Hi,
My Galaxy S4 i9505 is on Android 4.3 stock rooted.
I would like to know if iptables is working before updating to android 4.4.2 stock.
Can someone do this test on his Galaxy on 4.4.2 stock rooted?
Install Android Terminal Emulator and enable access point in network settings
In terminal :
Code:
su
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.43.1:8980
This is risk-free, reboot your phone and iptables rules are deleted :cyclops:
And tell me if there is an error message like "getprotobyname is not implemented on Android" (if nothing is displayed it's ok)
Thanks !
Goal: Only allow outgoing cellular data to specific DNS servers and a specific webserver using cellular mode on rooted android device.
Android phone #1: VkWorld F1 (Chipset. MT6580) running Android 5.1
Android phone #2: HUAWEI Y560-L01 running Android 5.1
Active interfaces on Android #1 when cellular mode is on.
Code:
lo UP 127.0.0.1/8
ccmni0 UP x.x.x.x/x
Active interfaces on Android #2 when cellular mode is on.
Code:
lo UP 127.0.0.1/8
rmnet_data0 UP x.x.x.x/x
This is my current simple iptables for testing on Android #1 and #2
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 8.8.8.8 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT //DNS
-A OUTPUT -d x.x.x.x -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT //webserver
-A OUTPUT -j DROP
These iptables rules work on Android device #2 or any Android phone that has an 'rmnet' interface (from my own testing).
These iptables rules DO NOT work on Android device #1 or any Android phone that has a 'ccmni' interface (from my own testing).
And if I add or change in my android #1 to
Code:
-A OUTPUT -o ccmni0 -d x.x.x.x -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
it still can NOT contact the destination IP.
However if I add this line before the last -j DROP rule it works
Code:
iptables -A OUTPUT -o ccmni0 -j ACCEPT
but this allows the ccmni interface to talk freely to any website and makes my DNS and webserver rules pointless.
Once again:
Devices with rmnet interfaces = rules work.
Devices with ccmni interfaces = rules do not work.
[EDIT/SOLVED]
I used tcpdump and Wireshark to see what might have gone wrong with the traffic; apparently my traffic had to go through a proxy from my provider that I had blocked off in iptables. Why it still works fine with rmnet interfaces I have no clue.
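The allowlist above is typed rule by rule, which makes it easy to end up with the catch-all DROP in the wrong place or with DNS only permitted over TCP. The script below is an added example, not volleb's ruleset or anything from this thread: it generates the same kind of egress allowlist (loopback, one DNS server over UDP and TCP, one webserver on 80/443, everything else logged then dropped) as an iptables-restore file so it can be reviewed before being applied atomically. The interface name, DNS address and webserver address are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: build a cellular egress allowlist for a
# rooted Android device in iptables-restore format.
# Assumptions (placeholders): the interface, DNS server and webserver are
# given as arguments; the kernel provides the state match and LOG target.

# build_egress_rules <iface> <dns_ip> <web_ip>
# Prints a complete *filter table on stdout.
build_egress_rules() {
    iface="$1"; dns="$2"; web="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed (local resolvers, app IPC)
-A OUTPUT -o lo -j ACCEPT
# replies belonging to flows that were already accepted
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS to the chosen resolver: UDP for normal queries, TCP for large answers
-A OUTPUT -o $iface -d $dns -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $iface -d $dns -p tcp --dport 53 -m state --state NEW -j ACCEPT
# the single permitted webserver, HTTP and HTTPS
-A OUTPUT -o $iface -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $iface -d $web -p tcp --dport 443 -m state --state NEW -j ACCEPT
# log what is about to be dropped (rate limited) so blocked flows, such as a
# carrier proxy the device is forced through, show up in the kernel log
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: "
# catch-all: everything not explicitly allowed is dropped
-A OUTPUT -j DROP
COMMIT
EOF
}

# count_rules <iface> <dns_ip> <web_ip>: number of -A lines generated (sanity check)
count_rules() {
    build_egress_rules "$@" | grep -c '^-A '
}

# apply_egress_rules <iface> <dns_ip> <web_ip>: load atomically (needs root);
# -n leaves the nat/mangle tables untouched
apply_egress_rules() {
    build_egress_rules "$@" | iptables-restore -n
}

# Example invocation with constructed values (203.0.113.10 is a documentation address):
#   build_egress_rules ccmni0 8.8.8.8 203.0.113.10
```

The LOG line is the part that makes a silent failure like the provider proxy visible: a dropped flow shows up in dmesg with the EGRESS-DROP prefix instead of just timing out. Kernels that do not list LOG in /proc/net/ip_tables_targets (the list posted later in this thread is one such kernel) need that line removed or replaced by NFLOG.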
volleb said:
I used tcpdump and wireshark to see what might have gone wrong traffic, apparently my traffic had to go through a proxy from my provider that I blocked off in iptables. Why it still works fine with rmnet interfaces I have no clue.
This is because, in short, it uses a different way to connect, and this is only on MSM chipsets (see this link), while rmnet is standard Android fare.
I would like to run the command
Code:
iptables -t mangle -I POSTROUTING -o rmnet_data0 -j TTL --ttl-set 64
The command fails on the LOS 7.1.2 kernel with error: iptables: No chain/target/match by that name.
Checking the kernel for iptables TTL target support shows that it isn't present:
Code:
1|clark:/ # cat /proc/net/ip_tables_targets
HARDIDLETIMER
IDLETIMER
TRACE
NFQUEUE
NFQUEUE
NFQUEUE
NFQUEUE
NFLOG
CLASSIFY
DNAT
SNAT
CONNMARK
MARK
REJECT
MASQUERADE
ERROR
TCPMSS
TPROXY
TPROXY
REDIRECT
NETMAP
DNAT
SNAT
Is there/can someone compile a kernel with the iptables TTL target? I lack the ability to compile my own kernel.
Can some people try running
Code:
cat /proc/net/ip_tables_targets
and posting the result for their kernels?
Thanks!
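Whether a target is compiled into the kernel can be checked from the kernel's own lists before a rule is attempted, which turns "No chain/target/match by that name" into a definite answer. The script below is an added example and not from anyone in this thread: it reads /proc/net/ip_tables_targets (matches live in /proc/net/ip_tables_matches with the same one-name-per-line layout) and reports which of the requested names are missing. The sample list embedded in it is constructed, shaped like the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread: check which iptables targets the running
# kernel exposes before trying a rule that depends on them.
# Assumption: /proc/net/ip_tables_targets is readable (it is on stock Linux
# and Android kernels for a root shell).

# has_entry <list_contents> <name>: 0 if <name> is exactly one line of the list
has_entry() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}

# report_missing <list_contents> <name>...: prints each name absent from the list;
# exit status 0 when all are present, 1 when at least one is missing
report_missing() {
    list="$1"; shift
    rc=0
    for name in "$@"; do
        if ! has_entry "$list" "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# check_ttl_rule: the mangle rule from this thread needs the TTL target
# (provided by xt_HL, CONFIG_NETFILTER_XT_TARGET_HL); say so before iptables
# fails with a generic error
check_ttl_rule() {
    targets="$(cat /proc/net/ip_tables_targets 2>/dev/null)"
    if report_missing "$targets" TTL >/dev/null; then
        echo "TTL target is available; -j TTL --ttl-set N will load"
    else
        echo "TTL target is not in this kernel; -j TTL will fail with 'No chain/target/match by that name'" >&2
        return 1
    fi
}

# Constructed sample in the shape of the list posted above: no TTL, no LOG
SAMPLE_TARGETS='IDLETIMER
TRACE
NFQUEUE
NFLOG
CLASSIFY
DNAT
SNAT
CONNMARK
MARK
REJECT
MASQUERADE
TCPMSS
TPROXY
REDIRECT
NETMAP'

# Usage on the device:  check_ttl_rule
# Offline against the sample:  report_missing "$SAMPLE_TARGETS" TTL LOG MARK
```

Duplicate names in the real list (NFQUEUE four times, TPROXY twice) are different revisions of the same target and are harmless to this check, since it only asks whether a name appears at all.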
Hello, I'm trying to redirect my web traffic over mobile data with AFWall using an iptables startup script like so:
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
And this does not work? I'm rooted and running dnscrypt-proxy using a Magisk module, please help.
And yes, dnscrypt-proxy is running before I try this.
I also have DNS privacy in Android 9 turned off, and in AFWall preferences I have "DNS lookups via netd" turned off.
Look at the download section from magiskmanager
There is a full documentation
Second screen shot
OK, I see the commands to place in AFWall, but there's no way to copy and paste them; I have to type that all out manually?
OK, so I added the script to AFWall:
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
Now I get "unable to resolve" in any app until I remove the script.
I'm using the Note 7 with the SyberiaOS ROM; could this be my issue, or is there a terminal command to see running DNS ports?
And yes, I do still have live servers in dnscrypt.
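The "unable to resolve" result is what a DNAT to a port nobody listens on looks like: the script above sends port 53 to 127.0.0.1:5354, so the first thing to confirm is that dnscrypt-proxy is actually bound to that address and port. The script below is an added example, not part of this thread or of the dnscrypt-proxy project: it answers the "terminal command to see running DNS ports" question by reading /proc/net/udp directly (no ss or netstat needed on Android) and only emits the redirect rules when a listener exists. The resolver address/port and upstream address are placeholders supplied by the caller; the /proc/net/udp sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify a local resolver is listening on
# the DNAT target before redirecting port 53 to it.
# Assumptions: little-endian host (ARM/x86 Android), /proc/net/udp readable,
# resolver ip:port and upstream resolver passed in as arguments.

# hex_sock <ip> <port>: encode ip:port the way /proc/net/udp prints it
# (IPv4 address as a little-endian 32-bit hex word, port as 4 hex digits)
hex_sock() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        printf '%02X%02X%02X%02X:%04X' "$d" "$c" "$b" "$a" "$2"
    }
}

# udp_listener_present <proc_net_udp_contents> <ip> <port>
# Returns 0 when a socket bound to ip:port appears in the table (column 2).
udp_listener_present() {
    want="$(hex_sock "$2" "$3")"
    printf '%s\n' "$1" | awk -v want="$want" \
        'NR > 1 && $2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# dns_redirect_rules <resolver_ip> <resolver_port> <upstream_ip>
# Prints the nat rules that send all port-53 traffic to the local resolver,
# except the resolver's own upstream queries to <upstream_ip>.
dns_redirect_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A OUTPUT -p %s ! -d %s --dport 53 -j DNAT --to-destination %s:%s\n' \
            "$proto" "$3" "$1" "$2"
    done
}

# checked_redirect <resolver_ip> <resolver_port> <upstream_ip>
# Refuses to print the rules when nothing listens, which is exactly the case
# that produces "unable to resolve" in every app.
checked_redirect() {
    table="$(cat /proc/net/udp 2>/dev/null)"
    if udp_listener_present "$table" "$1" "$2"; then
        dns_redirect_rules "$@"
    else
        echo "no UDP listener on $1:$2; fix the resolver port before adding the DNAT" >&2
        return 1
    fi
}

# Constructed /proc/net/udp sample: a resolver bound to 127.0.0.1:5353 (0x14E9)
# while the script in this thread redirects to port 5354 (0x14EA)
SAMPLE_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0100007F:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0'

# On the device:  checked_redirect 127.0.0.1 5354 9.9.9.9
# Offline against the sample:  udp_listener_present "$SAMPLE_UDP" 127.0.0.1 5353 && echo listening
```

Against the constructed sample the check fails for port 5354 and succeeds for 5353, which is the kind of one-digit mismatch between the proxy's listen port and the DNAT target that leaves every lookup unanswered. /proc/net/tcp has the same column layout if the resolver also serves DNS over TCP.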
notreal456789 said:
OK, so I added the script to AFWall:
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
Now I get "unable to resolve" in any app until I remove the script.
I'm using the Note 7 with the SyberiaOS ROM; could this be my issue, or is there a terminal command to see running DNS ports?
And yes, I do still have live servers in dnscrypt.
It is a German page, but maybe with Google Translate it will be helpful.
https://www.kuketz-blog.de/afwall-wie-ich-persoenlich-die-android-firewall-nutze/
Sorry, I don't use AFWall.
Found this:
# Set a specific DNS-Server (dismail.de AdBlocking DNS-Server) for all networks except home WiFi (192.168.150.0/24)
$IPTABLES -t nat -I OUTPUT ! -s 192.168.150.0/24 -p tcp --dport 53 -j DNAT --to-destination 80.241.218.68:53
$IPTABLES -t nat -I OUTPUT ! -s 192.168.150.0/24 -p udp --dport 53 -j DNAT --to-destination 80.241.218.68:53
But I need this to work for Wi-Fi as well. Any help would be nice.
What other methods do people use to run dnscrypt-proxy? I have the server running, I just can't connect.
OK, so here's the scoop using dnscrypt-proxy on Android 9:
Gone
Still, I honestly wish I could just use AFWall or an edit like resolve.config; guess I'll have to wait for updates.
Hi guys,
I have Debian installed on an Android MTK-based phone using the Linux Deploy app.
As you may know, Debian is actually using the device kernel.
In my case it is a 3.18 kernel.
That doesn't matter actually; you could try arptables with Termux or whatever you wish, but I can't use it!?
It is the nft-based arptables, version 1.8.2, and if I try:
arptables -I IN -s 192.168.0.10 -j DROP
Segmentation fault
If I try :
arptables -A IN -s 192.168.0.10 -j DROP
arptables: Invalid argument
Basically -A always gives "Invalid argument" and -I gives a segmentation fault, no matter the command.
If I try:
arptables -L
arptables v1.8.2 (nf_tables): TABLE_ADD failed (Invalid argument): table filter
iptables-legacy works, but I specifically want arptables because I need it to alter MAC addresses.
There must already be a working process, as they are available at /proc/net/arp.
Does anyone know how to use arptables (nft-based)?
Thanks