Hello together,
I have a question about iptables on Android. I have some rooted smartphones and I would like to block some IP address ranges for wifi, mobile, and VPN. I don't want to have an app for this, because the phones are for a company and the users should not uninstall firewall apps like AFWall and so on.
So is there a way to write a bash file, maybe, and also start it after a reboot like in Linux?
Hope someone can help me.
thanks ...
micky1067
Custom iptables rules
This assumes that you have iptables (netfilter) in your kernel. You can write a bash script and put it into init to load at startup; however, in Android the starting of the network devices zeroes all the rules, so that would also need to be changed. In addition, a program like AFWall uses iptables to run, so you would need to make sure that you do not conflict with it. Any other firewall that does not use iptables will only be on top of this.
The way to do this is to make your own set of rules (chains) which are not touched by the other programs and load them in first. iptables chains work by processing the rules in order: if a packet is matched, the rule is executed, and if not, it continues, so as long as there is no rule to block everything the chain only adds. For example, to block local addresses on wifi, facebook on 4G, and VPN on both, do this:
1. $IPTABLES -N mychain
2. $IPTABLES -A mychain -o wlan+ -d 10.0.0.0/8 -j DROP   # wifi: outgoing packets (-o) to 10/8
3. $IPTABLES -A mychain -i wlan+ -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP   # wifi: incoming packets (-i) from all of 172.16/12
4. $IPTABLES -A mychain -i rmnet+ -s 185.60.216.35 -j DROP   # 4G: from one facebook address
5. $IPTABLES -A mychain -o rmnet+ -d 157.240.20.35 -j DROP   # 4G: to one facebook address
6. $IPTABLES -A mychain -p tcp -m multiport --sports 500,1194 -j REJECT --reject-with tcp-reset   # multiport needs -p and --sports/--dports; tcp-reset is tcp-only
7. $IPTABLES -A mychain -p tcp -m multiport --dports 500,1194 -j REJECT --reject-with tcp-reset
8. $IPTABLES -I INPUT 1 -j mychain && $IPTABLES -I OUTPUT 1 -j mychain   # jump to our chain before any other rule
Explanation:
1. makes a new chain, or set of rules.
2-3. add rules to the chain using the interface (-i) (wifi), one rule for destination (-d) and another for source (-s), to drop.
4-5. add rules to the chain using the interface (-i) (4G), one rule for destination (-d) and one rule for source (-s), to drop (blocks only one of facebook's addresses).
6-7. add rules for the OpenVPN protocols (-m multiport) to reject with a reset packet.
8. inserts the chain so that it is used first in iptables.
You can also use REJECT instead of DROP, but when and if to use DROP or REJECT is outside the scope of this post. You can also specify your internet interfaces instead of using the generic ones.
For more information see the iptables man pages and tutorial and the wiki of AFWall.
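As an added example, not code from the thread: a loader script that an init.d or boot-completed hook could run to create this kind of private chain idempotently, so it can be re-run after Android's network start has zeroed the tables without stacking duplicate jumps or touching AFWall's chains. It assumes /system/bin/iptables (override with IPTABLES), wlan+/rmnet+ as the wifi and mobile interface names, and an iptables build that supports -C; the addresses are the ones from the post above.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Boot-time loader for a private chain on a
# rooted device: run it from init.d or a boot-completed hook as root. Assumes the iptables
# binary path below and wlan+/rmnet+ as the wifi and mobile interface names.
IPTABLES="${IPTABLES:-/system/bin/iptables}"
CHAIN="mychain"

# Argument lists for our chain, one rule per line. Destination rules use -o (outgoing
# interface), source rules use -i, so each matches in the hook chain where it makes sense.
chain_rules() {
  cat <<'EOF'
-o wlan+ -d 10.0.0.0/8 -j DROP
-i wlan+ -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
-i rmnet+ -s 185.60.216.35 -j DROP
-o rmnet+ -d 157.240.20.35 -j DROP
-p tcp -m multiport --dports 500,1194 -j REJECT --reject-with tcp-reset
-p udp -m multiport --dports 500,1194 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Print the commands instead of running them, for review on a machine without root.
render_commands() {
  printf '%s -N %s\n%s -F %s\n' "$IPTABLES" "$CHAIN" "$IPTABLES" "$CHAIN"
  chain_rules | while IFS= read -r args; do
    printf '%s -A %s %s\n' "$IPTABLES" "$CHAIN" "$args"
  done
  for hook in INPUT OUTPUT; do
    printf '%s -I %s 1 -j %s\n' "$IPTABLES" "$hook" "$CHAIN"
  done
}

# Idempotent apply: (re)create and flush our chain, reload its rules, then make sure the
# jump from INPUT/OUTPUT exists exactly once at position 1. Re-running after Android's
# network restart has zeroed the tables therefore never stacks duplicate jumps.
apply_rules() {
  "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
  "$IPTABLES" -F "$CHAIN" || return 1
  chain_rules | while IFS= read -r args; do
    # shellcheck disable=SC2086  # word splitting of $args is intended
    "$IPTABLES" -A "$CHAIN" $args || exit 1
  done || return 1
  for hook in INPUT OUTPUT; do
    "$IPTABLES" -C "$hook" -j "$CHAIN" 2>/dev/null ||
      "$IPTABLES" -I "$hook" 1 -j "$CHAIN" || return 1
  done
}

# Expected rule count, to compare with `iptables -S mychain | grep -c '^-A'` after boot.
rule_count() { chain_rules | wc -l | tr -d ' '; }
```

Call apply_rules from the init script; render_commands prints the same commands so the rule set can be reviewed before it is deployed.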
My only machine at present is a netbook (Acer Aspire) which is running Fedora 17 (I normally use and recommend Debian).
Building CM7.2 presented quite a few challenges; having finally succeeded, I want to publish some notes to help others with similar constraints. There are doubtless better ways of doing some things set out here (comments welcome), but these worked.
First, Android can only successfully be built and then actually work if built with fairly aged software. Any recent distribution is likely to be troublesome, and FC17 is right out. The best solution appears to be to build in a VM. I built with Debian Wheezy (currently testing) because I had it lying around, but Debian Squeeze is probably the safest bet. One can do a very minimal install, no need for a gui or anything, just the usual tools and libraries.
I first started with VirtualBox on Fedora, using their "Shared Folders". I already had the repo checked out, and wanted to be able to keep the source outside of the VM instead of trapped inside it. VBox in Oracle's infinite wisdom decided not to support symlinks with "Shared Folders", making them useless. This problem appeared only at the end of the build, wasting lots of time.
At this point, I copied the source over to Windows and tried building it with VirtualBox there, which didn't work, so I decided to try Xen on Fedora.
Xen worked, but not very well. There were some crashes and hangs, and the machine could not be suspended.
Worst of all, memory used for guest VMs is permanently subtracted from the host VM, so one has to reboot after one or two launches of a VM. One plus (on Fedora 17) is that firewall rules are automagically created to allow virbr0, the bridging network between guest and host, to work so the guest can reach the net. I still needed to manually add an iptables rule so the guest could access the host, and thus the nfs-exported source code.
Code:
iptables -A INPUT -i virbr0 -j ACCEPT
I probably could have gotten the build to work with Xen at this point, but decided that since I had nfs figured out and VirtualBox (unfortunately) worked for me a lot better than Xen, I would give VBox another try, using nfs instead of "Shared Folders".
With VirtualBox, the default NAT network makes the host unreachable, so one needs to use two adapters on the guest: one "Host-Only Adapter" to access NFS on the host, one NAT adapter to be able to reach the net (not strictly needed). I then needed to do a manual dhclient on the NAT adapter to get the NAT access working:
Code:
dhclient eth1
On the host, I needed to adjust iptables to open the firewall for the vbox NAT adapter (192.168.56.0/24 at present) and enable masquerading. Note that no thought is given to security:
Code:
iptables -A INPUT -i vboxnet0 -j ACCEPT
iptables -A FORWARD -i vboxnet0 -j ACCEPT
iptables -A FORWARD -o vboxnet0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.56.0/24 ! -d 192.168.56.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.56.0/24 ! -d 192.168.56.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.56.0/24 ! -d 192.168.56.0/24 -j MASQUERADE
On the Debian guest, other than doing
Code:
dhclient eth1   # or eth0: whichever one is the NAT interface, see the output of ifconfig -a
nothing special was required beyond a typical nfs mount.
On Fedora, nfs doesn't seem to start by itself; I had to do:
Code:
service rpcbind start
and then
Code:
service nfs start
to get it going.
Netbooks are not made to build software. Letting a build run without taking some measures eventually results in overheating and crashing.
I did all of the below manually, but using tools such as cpupower in package kernel-tools in Fedora 17 (used to be package cpufrequtils) is easier. There doesn't seem to be a command or sysctl setting to set ignore_nice_load.
Setting ignore_nice_load for the ondemand cpufreq governor should have done the job, but for some reason didn't work, even with both the build and the whole VM process niced:
Code:
[root@host ondemand]# pwd
/sys/devices/system/cpu/cpufreq/ondemand
[root@host ondemand]# echo 1 >ignore_nice_load
I had to change the governor from ondemand to powersave, and had to do it for both cores. The easy way (with Fedora 17) is:
Code:
cpupower frequency-set -g powersave
The manual way, in case the above is not available, is:
Code:
[root@host cpufreq]# pwd
/sys/devices/system/cpu/cpu0/cpufreq
[root@host cpufreq]# cat scaling_available_governors
conservative userspace powersave ondemand performance
[root@host cpufreq]# echo powersave >scaling_governor
[root@host cpufreq]# pwd
/sys/devices/system/cpu/cpu1/cpufreq
and so forth.
This locked both cores at 800000 instead of 1000000 (those are the two speeds in the AMD C60). I also have the netbook elevated so heat can't collect underneath it. Having taken these measures, it can build CM (overnight or longer) without problems.
I hope these notes are useful to someone.
I have Threema installed and the latest version of AFWall+.
I use this custom script: http://forum.xda-developers.com/showpost.php?p=40513649&postcount=852 to allow GCM for push notifications from Threema.
But this does not work. I still have problems with push notifications from Threema. Now I see in the AFWall+ log that the kernel wants to connect to an IP from Threema.
What must I write in the custom script to allow the kernel to connect to a specific IP like 109.205.171.171?
My current custom script is this:
Code:
$IPTABLES -I "afwall" -p udp --dport 5228:5230 -j RETURN || exit
$IPTABLES -I "afwall" -p tcp --dport 5228:5230 -j RETURN || exit
Perhaps something like the owner uid match option. Look up the man pages for iptables and iptables-extensions; they should provide you with some more insight.
Code:
$IPTABLES -A OUTPUT -d 109.205.171.171 -m owner --uid-owner 0-999999999 -j ACCEPT
Sorry, my knowledge about iptables is zero.
The kernel has the app id -1.
Would this be correct?:
Code:
$IPTABLES -A OUTPUT -d 109.205.171.171 -m owner --uid-owner -1 -j ACCEPT
I don't want to allow the kernel everything, only one IP.
Hi All,
I have a stupid Juniper VPN device at work which does not support 64-bit Linux clients using netconnect. I have found ways around this previously, but now we are setting up 2-factor auth, which throws a lot of javascript into the mix, making the scripts I used pretty much obsolete. The Junos Pulse client works well for Android, so I am thinking I want to use an Android device as a router. Connecting to the VPN and using wifi tethering does not work, the same with USB tethering, and those are not exactly what I want anyway.
So basically I want to be able to connect my Android device to my wifi here at home, connect to the VPN on it, run a script to do my setup on the Android device, and lastly add a route on my client PC to tunnel through the Android device. Here is what I tried so far on the device:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
ip rule add from all to 10.0.0.0/8 fwmark 0x3c lookup 60
and on the client PC:
Code:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.29
where 192.168.1.29 is the IP of my Android device, and 10.0.0.0/8 (I know it's lazy) is the IP range I want to go through tun0 on the device. This is, however, not working.
The only thing I need to do on a standard Linux box to do this would be:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
And set up the same route command on the client but point it at the Linux box instead. This currently works, but when we decide to flip the switch and use the 2-factor auth only, I will not be able to make it work on a standard Linux box, whereas 2-factor does work on Android via the Junos app.
I fear I am missing something simple in Android land, please help...
Hi, I recently wrote a program in C/C++ which allows me to tunnel over ICMP (my carrier stupidly allows ICMP traffic over 3G with the right APN).
All works fine if I'm using it from the phone, using the NDK-compiled binary.
It also works fine if I'm not running the tunnel from my phone and just tethering via USB/wifi/BT and running the tunnelling program on the device tethered to my S3.
What I'm trying to achieve is: run the tunnelling program on the phone, and set up some iptables rules to forward rndis0/wlan0/bt-pan to tun0 so that I can use the tunnelled connection simultaneously on the phone and on whatever other devices are tethered to the phone.
Problem is, whilst running the program on the phone, I can access all sites/IPs fine, but the connection provided to the tethered devices with the iptables rules is flaky at best, and simply will not connect to some sites at all.
Possibly a netmask issue?
Assuming my default gateway on the phone is set to the tunnel endpoint, here are the iptables rules I am using to NAT the tetherable interfaces:
Code:
iptables -F natctrl_FORWARD
iptables -A FORWARD -o tun0 -i bt-pan -s 192.168.44.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o tun0 -i wlan0 -s 192.168.43.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o tun0 -i rndis0 -s 192.168.42.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Strangely, I can ping OK and access sites like google and facebook, but most other sites will not load.
I have done tracepath, so I know the packets are going through the tunnel.
Anyone able to shed any light on this?
Alternatively, could it be possible to edit the default tethering scripts on the S3 to use the tun0 device instead of rmnet0? Will search for them and try.
Going to roll my NDK executable into a shared library and make it into a paid app.
Used 10gb in 2 days on a SIM which has never and will never have credit. Also works whilst roaming!
Jamie
Issue was that the MTU of wlan0/bt-pan/rndis0 was larger than that of the tunnel, causing packets to fragment. Lowered the MTU and problem solved; working beautifully now.
Hello!
I have a rooted device and need to prevent VPN connection traffic leaks. So, in the terminal I put this script.
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.43.0/24 -j ACCEPT
iptables -A INPUT -s XX.XX.XX.XX -j ACCEPT
iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
iptables -A INPUT -s YYY.YYY.YYY.YYY -j ACCEPT
iptables -P INPUT DROP
All works well, OpenVPN connects to the servers, but in Google Chrome no website opens. Every time I get "You are offline".
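An added example, not the poster's script, of how a practitioner would write this kill switch. The script above only accepts a fixed list of sources on INPUT and then drops everything else, so the replies that web servers send back through the tunnel are dropped too, which is exactly the "You are offline" symptom; the rule set below adds the missing conntrack rule and a matching OUTPUT lockdown. VPN_IF, LAN, VPN_SERVERS (TEST-NET placeholders standing in for the masked XX.XX.XX.XX addresses) and VPN_PORT are assumptions to adjust.

```shell
#!/bin/sh
# Added example (editor's, not the poster's script): a VPN kill switch for a rooted device.
# Placeholders to adjust: VPN_IF (tunnel interface), LAN (the hotspot range from the post),
# VPN_SERVERS (the masked XX.XX.XX.XX endpoints; TEST-NET addresses here) and VPN_PORT.
IPTABLES="${IPTABLES:-iptables}"
VPN_IF="${VPN_IF:-tun0}"
LAN="${LAN:-192.168.43.0/24}"
VPN_SERVERS="${VPN_SERVERS:-203.0.113.10 203.0.113.11}"
VPN_PORT="${VPN_PORT:-1194}"

# Emit the rule set as "<chain> <arguments>" lines. Compared with the poster's script this
# adds what was missing: replies to connections opened through the tunnel must be accepted
# (conntrack ESTABLISHED,RELATED), and OUTPUT has to be locked down for a real kill switch.
kill_switch_rules() {
  printf '%s\n' "INPUT -i lo -j ACCEPT" "OUTPUT -o lo -j ACCEPT"
  # anything we send through the tunnel, and the replies to it from any internet host
  printf '%s\n' "OUTPUT -o $VPN_IF -j ACCEPT"
  printf '%s\n' "INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # local network: DHCP, the hotspot clients, printers and so on
  printf '%s\n' "INPUT -s $LAN -j ACCEPT" "OUTPUT -d $LAN -j ACCEPT"
  # the only clear-text traffic allowed to leave the physical interfaces: the VPN handshake
  for server in $VPN_SERVERS; do
    printf '%s\n' "OUTPUT ! -o $VPN_IF -d $server -p udp --dport $VPN_PORT -j ACCEPT"
  done
}

# Flush, load the explicit ACCEPT rules, and only then switch both policies to DROP, so a
# failure half-way leaves the device reachable instead of cut off.
apply_kill_switch() {
  "$IPTABLES" -F INPUT && "$IPTABLES" -F OUTPUT || return 1
  kill_switch_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    "$IPTABLES" -A $rule || exit 1
  done || return 1
  "$IPTABLES" -P INPUT DROP && "$IPTABLES" -P OUTPUT DROP
}

# Number of explicit rules, to compare with `iptables -S | grep -c '^-A'` after applying.
kill_switch_rule_count() { kill_switch_rules | wc -l | tr -d ' '; }
```

Because OUTPUT is dropped by default, the VPN servers have to be given as IP addresses (as the poster already does), since DNS cannot be resolved before the tunnel is up.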