@mhavrlent
Last active August 31, 2023 08:42

How to build your own OpenPLi image for VU+ box with iptables support

Note: The following was tested only with a vuzero box, but it should also work with any other VU+ box; just set MACHINE in the commands below to one of the supported OpenPLi machines.

Install dependencies

Note: Tested on Ubuntu 18.04

sudo apt-get install sed wget cvs subversion git-core \
coreutils unzip texi2html texinfo docbook-utils \
gawk python-pysqlite2 diffstat help2man make gcc build-essential g++ \
desktop-file-utils chrpath sshpass openjdk-11-jre python3-distutils \
libncurses5-dev libncursesw5-dev

Clone the OpenPLi repository

git clone https://github.com/OpenPLi/openpli-oe-core

Switch to some release branch or stay on develop (default)

cd openpli-oe-core
git checkout release-7.1

Build the image

MACHINE=vuzero make image

If the build is successful, you can continue with the next steps.

Remove opera-browser from the machine config

Note: This is to prevent errors such as: "opera-hbbtv_20180316_1.tar.gz: Cannot open: No such file or directory".

More info here: https://forums.openpli.org/topic/58631-cant-build-hbbtv/

Open the following file with your favorite editor:

meta-vuplus/conf/machine/vuzero.conf

Change this line:

MACHINE_FEATURES += "hbbtv ctrlrc vupluszap opera-browser"

To:

MACHINE_FEATURES += "hbbtv ctrlrc vupluszap"

Compile kernel with iptables

Go to the build dir and source the env file

cd build
source env.source

Enable iptables in kernel config

Note: Kernel version at the time of writing was 3.13.5. Replace the version with your version.

Edit kernel config with your favorite editor:

meta-vuplus/recipes-bsp/linux/linux-vuzero-3.13.5/vuzero_defconfig

and add the following to the config:

CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_ACCT=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_HMARK=y
CONFIG_NETFILTER_XT_TARGET_LOG=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_NFACCT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y

Note: I built them into the kernel, but it should also work with modules. Warning: if you build them as modules, bitbake should automatically create a separate ipk for each module, which means you need to install all of those ipks and load the modules with modprobe or insmod before using them. I find it easier to build them into the kernel.
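
An added check (not part of the gist) that a defconfig really carries the options firewall.sh below depends on, before spending a kernel rebuild on it, plus the same check at runtime against /proc/net/ip_tables_matches. The list of required options is my assumption, derived from the rules firewall.sh uses; it includes CONFIG_IP_NF_FILTER, which provides the filter table and is not named in the list above, so confirm it is already set in your defconfig.

```shell
#!/bin/sh
# Added example (not from the gist): check a vuzero_defconfig for the netfilter
# options that firewall.sh from this gist relies on, before spending a kernel
# rebuild on it. Usage: sh check_netfilter.sh <path-to-defconfig>
#
# Assumed minimum: the options below cover iptables itself, the filter table
# (CONFIG_IP_NF_FILTER, which the gist's list does not mention explicitly) and
# the conntrack match used by "-m conntrack --ctstate ESTABLISHED,RELATED".
REQUIRED_OPTIONS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# Print each required option that is neither =y nor =m in the defconfig.
# Returns 0 when nothing is missing, 1 otherwise.
missing_options() {
    defconfig="$1"
    status=0
    for opt in $REQUIRED_OPTIONS; do
        if ! grep -Eq "^${opt}=[ym]$" "$defconfig"; then
            echo "$opt"
            status=1
        fi
    done
    return $status
}

# Runtime counterpart for the flashed box: every match firewall.sh uses must
# appear (one name per line) in /proc/net/ip_tables_matches, or iptables
# fails with "No chain/target/match by that name".
missing_matches() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    status=0
    for m in conntrack tcp; do
        grep -qx "$m" "$matches_file" || { echo "$m"; status=1; }
    done
    return $status
}

# Stand-alone run: report the missing options for the defconfig given on the
# command line (nothing runs when the file is sourced without arguments).
if [ -n "${1:-}" ]; then
    missing_options "$1" && echo "$1: all required netfilter options present"
fi
```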

Compile the new kernel

If you want to know what each option does, run bitbake --help. In short, -C compile invalidates the stamp of the kernel recipe's compile task and -f forces the tasks to run again, so the kernel is rebuilt with the new config.

MACHINE=vuzero bitbake -C compile -f linux-vuzero

Rebuild image with your new kernel

MACHINE=vuzero bitbake openpli-enigma2-image

Now you have your new image in the tmp/deploy/images/vuzero directory, e.g. openpli-enigma2-homebuild-vuzero_usb.zip

Build feeds

You need this because you just built a custom (non-genuine) image, so the box needs its own feeds.

MACHINE=vuzero bitbake openpli-enigma2-feed

Setup your own feed server

You need to install Apache or some other web server and serve the deploy directory so that your box can access it.

I have a directory /u1/feeds/openpli-homebuild on my server where I copied the content of the tmp/deploy/ipk directory. I created a symlink to /srv/http and started the httpd server on my NAS (Arch Linux).

ln -s /u1/feeds /srv/http/
systemctl enable httpd.service
systemctl start httpd.service

Flash your new image

Unpack your image (zip) to a FAT32 formatted USB drive, put it into the box and flash it.

Change feed server on your VU+ box

Telnet to the box and read the /etc/opkg/*.conf files to see the feed server URL that you need to create on your feed server. In my case:

cat /etc/opkg/vuzero-feed.conf

src/gz openpli-vuzero http://nas/feeds/openpli-homebuild/vuzero

Modify these files to match the URL of your feed server, or change your feed server to match these URLs.

Setup iptables on your VU+ box

Telnet to the box and run the following commands:

opkg update
opkg install iptables

Check if iptables are working

iptables -L

Check if you have all the iptables matches that you require

cat /proc/net/ip_tables_matches

Create a simple firewall script and run it

Example (firewall.sh):

#!/bin/sh
# flush any existing rules
iptables -F
# default policy rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# allow everything from loopback interface
iptables -A INPUT -i lo -j ACCEPT
# allow ssh from everywhere
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow connections we initiated
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections from nas
iptables -A INPUT -p tcp -s 192.168.2.56 -j ACCEPT
# allow connection from laptop
iptables -A INPUT -p tcp -s 192.168.2.5 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.2.6 -j ACCEPT

Use cron or screen to run the script

If you accidentally lock yourself out of your box, just restart it. Once the script is working for you, create your own sysv init file in /etc/init.d/yourscript and make it executable. Then create a symlink from /etc/init.d/yourscript to /etc/rc3.d/S01yourscript.
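
An added example (not from the gist) of the sysv init script described above: it applies the same rules as firewall.sh, but switches the INPUT policy to DROP only after the allow rules are in place, and adds a "try" mode that reverts the rules after 120 seconds so a wrong rule cannot lock you out permanently. The trusted addresses are the ones from firewall.sh; the pid file path is my assumption.

```shell
#!/bin/sh
# /etc/init.d/firewall: added example of the sysv init script the gist asks you
# to create (not from the gist). Same rules as firewall.sh, but the INPUT policy
# is switched to DROP only after the allow rules are in place, and a "try" mode
# reverts everything after 120 s so a bad rule cannot lock you out for good.
# Assumed trusted hosts, taken from firewall.sh (NAS and two laptops).
TRUSTED_HOSTS="192.168.2.56 192.168.2.5 192.168.2.6"
GUARD_PID=/var/run/firewall-guard.pid    # assumed location for the try-mode guard

# Print the iptables commands in a lockout-safe order (nothing runs here).
fw_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT ACCEPT"      # stay open while the chain is rebuilt
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for host in $TRUSTED_HOSTS; do
        echo "iptables -A INPUT -p tcp -s $host -j ACCEPT"
    done
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P INPUT DROP"        # policy last, after every allow rule
}

# Commands that return the box to the fully open state it boots with.
fw_open() {
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -F"
}

fw_main() {
    case "$1" in
        start)   # cancel a pending revert from "try", then apply for real
            [ -f "$GUARD_PID" ] && kill "$(cat "$GUARD_PID")" 2>/dev/null
            rm -f "$GUARD_PID"
            fw_rules | sh -e ;;
        try)     # apply, but revert after 120 s unless "start" is run first
            fw_rules | sh -e
            ( sleep 120; fw_open | sh ) &
            echo $! > "$GUARD_PID" ;;
        stop)    fw_open | sh ;;
        restart) fw_open | sh; fw_rules | sh -e ;;
        *)       echo "Usage: $0 {start|try|stop|restart}" >&2; exit 1 ;;
    esac
}

# Dispatch only when called with an argument, so the functions above can be
# sourced and checked without touching the live rule set.
[ $# -eq 0 ] || fw_main "$@"
```

Test a rule change with "/etc/init.d/firewall try" from your telnet session; if you are still connected two minutes later, run "start" to keep it, otherwise wait for the automatic revert instead of rebooting.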

Enjoy!
