Administering the router and firewall on your phone while usb tethering.

dobey

@ublique said in Administering the router and firewall on your phone while usb tethering.:

Is it even possible to have a shell into the phone while USB tethering?

If you set up ssh on your phone, you should be able to use that over the RNDIS connection to the computer, yes.

ublique

Hi @dobey, thanks. Got it ssh over RNDIS to the phone working eventually.

I'm going to be traveling with phone and laptop soon and now that I have an ssh shell into the phone it would be great to have visibility and control over firewall (if activated) and router functions.

nmcli c run in the shell is a start on this.

It gives visibility of NAME, UUID, TYPE and DEVICE for each connection active on the phone.

If anyone has any suggestions or outline for the next steps it would be appreciated.

Is it possible to run a socks server in a libertine container, for example, and route internet traffic through it?

Are there pre-configured containers available anywhere that might provide the functionality I'm looking for?

Could I run some kind of (preferably graphical) network monitoring or network administration software, on the phone (or in a libertine container), and pipe the output back to a window on the laptop over ssh?

btw, I wasn't going to say this, but as an early donator to the project I really appreciate getting occasional support on this forum. I haven't always been using ubports myself, but I've always been supporting someone around me using it. In the last couple of years I've twice had a question answered by people directly connected to ubports here. It reflects well on everyone connected to the project imo.

ublique

I'll post an update - maybe people are interested in this topic.

Here are the results when I run sudo ufw status in the terminal app on the phone.

phablet@ubuntu-phablet:~$ sudo ufw status
WARN: uid is 0 but '/etc' is owned by 1234
WARN: /etc is group writable!
WARN: uid is 0 but '/' is owned by 1234
WARN: / is group writable!
WARN: uid is 0 but '/usr' is owned by 1234
WARN: /usr is group writable!
Status: inactive

I'm wondering do these warnings mean that ufw won't run properly.

Any suggestions for further investigations appreciated

Pulsar33

@ublique said in Administering the router and firewall on your phone while usb tethering.:

Could I run some kind of (preferably graphical) network monitoring or network administration software, on the phone (or in a libertine container)

Something like that ?, Yes you can

BR
Pulsar33

ublique

@pulsar33 I'm picturing you marching in to save this thread, singing La Marseillaise

Is that some kind of a netstat gui? With a system monitor gui, it looks like.

Are they both running in the same Libertine container?

Maybe instead of asking a lot of questions, I should let you explain what's going on in this picture

Pulsar33

@ublique
Well, what you see is my BQ E5 HD in windowed mode with LXterminal, Gnome System Monitor and yes, a netstat GUI running in the same Libertine container. On the top of that, you have the internet browser running normally, outside the Libertine container.
Gnome System Monitor displays the whole cpu, memory and network activities. The netstat GUI captures and displays the whole TCP+UDP traffic according to my choice, in real time, showing the IP as well as the host of each access. What is important to see is that this includes the internet browser traffic, as well as the underlying push inquiries of the system, all running outside the Libertine container.
Unfortunately, I didn't test this with USB Tethering because I've no SIM card on this phone, but there's a high probability that it could work as well. And last, I tried to install Wireshark but this wasn't possible (see this thread).
Good evening
Pulsar33

ublique

@pulsar33 Thanks for posting that - when I get a moment it will be studied.

I pieced together this messy temporary solution this week:

Set up ssh access from your phone to your laptop according to the docs.

I then followed this post to get tcpdump running on the phone. https://forums.ubports.com/topic/5812/start-ubuntu-com/6?_=1634461039106#

Then, while online and tethering, log into the phone through ssh.

Start tcpdump on the phone and pipe the output back to wireshark (on the laptop) via the ssh connection.

The process is referred to in this tweet https://twitter.com/climagic/status/1222597955858857984?lang=en where the tcpdump output is piped back to etherape , except there are some changes to be made to the command due to UBports architecture.

I've got it working, but would greatly appreciate thoughts on what is the most correct way to do this longterm, while usb tethering. Is it a security risk to run tcpdump as root on the phone on an ongoing basis while usb tethering?

ublique

So @pulsar33 could you briefly outline the steps for an average linux user to get your Libertine container set up and working? Anything would be helpful.

This is the only method I have succeeded with:

First set up and configure ssh according to the help files.

Then follow the guide from the forum, linked in the last post, to install tcpdump on the phone.

While tethered over the RNDIS connection to the phone, On the pc run these commands to set up a file called CAP for traffic capture

$ mkfifo /tmp/CAP

Then start etherape as root on the PC

$ sudo etherape -m ip i- any -r /tmp/CAP

Then, from the pc, start tcp dump as root on the phone, and send the tcpdump data back to the CAP file on the pc.

$ ssh phablet@ubuntu-phablet "echo PASS | sudo -S tcpdump -s 0 -U -n -w - -i any not port 22" > /tmp/CAP

Etherape then displays this data in this CAP file "live".

In the last command, PASS represents the phone PIN, necessary to run tcpdump as root on the phone.

continued...........

ublique

......continued

Are there any obvious security vulnerabilities when using the above 3 commands?
Is it a risk to send the phone pin over ssh to the phone like above?
Is running tcpdump as root on the phone a risk?

Apologies for so many questions, all comments appreciated.

Honestly, I don't know why visibility of network connections isn't given more importance in general computing. When trying to configure a VPN and firewall, for example, instant visibility of connections has been extremely helpful. I feel like I was blind before.

Don't worry guys, my next post isn't going to be "Why is my phone connecting to XXX constantly?"

Pulsar33

@ublique : I answer as soon as I can, sorry for the delay
BR
Pulsar33

ublique

@pulsar33 no problem, take your time. This is a relaxed thread

If it's more convenient, write it in your first language and we can translate.

Pulsar33

@ublique said in Administering the router and firewall on your phone while usb tethering.:

So @pulsar33 could you briefly outline the steps for an average linux user to get your Libertine container set up and working? Anything would be helpful.

So, the OP was not Libertine specific and this was only one suggest on which I bounced. Well, I'm afraid not to have as many knowledge as you expect but I hope to be an average Linux user

For the Libertine part, I think that what I will say would be in a better place in the Libertine category. So, I will just insert a link here pointing to Gently setup a Libertine container and some applications

For the main subject, I thought at the begining that you wanted a graphical management of the communications displayed on the phone while your laptop were accessing the internet through usb tethering. Reading your further developments, it seems that you prefer a GUI on laptop side. I think that some people have a better knowledge than me to guide you this way.

BR
Pulsar33