Download a terminal client, e.g. ConnectBot, and connect to your local shell.
Enter `su` to become root (double-check with `whoami` afterwards).
Enable wifi tethering and ensure your data connection is working (connect to the VPN).
Run `netcfg` and note your interface names (typically tun0 and wlan0, as on my SGSII; ignore m.wlan0 or similar and only take the one with a real MAC address).
Double check the subnet for your wlan0 device and enter the following commands:
Code:
# set up a POSTROUTING entry for the tethered devices' subnet, implementing NAT
iptables -t nat -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
# forward packets from tethered devices across the tunnel
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
# forward packets from the tunnel to the tethered devices
iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT
Note: because you are using NAT, you will need to configure port forwards on your Android device to be able to run servers etc. on tethered devices. It's unlikely you'll need to worry about that though. Give feedback on whether it worked or not. Posting this now from my home IP thanks to OpenVPN for Android and these iptables rules!
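A small script, added here as an example (it is not the thread's own code and not part of OpenVPN for Android), that builds the same setup as the steps above but scoped to the tether subnet and the two interfaces, admits return traffic only by conntrack state, and checks each rule with `iptables -C` before appending it, so re-running it never stacks duplicate rules. The interface names, the 192.168.43.0/24 default and the `apply` argument are assumptions; without `apply` it only validates and prints, so it can be tried without touching the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: NAT-over-tunnel for tethered clients,
# scoped to the tether subnet and the two interfaces, with return traffic
# admitted only by conntrack state, applied idempotently (-C before -A).
# Interface names, the subnet default and the "apply" argument are assumptions.

# validate_cidr A.B.C.D/N -> status 0 if well-formed, 1 otherwise
validate_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0; oldifs=$IFS; IFS=.
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# tether_rules LAN WAN CIDR -> one "table|chain|match" line per rule
tether_rules() {
    lan=$1; wan=$2; cidr=$3
    validate_cidr "$cidr" || { echo "tether_rules: bad subnet '$cidr'" >&2; return 1; }
    printf '%s\n' \
        "nat|POSTROUTING|-s $cidr -o $wan -j MASQUERADE" \
        "filter|FORWARD|-i $lan -o $wan -s $cidr -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
        "filter|FORWARD|-i $wan -o $lan -d $cidr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rule "table|chain|match" -> append the rule unless it is already present
apply_rule() {
    table=${1%%|*}; rest=${1#*|}; chain=${rest%%|*}; match=${rest#*|}
    # $match is intentionally unquoted so that it splits into iptables arguments
    if iptables -t "$table" -C "$chain" $match 2>/dev/null; then
        echo "present: $table $chain $match"
    else
        iptables -t "$table" -A "$chain" $match && echo "added: $table $chain $match"
    fi
}

# Usage (as root, on the phone): sh tether.sh apply wlan0 tun0 192.168.43.0/24
if [ "$1" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward   # Android's tethering normally sets this already
    tether_rules "${2:-wlan0}" "${3:-tun0}" "${4:-192.168.43.0/24}" |
        while IFS= read -r rule; do apply_rule "$rule"; done
fi
```

The difference from the plain `-i wlan0 -o tun0 -j ACCEPT` pair is that only packets actually sourced from the tether subnet are forwarded and masqueraded, and traffic coming back from the tunnel is only let through if conntrack already knows the flow, so nothing on the far side of the VPN can open connections into the tethered clients.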
deed02392 said:
Download a terminal client, e.g. ConnectBot and connect to your local shell.
I'm a complete newbie here; I just want to ask, is this change permanent? Can I revert back to the default iptables? How do I forward using USB tethering?
quick response
deed02392 said:
Download a terminal client, e.g. ConnectBot and connect to your local shell.
Hi there...
I'm a total rookie, I just follow instructions carefully.
I've been searching for a solution to this problem on my s3mini
Rooted.
I used Terminal Emulator, but still my wifi-connected laptop didn't connect to the internet. My OpenVPN log showed something like routes being added and stuff.
Still didn't work.
Then I used ConnectBot to retry the same exact steps; still nothing happened.
On my phone, I think the subnet is 192.168.43.1/24. Do you think that could be a reason it did not work?
I've tried so many options so far for this issue.
I really hope you come back to this thread.
I've read dozens of these threads and pages on making this work and I can't do it. I just can't figure it out. Is there something different on 6.0 Marshmallow? I know there's no netcfg; I've been using ip link show.
HELP
I tried this solution to hide my tether usage from ThreeUK. While it did work, I was having some evil DNS issues. I could download at a few MB/s but then it would take 180 seconds to load some basic pages etc.
However, thinking upon it, I realised you don't even need to use a VPN client to hide the usage; just use the same method as OP posted but send all traffic via wlan0.
Worked perfectly all week for me; streamed a good 5 GB of TV, and if I need a VPN I can initiate the VPN on the end device.
Works with USB tethering too, and Bluetooth.
Obviously change IP/Adapter names etc.
Pantho86 said:
However, thinking upon it I realised you don't even need to use a VPN client to hide the usage, just use the same method as OP posted but send all traffic via wlan0.
Apologies for resurrecting an old thread, but is this still working for you? Would it be possible for you to provide some instructions as it isn't clear what commands you've used.
Apologies, but I cannot test it anymore as I'm not wanting to root my Nexus device; I enjoy using Android Pay and my banking app too much.
Now, if I'm remembering correctly, I ran:
Code:
# flush the FORWARD and NAT POSTROUTING chains (this also drops the jumps to Android's own tethering chains)
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
# accept all forwarded traffic and masquerade everything leaving the phone (very broad; scope with -s/-o where you can)
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
# policy routing: traffic from the tether subnet uses table 61, whose default route is the mobile interface
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev rmnet0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
The only issue I was having was when using dual-3G connections: there are 2 outgoing connections in those scenarios and sometimes Three will say "Tether limit hit"; at that point just toggle flight mode off/on to reset the connection and rerun the routing.
Read the thread I linked and poke at it for a while, you should be able to get it working. This was the only way I managed to hide wifi tether usage. USB tethering for Windows & Unix is easy enough to hide with free apps, but for a chromebook or other such devices it's trickier and this is the only way.
(I had to remove the link, XDA blocked it... google wifi tether iptables and it's the thread on digiex)
OK that's great, thanks.
Pantho86 said:
I tried this solution to hide my tether usage from ThreeUK. While it did work I was having some evil DNS issues. I could download at a few mb/s but then would take 180 seconds to load some basic pages etc.
Hey... I was just wondering how you modified the original commands to get tethering to work undetected without VPN. I've been trying to figure this out for weeks!
Hi All,
I have a stupid Juniper VPN device at work which does not support 64-bit Linux clients using netconnect. I have found ways around this previously, but now we are setting up 2-factor auth, which throws a lot of JavaScript into the mix, making the scripts I used pretty much obsolete. The Junos Pulse client works well for Android, so I am thinking I want to use an Android device as a router. Connecting to the VPN and using wifi tethering does not work, and the same goes for USB tethering, and those are not exactly what I want anyway.
So basically I want to be able to connect my Android device to my wifi here at home, connect to the VPN on it, run a script to do my setup on the Android device, and lastly add a route on my client PC to tunnel through the Android device. Here is what I tried so far on the device:
Code:
# let the kernel route between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade everything leaving via the VPN tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# default policy for forwarded packets: accept
iptables -P FORWARD ACCEPT
# masquerade traffic from the home LAN towards the VPN-side range
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
# policy routing: send packets for the VPN-side range that carry fwmark 0x3c through table 60
ip rule add from all to 10.0.0.0/8 fwmark 0x3c lookup 60
and on the client PC:
Code:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.29
where 192.168.1.29 is the IP of my Android device, and 10.0.0.0/8 (I know it's lazy) is the IP range I want to go through tun0 on the device. This is however not working.
The only thing I need to do on a standard linux box to do this would be:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
And set up the same route command on the client but point it at the Linux box instead. This currently works, but when we decide to flip the switch and use 2-factor auth only, I will not be able to make it work on a standard Linux box, but 2-factor does work on Android via the Junos app.
I fear I am missing something simple in Android land, please help...
Now before I get flamed for a duplicate post, I have already searched this topic. I found 2 threads here, one of which has a few different methods, and a few others elsewhere on the net. I've tried all of them, literally. Every guide I could find relating to passing USB Tethered traffic through my phone's OpenVPN connection. I figure I must be doing something wrong somewhere in my iptables.
Some info about my setup:
Phone: Samsung Galaxy S5 - Rooted via Towelroot, SuperUser updated, RootCheck confirmed rooted
Interfaces from 'netcfg': wifi = wlan0, usb tether = rndis0, Cellular data = rmnet0, OpenVPN tunnel = tun0
VPN network = 10.0.1.0/24
USB Tethered network = 192.168.42.0/24
Wifi Tethered network = 192.168.43.0/24
LAN network (on other side of VPN) = 10.0.0.0/8
Firewall/OpenVPN server = pfSense
OS of Client attempting to connect through VPN = Windows 7
I am trying to use my phone as an OpenVPN gateway because I require a connection to my home network, and I have insufficient permission to install the OpenVPN client on the machine I am trying to connect back home with. Even though I cannot install the OpenVPN client/Tun/tap network interface, it does allow my phone's rndis interface to be installed.
And this is what I have tried so far:
iptables --flush
iptables -A POSTROUTING -o tun0 -j MASQUERADE -t nat
iptables -A FORWARD -i tun0 -o rndis0 -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A FORWARD -i rndis0 -o tun0 -m state --state INVALID -j DROP
iptables -A FORWARD -i rndis0 -o tun0 -j RETURN
And This:
iptables --flush
iptables -A POSTROUTING -s 192.168.42.0/24 -j MASQUERADE -t nat
iptables -A FORWARD -j ACCEPT -i rndis0 -o tun0
iptables -A FORWARD -j ACCEPT -i tun0 -o rndis0
Neither one seems to work. I tried the former earlier and couldn't tell if it worked or just screwed everything up, as I couldn't connect to anything on my home LAN or the internet.
Any help is greatly appreciated. I don't know if I need to add a rule on the pfSense firewall to handle traffic from 192.168.42.0/24 or not; I haven't seen that mentioned anywhere.
Hey, I know this is a little old, but did you get anywhere?
I too am trying to get traffic from the tethered device routed via the phone's VPN connection.
Thanks
Hi, I recently wrote a program in C/C++ which allows me to tunnel over ICMP (my carrier stupidly allows ICMP traffic over 3G with the right APN).
All works fine if I'm using it from the phone, using the NDK-compiled binary.
Also works fine if I'm not running the tunnel from my phone and just tethering via USB/wifi/BT and running the tunnelling program on the device tethered to my S3.
What I'm trying to achieve is: run the tunnelling program on the phone, and set up some iptables rules to forward rndis0/wlan0/bt-pan to tun0 so that I can use the tunnelled connection simultaneously on the phone and on whatever other devices are tethered to the phone.
Problem is, whilst running the program on the phone, I can access all sites/IPs fine, but the connection provided to the tethered devices with the iptables rules is flaky at best, and simply will not connect to some sites at all.
Possibly netmask issue?
Assuming my default gateway on the phone is set to the tunnel endpoint, here are the iptables rules I am using to NAT the tetherable interfaces:
iptables -F natctrl_FORWARD
iptables -A FORWARD -o tun0 -i bt-pan -s 192.168.44.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o tun0 -i wlan0 -s 192.168.43.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o tun0 -i rndis0 -s 192.168.42.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Strangely, I can ping OK and access sites like Google and Facebook, but most other sites will not load.
Have done tracepath so I know the packets are going through the tunnel.
Anyone able to shed any light on this?
Alternatively, could it be possible to edit the default tethering scripts on the s3 to use the tun0 device instead of rmnet0 ? Will search them and try
Going to roll my NDK executable into a shared library and make it into a paid app.
Used 10 GB in 2 days on a SIM which has never and will never have credit. Also works whilst roaming!
Jamie
The issue was that the MTU of wlan0/bt-pan/rndis0 was larger than that of the tunnel, causing packets to fragment. Lowered the MTU and problem solved; working beautifully now.
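As an added example (not Jamie's code and not from any tool named in the thread), the check and the fixes for that failure mode: read the MTU of every interface from `ip link show` output, flag tethered interfaces whose MTU exceeds the tunnel's, and emit either the `ip link set ... mtu` commands that shrink the LAN side or a TCPMSS clamp in the mangle table, which fixes TCP flows without touching interface MTUs. The `ip link` sample is constructed and the interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: detect tethered interfaces whose MTU is
# larger than the tunnel's (the fragmentation problem above) and print the
# two remedies. The ip-link sample is constructed; interface names are assumptions.

SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: rndis0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN'

# iface_mtus "<ip link output>" -> "name mtu" for each interface header line
iface_mtus() {
    printf '%s\n' "$1" | awk '/^[0-9]+: / {
        name = $2; sub(/:$/, "", name)
        for (i = 1; i <= NF; i++) if ($i == "mtu") print name, $(i + 1)
    }'
}

# iface_mtu "<ip link output>" NAME -> that interface's MTU (empty if absent)
iface_mtu() { iface_mtus "$1" | awk -v n="$2" '$1 == n { print $2 }'; }

# mtu_mismatches "<ip link output>" TUN LAN... -> LAN interfaces whose MTU exceeds TUN's
mtu_mismatches() {
    out=$1; tun=$2; shift 2
    tmtu=$(iface_mtu "$out" "$tun")
    [ -n "$tmtu" ] || { echo "mtu_mismatches: no interface $tun" >&2; return 1; }
    for lan in "$@"; do
        m=$(iface_mtu "$out" "$lan")
        if [ -n "$m" ] && [ "$m" -gt "$tmtu" ]; then
            echo "$lan mtu $m exceeds $tun mtu $tmtu"
        fi
    done
}

# mss_for_mtu MTU -> largest TCP MSS that fits (20-byte IPv4 header + 20-byte TCP header)
mss_for_mtu() { echo $(( $1 - 40 )); }

# mtu_fix_commands TUN TUN_MTU LAN... -> commands for both remedies
mtu_fix_commands() {
    tun=$1; tmtu=$2; shift 2
    # remedy 1: shrink the tethered interfaces to the tunnel MTU (what the poster did)
    for lan in "$@"; do
        echo "ip link set dev $lan mtu $tmtu"
    done
    # remedy 2: rewrite the MSS of SYNs crossing the tunnel in either direction so TCP
    # peers never send segments that would have to be fragmented (non-TCP is unaffected)
    mss=$(mss_for_mtu "$tmtu")
    echo "iptables -t mangle -A FORWARD -o $tun -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    echo "iptables -t mangle -A FORWARD -i $tun -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Usage on the phone: sh mtu_check.sh check tun0 wlan0 rndis0 bt-pan
if [ "$1" = check ]; then
    shift
    mtu_mismatches "$(ip link show)" "$@"
fi
```

If the tunnel MTU is not fixed (some tunnel programs renegotiate it), `-j TCPMSS --clamp-mss-to-pmtu` in place of `--set-mss` derives the value from the route's path MTU instead.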
Hello all,
I have a question about iptables in Android. I have some rooted smartphones and I'd like to block some IP address ranges
for wifi, mobile, and VPN. I don't want to have an app for this, because the phones are for a company and the user should not be able to uninstall firewall apps like AFWall and so on.
So is there a way to write a bash file, maybe, and start it also after a reboot, like in Linux?
Hope someone can help me.
thanks ...
micky1067
Custom iptables rules
This assumes that you have iptables in your kernel (netfilter). You can write a bash script and put it into init to load at startup; however, in Android the starting of network devices zeroes all the rules, so that would also need to be changed. In addition, a program like AFWall uses iptables to run, so you would need to make sure that you do not conflict with it. Any other firewall that does not use iptables will only be on top of this. The way to do this is to make your own set of rules (chains) which are not touched by the other programs and load them in first. iptables chains work by processing rules in order: if a rule matches, it is executed, and if not the next one is tried, so as long as there is no rule to block everything, the chain only adds. For example, to block local addresses on wifi, Facebook on 4G and VPN on both, do this:
# $IPTABLES is the path to the iptables binary, e.g. IPTABLES=/system/bin/iptables
1. $IPTABLES -N mychain
2. $IPTABLES -A mychain -i wimax+ -d 10.0.0.0/8 -j DROP
3. $IPTABLES -A mychain -i wimax+ -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
4. $IPTABLES -A mychain -i rmnet+ -s 185.60.216.35 -j DROP
5. $IPTABLES -A mychain -i rmnet+ -d 157.240.20.35 -j DROP
# multiport needs -p and --sports/--dports; --reject-with tcp-reset is only valid with -p tcp
6. $IPTABLES -A mychain -p tcp -m multiport --sports 500,1194 -j REJECT --reject-with tcp-reset
7. $IPTABLES -A mychain -p tcp -m multiport --dports 500,1194 -j REJECT --reject-with tcp-reset
# the jump must name a built-in chain; -i rules can only match where an input device exists (INPUT, FORWARD)
8. $IPTABLES -I INPUT 1 -j mychain
Explanation: 1. makes a new chain (a set of rules). 2-3 add rules to the chain using the interface (-i) (wifi), one rule for destination (-d) and another for source (-s), to drop. 4-5 add rules to the chain using the interface (-i) (4G), one rule for destination (-d) and one for source (-s), to drop (blocks only one of Facebook's addresses). 6-7 add rules for the OpenVPN protocols (-m multiport) to reject with a reset packet. 8. inserts the chain so that it is used first in iptables.
You can also use REJECT instead of DROP, but when and if to use DROP/REJECT is outside the scope of this post. You can also specify your internet interfaces instead of using the generic ones.
For more information see the iptables man pages and tutorial, and the AFWall wiki.
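An added example, not the poster's code, of the approach in that post: keep the blocklist in dedicated chains that only this script touches (one per built-in hook, so `-i` and `-o` are each used where they are valid), rebuild the chain contents on every run, and insert the jump at position 1 only when it is absent, so the script can be re-run from init or after the network comes up without stacking duplicate jumps. Chain names, the blocklist entries (the two Facebook addresses are the ones from the post) and the `apply`/`show` arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a blocklist in its own chains, one per
# built-in hook, hooked first and safe to re-run. Chain names, the blocklist
# entries and the apply/show arguments are assumptions.

# constructed blocklist: <interface glob> <src|dst> <address or CIDR> <target>
BLOCKLIST='wlan+ dst 10.0.0.0/8 DROP
wlan+ src 10.0.0.0/8 DROP
rmnet+ dst 157.240.20.35 DROP
rmnet+ src 185.60.216.35 DROP'

chain_for() { echo "corp_block_$1"; }                       # e.g. corp_block_INPUT
# -i only matches where an input device exists (INPUT/FORWARD); OUTPUT needs -o
iface_flag() { case "$1" in OUTPUT) printf '%s\n' -o ;; *) printf '%s\n' -i ;; esac; }

# chain_rules HOOK "<blocklist>" -> "-A <chain> ..." lines in list order (first match wins)
chain_rules() {
    hook=$1; chain=$(chain_for "$hook"); flag=$(iface_flag "$hook")
    while read -r iface dir spec target; do
        [ -n "$iface" ] || continue
        case "$dir" in
            src) a=-s ;;
            dst) a=-d ;;
            *) echo "chain_rules: bad direction '$dir'" >&2; return 1 ;;
        esac
        echo "-A $chain $flag $iface $a $spec -j $target"
    done <<EOF
$2
EOF
}

# install_commands HOOK -> the iptables commands that (re)build the chain and hook it first
install_commands() {
    hook=$1; chain=$(chain_for "$hook")
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"   # create, or empty it for a rebuild
    chain_rules "$hook" "$BLOCKLIST" | sed 's/^/iptables /'
    # insert the jump at position 1 only if no such jump exists yet
    echo "iptables -C $hook -j $chain 2>/dev/null || iptables -I $hook 1 -j $chain"
}

# Usage (as root): sh corp_block.sh apply    or:   sh corp_block.sh show
case "$1" in
    apply) for hook in INPUT OUTPUT FORWARD; do install_commands "$hook" | sh -e; done ;;
    show)  for hook in INPUT OUTPUT FORWARD; do install_commands "$hook"; done ;;
esac
```

Because every rule lives under `corp_block_*`, a tool that flushes or rebuilds INPUT, OUTPUT or FORWARD removes only the jump, and the next run of `apply` puts it back at position 1 without touching whatever that tool added; the `iptables -C` check is what keeps repeated runs from accumulating jumps.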