
Does Replicant 6.0 have iptables?

Added by Alexand(er|ra) Yst over 4 years ago

I've finally gotten a replacement battery for my device so it can hold a charge without remaining in aeroplane mode all the time, so I'm getting everything set back up as I had it on Replicant 4.2 to keep communications private in preparation to actually get service on this thing again.

On Replicant 4.2, I used an application called orWall, which used iptables to block all outgoing traffic except that which it was configured to allow out, which it tunnelled through Orbot's Tor proxy. However, when I run orWall on Replicant 6.0, I get an error message telling me that iptables doesn't seem to be initialised. Does Replicant 6.0 even have iptables? If so, are there any known reasons it might not be getting initialised correctly that I should check for?
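A concrete form of the orWall-style policy the post describes (deny all outgoing traffic, admit only what is routed through Orbot's Tor proxy), as an added example that is not from the thread, orWall or Orbot: it emits an iptables-restore ruleset, with Orbot's uid and its TransPort/DNSPort as assumed parameters, plus a check for the "iptables not initialised" symptom.

```shell
#!/bin/sh
# Added example, not code from the thread, orWall or Orbot. Emits an
# orWall-style egress policy in iptables-restore format: every app except
# Tor itself is transparently redirected into Tor, and anything that is
# not TCP-or-DNS-via-Tor is dropped. Assumed inputs: Orbot's uid, its
# TransPort and its DNSPort (9040 and 5400 are Orbot's usual defaults).
tor_ruleset() {
  tor_uid="$1"; trans_port="$2"; dns_port="$3"
  cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
# Tor's own connections and loopback traffic must not be redirected
-A OUTPUT -m owner --uid-owner ${tor_uid} -j RETURN
-A OUTPUT -o lo -j RETURN
# DNS from every other app goes to Tor's DNSPort
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports ${dns_port}
# every other new TCP connection goes to Tor's transparent proxy
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports ${trans_port}
COMMIT
*filter
:OUTPUT DROP [0:0]
# after REDIRECT the packet leaves via lo, so this also admits proxied flows
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${tor_uid} -j ACCEPT
# anything left (non-DNS UDP, ICMP, ...) falls to the DROP policy
COMMIT
EOF
}

# The thread's actual question: is iptables usable on this device at all?
# Returns 0 when an iptables binary is on PATH, we are root and the nat
# table can be listed; otherwise prints the first failing reason and returns 1.
iptables_ready() {
  command -v iptables >/dev/null 2>&1 || { echo "no iptables binary on PATH"; return 1; }
  [ "$(id -u)" -eq 0 ] || { echo "not running as root (run via su)"; return 1; }
  iptables -t nat -L OUTPUT -n >/dev/null 2>&1 || { echo "nat table not available"; return 1; }
  return 0
}
```

Check that the ruleset parses with `tor_ruleset UID 9040 5400 | iptables-restore --test` before applying it from a root shell (Orbot's uid is shown by `dumpsys package org.torproject.android | grep userId`). This covers IPv4 only; apply a matching ip6tables policy, or drop IPv6 outright, so nothing leaks around Tor.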


Replies (8)

RE: Does Replicant 6.0 have iptables? - Added by Andrés D over 4 years ago

Have you given root access to Orwall? You first need to allow root for apps in the development configuration menu.

RE: Does Replicant 6.0 have iptables? - Added by Alexand(er|ra) Yst over 4 years ago

I was going to be *so* embarrassed if the problem had turned out to be that I hadn't given root access to orWall ...

Anyway, the configuration option in the development menu is set to allow both applications and ADB to be allowed root access, and when I checked to see which applications have been given root access, I found that not only does orWall have root access, but it's actively used it 23 times, so it's definitely been making use of it.

RE: Does Replicant 6.0 have iptables? - Added by Kurtis Hanna over 4 years ago

This doesn't answer your question about iptables, but I wanted to quickly note that OrWall hasn't been developed for 3 years now and it was announced that the project is End Of Life (EOL): https://twitter.com/orWallApp/status/739842158010716160 I think that it is suggested to use OrBot's VPN option from now on. Some more discussion about it can be found here: https://guardianproject.info/2017/10/27/no-more-root-features-in-orbot-use-orfox-vpn-instead/

RE: Does Replicant 6.0 have iptables? - Added by Alexand(er|ra) Yst over 4 years ago

The problem with Orbot's VPN is that it's only available in newer versions of Orbot, which are nonfree. I could recompile without the nonfree parts, except that I've never managed to get a Replicant application development environment working any time I've tried to set one up. I'm not sure what I'm doing wrong, but for now, editing and recompiling applications is off the table.

That's disappointing that orWall has reached its end of life. I guess it's not compatible with Replicant 6.0 for some reason, and that won't be fixed. It's looking like I need to downgrade to Replicant 4.2, honestly. I mean, I use my mobile for two things: network access and music. Without a way to secure network access, I can't connect the thing to the network. And Replicant 6.0 is also refusing to read my SD card, as I mentioned in another thread, meaning I don't have access to my music library either.

While this is only two problems, and one of the problems isn't even Replicant's fault, it still covers one hundred percent of my use case. As much as I was excited to upgrade, this upgrade has made my device useless to me.

RE: Does Replicant 6.0 have iptables? - Added by Kurtis Hanna over 4 years ago

Alexand(er|ra) Yst wrote:

> The problem with Orbot's VPN is that it's only available in newer versions of Orbot, which are nonfree.

Can you please provide more information about this? If true, this means that we can't trust the Guardian Project repo in F-Droid.

> That's disappointing that orWall has reached its end of life. I guess it's not compatible with Replicant 6.0 for some reason, and that won't be fixed. It's looking like I need to downgrade to Replicant 4.2, honestly. I mean, I use my mobile for two things: network access and music. Without a way to secure network access, I can't connect the thing to the network. And Replicant 6.0 is also refusing to read my SD card, as I mentioned in another thread, meaning I don't have access to my music library either.

Downgrading to 4.2 will expose you to a lot of unpatched security vulnerabilities. This should be avoided if at all possible. If AFWall+ works with Tor perhaps we could look into getting rid of the nonfree parts of AFWall+. I was reading this recently: https://infosec-handbook.eu/blog/afwall-tor/ I think former Replicant contributor Jookia was working on getting AFWall+ to work with Tor.

> While this is only two problems, and one of the problems isn't even Replicant's fault, it still covers one hundred percent of my use case. As much as I was excited to upgrade, this upgrade has made my device useless to me.

Hopefully we can help you get these two issues figured out so that you can keep up to date with the most recent Replicant versions.

RE: Does Replicant 6.0 have iptables? - Added by Andrés D over 4 years ago

Alexand(er|ra) Yst:

The F-droid repository for orWall says:
"Limitations: init-script works only on Android <= 4.4.x"
In addition, as Kurtis says, orWall has not been updated for three years, so I would not recommend using it anyway (you would need an unfixed Android with a probably broken and unfixed firewall).
I'm also more interested in what you said about newer versions of Orbot being non-free.

RE: Does Replicant 6.0 have iptables? - Added by Alexand(er|ra) Yst over 4 years ago

> Alexand(er|ra) Yst wrote:
>
> > The problem with Orbot's VPN is that it's only available in newer versions of Orbot, which are nonfree.
>
> Can you please provide more information about this? If true, this means that we can't trust the Guardian Project repo in F-Droid.

The newer versions of Orbot contain images that use the -NC clause in their Creative Commons license, making them non-free. If I could get a working build environment set up, these would be the easiest thing in the world to replace. For all I care, I could just use white squares with enough black text to tell what the image was for when meant as a button. But until I can do that, these new versions of Orbot are off the table for me.

> > That's disappointing that orWall has reached its end of life. I guess it's not compatible with Replicant 6.0 for some reason, and that won't be fixed. It's looking like I need to downgrade to Replicant 4.2, honestly. I mean, I use my mobile for two things: network access and music. Without a way to secure network access, I can't connect the thing to the network. And Replicant 6.0 is also refusing to read my SD card, as I mentioned in another thread, meaning I don't have access to my music library either.
>
> Downgrading to 4.2 will expose you to a lot of unpatched security vulnerabilities. This should be avoided if at all possible. If AFWall+ works with Tor perhaps we could look into getting rid of the nonfree parts of AFWall+. I was reading this recently: https://infosec-handbook.eu/blog/afwall-tor/ I think former Replicant contributor Jookia was working on getting AFWall+ to work with Tor.

I understand it's not ideal, and I understand it's a security risk. But think of it this way: by downgrading, I'm getting at least some use out of the device, while by not downgrading, the thing is a useless piece of junk to me. It'd be more secure, but it'd also be sitting, likely with its battery beside it, on a shelf in my closet.

> > While this is only two problems, and one of the problems isn't even Replicant's fault, it still covers one hundred percent of my use case. As much as I was excited to upgrade, this upgrade has made my device useless to me.
>
> Hopefully we can help you get these two issues figured out so that you can keep up to date with the most recent Replicant versions.

I would love to have the updated Replicant version, despite the weird quirks it has, such as requiring me to open the USB menu every time I plug the device into my laptop and tell it *again* that I want it to use MTP. Replicant 4.2 let me tell it once and be done with it. But even with the quirks, the better security and the ability to run newer software would more than make up for it as long as I can secure my connection (and get my SD card to function properly, which I'm working on in another thread).

> Alexand(er|ra) Yst:
>
> The F-droid repository for orWall says:
> "Limitations: init-script works only on Android <= 4.4.x"
> In addition, as Kurtis says, orWall has not been updated for three years, so I would not recommend using it anyway (you would need an unfixed Android with a probably broken and unfixed firewall).
> I'm also more interested in what you said about newer versions of Orbot being non-free.

Ah, so that's the problem. orWall specifically doesn't work after 4.4.x. Anyway, I'm aware the situation isn't ideal, but not blocking traffic at all is even less secure than having the old system installed. So many applications like to leak data.

As for Orbot, newer versions use nonfree images. I talked to someone years ago, I forget whether it was the Guardian Project or the Tor Project, but they said that since the -NC clause fits well with the Tor Project's trademark policy, they weren't going to fix the images. That makes the newer versions of Orbot nonfree, unless you roll a custom version with those images removed.

RE: Does Replicant 6.0 have iptables? - Added by Kurtis Hanna over 4 years ago

Can you provide a citation for the images in Orbot that carry the -NC clause? I was told that CC has deprecated the -NC license.

Why is AFWall+ not an option for you? It is regularly getting security fixes and has similar functionality to Orwall now. Also, Orwall has been reported to work just fine on Replicant 6, even though it isn't actively being updated.

This is the first I'm hearing about the USB menu popping up every time. I'll be flashing my S2 with our most up to date Replicant 6 experimental version soon since I have to test out the ethernet functionality, so I can look into this then.

Lastly, it seems like we should open an issue on our tracker related to the S2 SD card functionality. I'll be testing this out as well once I flash the new Replicant image on it.
