[Q] [ask a question]how to add a iptable rules in android? - Android Q&A, Help & Troubleshooting

Hi, all,
I want to add a iptable ruler in android phone. I use iptables -t nat -A PREROUTING -p 6 -d 192.168.66.1 --dport 80 -j DNAT --to 192.168.66.1:8080 after run su in my rooted phone
This ruler can be checked in adb shell: iptables -t nat -nL
hain PREROUTING (policy ACCEPT) target prot opt source destination idletimer_nat_PREROUTING all -- 0.0.0.0/0 0.0.0.0/0 DNAT tcp -- 0.0.0.0/0 192.168.66.1 tcp dpt:80 to:192.168.66.1:8080 I want to keep this information after phone reset. So I add an iptables file in /etc/sysconfig (the path information come from pc linux system)
Its content is:-t nat -A PREROUTING -p 6 -d 192.168.66.1 --dport 80 -j DNAT --to 192.168.66.1:8080
Ater phone reset, no rules is added.
I don't know whether android support this path: /etc/sysconfig/iptables. This path come from pc linux. (/etc/iptables/rules.v4 is tested too, not work)
At the same time, I also don't know whether its content is right.
My testing phone cannot be rooted in the future. We only can custom our Rom.
So if you know how to add this rule in no rooted phone, that is ok for me too.
Anyone can help me about this?
Thanks very much in advance.

Related

[Q] AfWall+, how to allow Kernel to connect to a specific IP

I have Treema installed and the latest version of AfWall+
I use this custom script: http://forum.xda-developers.com/showpost.php?p=40513649&postcount=852 to allow GCM for push notifications from Threema.
But this not work. I still have problems with pushnotifications from threema. Now i see in the AfWall+ Log that Kernel want to Connect to a IP from threema.
What must i write in the custom script to allow Kernel to connect to a specidic ip like 109.205.171.171 ?
My current Custom Script is this:
Code:
$IPTABLES -I "afwall" -p udp --dport 5228:5230 -j RETURN || exit
$IPTABLES -I "afwall" -p tcp --dport 5228:5230 -j RETURN || exit
Perhaps something like the owner uid match option. Look up the man pages for iptables and iptables-extensions, should provide you with some more insight.
Code:
$IPTABLES -A OUTPUT -d 109.205.171.171 -m owner --uid-owner 0-999999999 -j ACCEPT
Sorry my knowing about iptables are zero
Kernel have the app id -1
Should this correct?:
Code:
$IPTABLES -A OUTPUT -d 109.205.171.171 -m owner --uid-owner -1 -j ACCEPT
i dont want to allow the kernel for all. only for one ip.

[Q] Networking question

Hi All,
I have a stupid Juniper VPN device at work which does not support 64 bit linux clients using netconnect. I have found ways around this previously, but now we are setting up 2 factor auth which throws a lot of javascript into the mix, making the scripts I used pretty much obsolete. The Junos pulse client works well for android, so I am thinking I want to use an android device as a router. Connecting to the VPN and using wifi tethering does not work, same with USB tethering does not work, and those are not exactly what I want anyway.
So basically I want to be able to connect my android device to my wifi here at home, connect to the VPN on it, run a script to do my setup on the Android device, lastly add a route on my client pc to tunnel through the android device. here is what I tried so far on the device:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
ip rule add from all to 10.0.0.0/8 fwmark 0x3c lookup 60
and on the client PC:
Code:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.29
where 192.168.1.29 is the IP of my android device, and 10.0.0.0/8(I know its lazy) is the IP range I want to go through tun0 on the device. This is however not working.
The only thing I need to do on a standard linux box to do this would be:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
And setup the same route command on the client but point it at the linux box instead. This currently works, but when we decide to flip the switch and use the 2 factor auth only I will not be able to make it work on a standard linux box, but 2 factor does work on android via the Junos app.
I fear I am missing something simple in Android land, please help...

[Q] how can i add a iptables rule in a rom?

hi, all
I want to add a iptables rule in Rom so that it can take effect after android phone is reset. But i don't know how to do it. I have a chance to ask rom factory to custome a rom for me. I want to make it clear
firstyly in my side so that i can tell factory guys very clearly. By now, I don't know how to do.
my iptables commadn is: iptables -t nat -A PREROUTING -p 6 -d 192.168.66.1 --dport 80 -j DNAT --to 192.168.66.1:8080
after that, i create and append -t nat -A PREROUTING -p 6 -d 192.168.66.1 --dport 80 -j DNAT --to 192.168.66.1:8080 into a /etc/iptables/rules.v4 or /etc/sysconfig/iptables.
After phone reset, no rules is set.
Anyone can tell me how to do it?
thanks very much in advance.
br

[SOLVED] Weird NAT issues when trying to tether via VPN

Hi, I recently wrote a program in C/C++ which allows me to tunnel over ICMP (my carrier stupidly allows ICMP traffic over 3g with the right APN )
All works fine if im using it from the phone, using the NDK compiled binary.
Also works fine if im not running the tunnel from my phone and just tethering via usb/wifi/bt and running the tunnelling program on the device tethered to my s3
What I'm trying to achieve is: run the tunnelling prog on the phone, and set up some iptables rules to forward rndis0/wlan0/bt-pan to tun0 so that I can use the tunnelled connection simultaneously on the phone and on whatever other devices are tethered to the phone.
Problem is, whilst running the program on the phone, I can access all sites/ips fine, but the connection provided to the tethered devices with the iptables rules is flaky at best, and simply will not connect to some sites at all
Possibly netmask issue?
Assuming my default gateway on the phone is set to the tunnel endpoint, here are the iptables rules I am using to NAT the tetherable interfaces:
iptables -F natctrl_FORWARD
iptables -A FORWARD -o tun0 -i bt-pan -s 192.168.44.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o tun0 -i wlan0 -s 192.168.43.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o tun0 -i rndis0 -s 192.168.42.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
strangely I can ping ok, and access sites like google and facebook but most other sites will not load.
Have done tracepath so I know the packets are going through the tunnel.
Anyone able to shed any light on this?
Alternatively, could it be possible to edit the default tethering scripts on the s3 to use the tun0 device instead of rmnet0 ? Will search them and try
Going to roll my NDK executable into a shared library and make it into a paid app.
Used 10gb in 2 days on a SIM which has never and will never have credit. Also works whilst roaming!
Jamie
Issue was that the MTU of wlan0/bt-pan/rndis0 was larger than that of the tunnel, causing packets to fragment. Lowered mtu and problem solved, working beautifully now

[Q] Enforcing AFWall+ custom iptables on cellular network

Not sure if this is the best sub to be asking this.. I recently rooted by pixel 3A (Android 10, ) using Magisk 20.4 (w/ manager 8.0.2). I've installed AFWall+ with the intention of running a custom script that forces the device to use OpenDNS servers. This is based on a tutorial I followed from here (which seems a bit outdated)
su
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.123:53
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.123:53
iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.123:53 || true
iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.123:53 || true
iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.123:53
iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.123:53
This setup works well over wifi, tested rebooting, changing networks, etc. and it works well. My problem is that these rules are not applied over my cellular network (LTE). Most of the questions regarding this seem outdated and not applicable. I don't have to use iptables either, just seemed like the most logical method, ideally want I want to do is enforce a set DNS across all connections that can't be easily disabled within android settings. Any pointers appreciated!

Categories

Resources