IPTABLES -A oem_out_wrigley_other -m owner --uid-owner 2000 -j ACCEPT
$IPTABLES -A oem_out_wrigley_other -j REJECT
#### filter FORWARD ####
# We only want forwarding in BP Tools Mode.
case $(getprop ro.bootmode) in
bp-tools)
# Only allow forwarding on non-sensitive ports. There are more
# non-sensitive than sensitive ports, and the non-sensitive list is fairly
# dynamic. So, do a blacklist instead of a whitelist.
$IPTABLES -F oem_fwd_wrigley # No-op on 1st inst of this script
$IPTABLES -N oem_fwd_wrigley # No-op on 2nd-Nth inst of this script
$IPTABLES -A oem_fwd -d 192.168.20.2 -j oem_fwd_wrigley
$IPTABLES -A oem_fwd -s 192.168.20.2 -j oem_fwd_wrigley
$IPTABLES -A oem_fwd_wrigley -p tcp --dport 3265 -j REJECT
$IPTABLES -A oem_fwd_wrigley -p tcp --dport 3267 -j REJECT
$IPTABLES -A oem_fwd_wrigley -p tcp --dport 11000 -j REJECT
$IPTABLES -A oem_fwd_wrigley -j ACCEPT
;;
*)
$IPTABLES -A oem_fwd -d 192.168.20.2 -j REJECT
;;
esac
#### nat PREROUTING ####
case $(getprop ro.bootmode) in
bp-tools)
# We must rewrite the destination address for our SUAPI logger port to the
# address of the BLAN, because legacy tools (RTA/PST) rely on this.
$IPTABLES -t nat -A oem_nat_pre -p tcp -d 192.168.16.2 --dport 11006 -j DNAT --to 192.168.20.2:11006
;;
esac