I would like to run the command
Code:
iptables -t mangle -I POSTROUTING -o rmnet_data0 -j TTL --ttl-set 64
The command fails on the LOS 7.1.2 kernel with error: iptables: No chain/target/match by that name.
Checking the kernel for iptables TTL target support shows that it isn't present:
Code:
1|clark:/ # cat /proc/net/ip_tables_targets
HARDIDLETIMER
IDLETIMER
TRACE
NFQUEUE
NFQUEUE
NFQUEUE
NFQUEUE
NFLOG
CLASSIFY
DNAT
SNAT
CONNMARK
MARK
REJECT
MASQUERADE
ERROR
TCPMSS
TPROXY
TPROXY
REDIRECT
NETMAP
DNAT
SNAT
Is there/can someone compile a kernel with the iptables TTL target? I lack the ability to compile my own kernel.
Can some people try running
Code:
cat /proc/net/ip_tables_targets
and posting the result for their kernels?
Thanks!
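Added example, not from the original post: a pre-flight check for the situation above. The TTL target is registered by the kernel's xt_HL code (config symbol CONFIG_NETFILTER_XT_TARGET_HL); when it is missing, iptables reports "No chain/target/match by that name". The script reads /proc/net/ip_tables_targets (and optionally /proc/config.gz) before printing the rule, and embeds a constructed copy of the target list from the post so it can be run off-device. The rule is only printed, never applied.

```shell
#!/bin/sh
# Added example: verify that the kernel registers an iptables target before
# issuing a rule that depends on it. The file paths default to the live
# kernel but can be overridden with a saved copy (used by the demo below).

# has_xt_target NAME [FILE]
# 0 if NAME is listed in /proc/net/ip_tables_targets (or FILE), 1 if not,
# 2 if the file cannot be read (no netfilter support, or not root).
has_xt_target() {
    _file=${2:-/proc/net/ip_tables_targets}
    [ -r "$_file" ] || return 2
    grep -qx "$1" "$_file"
}

# kernel_has_config SYMBOL [CONFIG_GZ]
# 0 if SYMBOL is =y or =m in /proc/config.gz (or CONFIG_GZ); the TTL target
# corresponds to CONFIG_NETFILTER_XT_TARGET_HL.
kernel_has_config() {
    _cfg=${2:-/proc/config.gz}
    [ -r "$_cfg" ] || return 2
    gzip -dc "$_cfg" 2>/dev/null | grep -Eq "^$1=[ym]$"
}

# ttl_rule IFACE TTL [FILE]
# Print the mangle rule from the post when the TTL target exists; otherwise
# say why it would fail. Returns 0, 1 (target missing) or 2 (cannot check).
ttl_rule() {
    _rc=0
    has_xt_target TTL "${3:-}" || _rc=$?
    case $_rc in
        0) printf 'iptables -t mangle -I POSTROUTING -o %s -j TTL --ttl-set %s\n' "$1" "$2"
           return 0 ;;
        2) echo "cannot read ip_tables_targets; run as root on a netfilter kernel" >&2
           return 2 ;;
    esac
    echo "TTL target not registered; 'iptables -j TTL' will fail with" >&2
    echo "'No chain/target/match by that name' (needs CONFIG_NETFILTER_XT_TARGET_HL)" >&2
    return 1
}

# sample_targets: constructed copy of the target list shown in the post,
# written to a temp file whose path is printed.
sample_targets() {
    _tmp=$(mktemp)
    cat > "$_tmp" <<'EOF'
HARDIDLETIMER
IDLETIMER
TRACE
NFQUEUE
NFLOG
CLASSIFY
DNAT
SNAT
CONNMARK
MARK
REJECT
MASQUERADE
ERROR
TCPMSS
TPROXY
REDIRECT
NETMAP
EOF
    echo "$_tmp"
}

# Demo against the sample list: MARK is present, TTL is not.
f=$(sample_targets)
has_xt_target MARK "$f" && echo "MARK: present"
ttl_rule rmnet_data0 64 "$f" || echo "TTL: missing, as in the post"
rm -f "$f"
```

On a real device run it as root with no file argument so it reads the live /proc files; if `has_xt_target` returns 2 the problem is access, not a missing target.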
Related
Hi, I am using u2nl and autostart together to get everything, including internet and apps, working on my Evo, but I am not getting 3G speeds for some reason, even though the status bar says 3G.
This is what my u2nl code looks like. I think it might be the IP addresses used in there; maybe they are not the server closest to me. Can someone help me optimize my speed, and also post your sample autostart.sh code?
here's mine:
Code:
#!/system/bin/sh
export PATH="$PATH:/system/bin"
# Open policies and flush everything so the script starts from clean tables
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
iptables -X
# Redirect all TCP (-p 6) leaving rmnet0, except traffic to the carrier proxy itself,
# to the local u2nl listener on port 1025
iptables -t nat -A OUTPUT -o rmnet0 -p 6 ! -d 10.133.26.12 -j REDIRECT --to-port 1025
# u2nl tunnels the redirected connections through the carrier HTTP proxy at 10.133.26.12:8080
u2nl 10.133.26.12 8080 127.0.0.1 1025 >/dev/null 2>&1 &
# Kill the autostart app 5 s later. The pid lookup is escaped so the inner shell runs it
# after the sleep; unescaped backticks inside double quotes would run it immediately
sh -c "sleep 5; kill \$(ps | grep nk.bla.android.autostart | grep -v grep | awk '{print \$2}')" &
exit 0
I would like to know where those IPs come from, and if I can change them to improve performance. All help is appreciated, thanks.
By the way, I live in Houston.
Goal: Only allow outgoing cellular data to specific DNS servers and a specific webserver using cellular mode on rooted android device.
Android phone #1: VkWorld F1 (chipset MT6580) running Android 5.1
Android phone #2: HUAWEI Y560-L01 running Android 5.1
Active interfaces on Android #1 when cellular mode is on.
Code:
lo UP 127.0.0.1/8
ccmni0 UP x.x.x.x/x
Active interfaces on Android #2 when cellular mode is on.
Code:
lo UP 127.0.0.1/8
rmnet_data0 UP x.x.x.x/x
This is my current simple iptables for testing on Android #1 and #2
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
# DNS (TCP only as written; most resolvers send UDP/53 first, so a matching -p udp rule is normally needed too)
-A OUTPUT -d 8.8.8.8 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
# webserver
-A OUTPUT -d x.x.x.x -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
These iptables rules work on Android device #2 or on any Android phone that has an 'rmnet' interface (from my own testing).
These iptables rules DO NOT work on Android device #1 or on any Android phone that has a 'ccmni' interface (from my own testing).
And if I add or change the rule on my Android #1 to
Code:
-A OUTPUT -o ccmni0 -d x.x.x.x -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
it still can NOT contact the destination IP.
However, if I add this line before the last -j DROP rule, it works
Code:
iptables -A OUTPUT -o ccmni0 -j ACCEPT
but this allows the ccmni interface to talk freely to any website and makes my DNS and webserver rules pointless.
Once again:
Devices with rmnet interfaces = rules work.
Devices with ccmni interfaces = rules do not work.
[EDIT/SOLVED]
I used tcpdump and Wireshark to see what might have gone wrong with the traffic; apparently my traffic had to go through a proxy from my provider that I had blocked off in iptables. Why it still works fine with rmnet interfaces I have no clue.
volleb said:
I used tcpdump and Wireshark to see what might have gone wrong with the traffic; apparently my traffic had to go through a proxy from my provider that I had blocked off in iptables. Why it still works fine with rmnet interfaces I have no clue.
This is because, in short, it uses a different way to connect, and this is only on MSM chipsets (see this link), while rmnet is standard Android fare.
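Added example, not volleb's rules or the reply's: an egress whitelist generator for the setup described in that post. It matches on the cellular interface instead of relying on the default policy, allows DNS over both UDP and TCP, admits the carrier proxy that the tcpdump session revealed, and puts an NFLOG rule in front of the final DROP so the next blocked flow shows up in the log instead of needing a packet capture (NFLOG is chosen because it appears in the target list at the top of this thread; LOG does not). Interface, server and proxy addresses are caller-supplied placeholders; rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: generate (not apply) an interface-scoped egress whitelist
# with a diagnostic NFLOG rule before the drop. Pipe the output to sh as
# root once reviewed, e.g. from the AFWall custom-script box.

# egress_rules IFACE DNS_SERVER WEBSERVER [PROXY_HOST[:PORT]]
# Web access is restricted to 80/443 here (an assumption; the post allowed
# any TCP port). The proxy port defaults to 8080 if none is given.
egress_rules() {
    _if=$1 _dns=$2 _web=$3 _proxy=${4:-}
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $_if -d $_dns -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $_if -d $_dns -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $_if -d $_web -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $_if -d $_web -p tcp --dport 443 -m state --state NEW -j ACCEPT
EOF
    if [ -n "$_proxy" ]; then
        _phost=${_proxy%%:*}
        _pport=${_proxy##*:}
        [ "$_pport" = "$_proxy" ] && _pport=8080
        # Carrier HTTP proxy found with tcpdump; without this line the
        # ccmni device silently loses web access
        echo "iptables -A OUTPUT -o $_if -d $_phost -p tcp --dport $_pport -m state --state NEW -j ACCEPT"
    fi
    cat <<EOF
iptables -A OUTPUT -o $_if -j NFLOG --nflog-group 1 --nflog-prefix "egress-drop"
iptables -A OUTPUT -o $_if -j DROP
EOF
}

# Demo with placeholder addresses (TEST-NET ranges; the real proxy address
# is whatever the capture showed)
egress_rules ccmni0 8.8.8.8 203.0.113.10 192.0.2.1:8080
```

To read the dropped packets on the device, attach a listener to group 1, for example `tcpdump -i nflog:1 -nn` where tcpdump was built with libnetfilter_log support; each logged packet tells you the destination that still needs a whitelist entry.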
I would like to run the command
Code:
iptables -t mangle -I POSTROUTING -o rmnet_data0 -j TTL --ttl-set 64
The command fails with error: iptables: No chain/target/match by that name.
Checking the kernel for iptables TTL target support shows that it isn't present.
Is there/can someone compile a kernel with the iptables TTL target? I tried to make my own kernel, but I did not succeed.
OP5, OO 4.5.10 (stock)
Thanks!
This is just a guess but maybe the Kali Nethunter kernel has it enabled? It's a kernel centered around pentesting and has all forms of packet monitoring and capturing enabled so it may work.
You could try the Official Nethunter kernel or the Unofficial one, Burgerhunter.
Nethunter Download:
https://build.nethunter.com/nightly/3.20-20170903-2143/
Burgerhunter Thread:
https://forum.xda-developers.com/oneplus-5/development/burgerhunter-t3638810
Thanks, but it does not support it (does not work).
I live in a university on the edge of a city. They provide me with free, blocked internet. Every internet provider said that where I live is too far for their internet connection to reach, but I can use the LTE mobile service by USB tethering to my PC. I can play games at 1 Mbps. But I have problems with every Ubisoft game because it says that my NAT type is strict. I tried putting the IP of the DHCP server into the browser, but it said ERR_CONNECTION_REFUSED. Does anyone have an idea how to change the NAT type to open on Android USB tethering? Thank you. -EDIT- My phone model is SM-E700F, version 4.4.4 (rooted). My ISP is AIS.
@LOKSTED
Hi! You would need to have a static IP for your connection, which usually costs some money (a couple of bucks a month), but I do not know any service provider who sells those IPs for a regular mobile SIM, although that should not prevent you from asking yours if they do.
You can do this by using NAT and IP forwarding; it does need the option in the kernel to be activated. The simple steps are to preroute the USB tethering interface to the LTE data interface (usually one rmnet_ interface is VoLTE, the other is data). You need to have iptables, of course; get yourself AFWall+ and start from there. The script is simple, and a quick look online will find Raspberry Pi setups doing this, but I can write the script if you need. A look around seems to show that you need to forward all private ports 50,000 - 60,000, at least in Rainbow Six (see this website); this should work for all games theoretically, since this is all of the ports, in addition to the ports requested by the game. The IP address does not seem to be the problem, so you can leave it alone and change it back.
A script for port fowarding
This is a script for port forwarding for gaming. I do not know the ports needed for your game; these are the ports for Rainbow Six. It does open most ports to be used, so it should work.
You should experiment with this script to use only the least amount of ports; if it does not work, then delete the comments (#) and try again. To use it, install AFWall with root, and when you want to play, put this script into the custom script section.
To find the name of your tethered network connection, first run this code
Code:
ifconfig -s | cut -d' ' -f1 | grep -v Iface
then do it again after the connection is made; comparing the two will tell you your tethered network interface. I know I should write a script for this.....
Code:
#!/system/bin/sh
###################################
#
# File name gameonipt.sh
# Iptables Gaming script for Android
# Opens ports needed for Gaming on a
# tethered connection use minimaly
# By Applied Protocol
#
###################################
#
IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables
## Interface Setup
# should change to your network interfaces
# Tethering Interface
INT_INT="rndis+"
# Put your local lan address from the tethered connection here
# (leave empty to match any source on the tethering interface)
IP_INT=""
# Only emit "-s <addr>" when an address was given; a bare -s makes iptables error out.
# IP_INT is an IPv4 address, so it is used for iptables only, not ip6tables.
SRC_MATCH=${IP_INT:+-s $IP_INT}
# Internet Interface
# can use wimax+ for wifi
EXT_INT="rmnet+"
## Ports to Open
# This should be adjusted to be kept to a minimum ports
# here are everything needed to make a connection
TCP_PORT="80 443 13000 13005 13200 14000 14001 14008"
UDP_PORT="3074 9103"
UDP_PORT_RANGE="10000:10099 50000:60000 49152:65535"
### INPUT Chain
# Start with New Rules
# Note: -F flushes whatever AFWall installed, and policy DROP on OUTPUT
# also blocks the phone's own traffic until the tethering session is over
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
# ip6tables -t nat is absent on older kernels; that line just errors and is harmless
$IP6TABLES -F
$IP6TABLES -F -t nat
$IP6TABLES -X
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -t nat -F POSTROUTING
$IP6TABLES -F -t mangle
$IP6TABLES -t mangle -X
## Connection Tracking
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### FORWARD Chain
## Connection Tracking
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
# One rule lets the replies of every forwarded flow back in, UDP included;
# without it the UDP game traffic below can leave but its answers are dropped
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow Selected Ports
# Each loop handles one port (or one range) per iteration via $port
for port in $TCP_PORT
do
$IPTABLES -A FORWARD -i $INT_INT -o $EXT_INT $SRC_MATCH -p tcp --sport $port -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -i $INT_INT -o $EXT_INT -p tcp --sport $port -m state --state NEW -j ACCEPT
done
for port in $UDP_PORT
do
$IPTABLES -A FORWARD -i $INT_INT -o $EXT_INT $SRC_MATCH -p udp --sport $port -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -i $INT_INT -o $EXT_INT -p udp --sport $port -m state --state NEW -j ACCEPT
done
# A single low:high range is accepted by --sport directly; multiport is not needed
for port in $UDP_PORT_RANGE
do
$IPTABLES -A FORWARD -i $INT_INT -o $EXT_INT $SRC_MATCH -p udp --sport $port -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -i $INT_INT -o $EXT_INT -p udp --sport $port -m state --state NEW -j ACCEPT
done
## NAT Table
$IPTABLES -t nat -A POSTROUTING -o $EXT_INT -j MASQUERADE
## Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
exit
### EOF ###
It goes without saying that this is a really open script and should be used (even after the ports needed are selected) only for select times; afterward, turn off your tethered connection. Delete any port that you do not need, and if no ports of that type are needed, comment out the loop at the bottom for that type.
GAME ON
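Added example, not Applied Protocol's script: the two pieces the reply leaves to the reader. First, the interface-diff the reply says it should have scripted: the interface list before and after plugging in the PC, with the new name picked out. Second, the NAT side of an "open" NAT for one tethered host: MASQUERADE for outbound, a DNAT in PREROUTING for inbound game ports, and the matching FORWARD accept. As the reply notes, inbound DNAT only helps when the carrier gives the phone a public address. Interface names, the PC address (192.168.42.x is the usual Android USB-tether subnet, assumed here) and the ports are placeholders; rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example: find the tethering interface and generate (not apply) the
# NAT and port-forward rules for a tethered PC. Pipe the output to sh as root
# once reviewed.

# new_iface BEFORE AFTER
# BEFORE and AFTER are newline-separated interface lists, e.g. two captures
# of the "ifconfig -s | cut -d' ' -f1 | grep -v Iface" pipeline from the
# reply. Prints the names present only in AFTER.
new_iface() {
    _b=$(mktemp); _a=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$_b"
    printf '%s\n' "$2" | sort -u > "$_a"
    comm -13 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# tether_nat_rules TETHER_IF LTE_IF PC_IP PROTO:PORT[:PORT] ...
# Each spec is "udp:3074" or "udp:50000:60000"; the part after the first
# colon is passed to --dport unchanged, so ranges keep iptables' low:high form.
tether_nat_rules() {
    _tif=$1 _lte=$2 _pc=$3
    shift 3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $_lte -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $_tif -o $_lte -s $_pc -j ACCEPT
EOF
    for _spec in "$@"; do
        _proto=${_spec%%:*}
        _ports=${_spec#*:}
        # Inbound: rewrite the destination to the PC, then allow the forwarded packet
        echo "iptables -t nat -A PREROUTING -i $_lte -p $_proto --dport $_ports -j DNAT --to-destination $_pc"
        echo "iptables -A FORWARD -i $_lte -o $_tif -d $_pc -p $_proto --dport $_ports -m state --state NEW -j ACCEPT"
    done
}

# Demo with constructed interface lists: rndis0 appears after tethering starts
before="lo
rmnet_data0
wlan0"
after="lo
rmnet_data0
rndis0
wlan0"
tif=$(new_iface "$before" "$after")
echo "# tethering interface: $tif"
tether_nat_rules "$tif" rmnet_data0 192.168.42.100 udp:3074 udp:50000:60000 tcp:443
```

Keep the forwarded set as small as the game tolerates: every DNAT line exposes that port on the PC to the whole internet for as long as the rules are loaded, which is why the reply says to tear the tethering session down afterwards.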
Hello, I'm trying to redirect my web traffic on mobile data with AFWall using an iptables startup script like so
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
And this does not work? I'm rooted and running dnscrypt-proxy using a Magisk module, please help
And yes, dnscrypt-proxy is running before I try this??
I also have DNS privacy in Android 9 turned off, and in AFWall preferences I have DNS lookups via netd turned off ???
Look at the download section of Magisk Manager.
There is full documentation.
Second screenshot
OK, I see the commands to place in AFWall, but there's no way to copy and paste them; I have to type that all out manually??
OK so I added the script to afwall and
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
Now I get "unable to resolve" in any app until I remove the script
I'm using the Note 7 with the SyberiaOS ROM; could this be my issue, or is there a terminal command to see running DNS ports??
And yes, I do have live servers in dnscrypt still
notreal456789 said:
OK so I added the script to afwall and
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
Now I get "unable to resolve" in any app until I remove the script
I'm using the Note 7 with the SyberiaOS ROM; could this be my issue, or is there a terminal command to see running DNS ports??
And yes, I do have live servers in dnscrypt still
It is a German page, but maybe with Google Translate it will be helpful.
https://www.kuketz-blog.de/afwall-wie-ich-persoenlich-die-android-firewall-nutze/
Sorry I don't use afwall
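Added example, not from the thread or from the Magisk module's documentation: the check the question above asks for, plus a safer form of the redirect rules. "Unable to resolve" right after adding a DNAT to 127.0.0.1:PORT is what you get when nothing is listening on that port (the posts switch between 5353 and 5354), so the script first looks for a listener in `netstat -ln` output, and only then prints the two redirect rules. Instead of the `! -d 9.9.9.9` exception, the rules exempt the proxy's own UID with the owner match, so any plain port-53 lookup the proxy itself makes is not looped back into it. The port and UID are placeholders; the netstat lines in the demo are constructed; rules are printed, not applied.

```shell
#!/bin/sh
# Added example: confirm a local DNS listener exists, then generate (not
# apply) OUTPUT-chain redirects for port 53 that exempt the resolver's UID.

# listener_on_port PORT [NETSTAT_OUTPUT]
# 0 if a tcp or udp socket bound to PORT appears in NETSTAT_OUTPUT
# (default: live "netstat -ln"), else 1.
listener_on_port() {
    _port=$1
    _out=${2:-$(netstat -ln 2>/dev/null)}
    printf '%s\n' "$_out" | grep -Eq "^(udp|tcp)6?[[:space:]].*[.:]${_port}[[:space:]]"
}

# dns_redirect_rules PORT [UID]
# Prints a UDP and a TCP rule sending port-53 traffic to 127.0.0.1:PORT.
# With UID given, traffic owned by that UID (the proxy's own) is left alone.
dns_redirect_rules() {
    _port=$1 _uid=${2:-}
    _exempt=""
    [ -n "$_uid" ] && _exempt="-m owner ! --uid-owner $_uid "
    for _p in udp tcp; do
        echo "iptables -t nat -A OUTPUT -p $_p --dport 53 ${_exempt}-j DNAT --to-destination 127.0.0.1:$_port"
    done
}

# Demo: constructed netstat lines showing a proxy bound to 127.0.0.1:5354
sample_netstat="Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:5354          0.0.0.0:*
tcp        0      0 127.0.0.1:5354          0.0.0.0:*               LISTEN"
if listener_on_port 5354 "$sample_netstat"; then
    # UID 0 assumed here; use the UID the proxy actually runs as
    dns_redirect_rules 5354 0
else
    echo "nothing listening on 5354; fix the proxy configuration before redirecting" >&2
fi
```

On the device, run `listener_on_port 5354` as root with no second argument to check the live socket table; if it fails, the proxy is not up on that port and any redirect will break resolution exactly as described above.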
Found this
# Set a specific DNS-Server (dismail.de AdBlocking DNS-Server) for all networks except home WiFi (192.168.150.0/24)
$IPTABLES -t nat -I OUTPUT ! -s 192.168.150.0/24 -p tcp --dport 53 -j DNAT --to-destination 80.241.218.68:53
$IPTABLES -t nat -I OUTPUT ! -s 192.168.150.0/24 -p udp --dport 53 -j DNAT --to-destination 80.241.218.68:53
But I need this to work for Wi-Fi as well?? Any help would be nice
What other methods do people use to run dnscrypt-proxy? I have the server running, I just can't connect
OK, so here's the scoop using dnscrypt-proxy on Android 9
Gone
Still, I honestly wish I could just use AFWall or an edit like resolve.config; guess I'll have to wait for updates