[Q] http(s)-proxy issues - Android Software/Hacking General [Developers Only]

Hello!
First of all: Thank you daveba for your great work! ( http://forum.xda-developers.com/showthread.php?t=766569 ).
I've got a Desire Z and installed Cyanogenmod 6.1.1.
With the usual settings of redsocks the packets were sent again and again to it. So I had to insert the iptables rule
iptables -t nat -I OUTPUT 1 -d <my proxy ip> -p tcp --dport 80 -j ACCEPT
to send the packets destined for my proxy directly to it.
(My proxy listens on port 80/tcp only, no matter which protocol (http, https).)
After that all apps (browser, Google Market, YouTube...) but Google Maps worked.
With the compiled transproxy from http://transproxy.sourceforge.net all but the downloads in Google Market worked. (I considered the ports 80, 443 and 5228.)
Does anyone have the same problems with these tools and know how to fix it?
Thx!

Related

SSH tunnel - socks5 proxy

Hello all,
I lost a day of my life, used FF with over 80 open tabs, around 2.5 GB RAM... to find a solution to create an SSH tunnel... nothing worked.
In Windows on my work laptop I had only to run (I also configured my .ssh/config file with my work proxy IP):
ssh -D 1080 -p 1822 [email protected]
Then point my Firefox network connection to my localhost SOCKS5 proxy on port 1080.
And I would surf the net protected, or not blocked by the company firewall.
I saw sshtunnel on the market, I tried it... it connects but when I check the outgoing IP it's still the carrier's IP and not my SSH server.
As it doesn't give any errors I don't know where it fails... the iptables rules for global connections?
Can someone help me out please?
(Dropbear doesn't have -D and I couldn't find how to do dynamic port forwarding with this SSH client.)
I'm on Android 4.2.2
Sent from my SGS2 on SB4.2.2
When I do:
iptables -vL -t nat
I see some errors, or warnings:
getprotobynumber(int)(3) is not implemented on Android
I tried setting the iptables rules manually, but with no luck.
Maybe someone can tell me what the rules should look like:
I tried:
iptables -t nat -A OUTPUT -d 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,127.0.0.1 -j ACCEPT
iptables -t nat -A OUTPUT -p 6 --dport 80 -j DNAT --to 127.0.0.1:1080
I tried: ConnectBot + ProxyDroid
connected via SSH to: [email protected]
added dynamic port filtering to: 8123
configured ProxyDroid as SOCKS, localhost on port 8123
no connection could be made from any browser (the default one, or Opera)
So, I'll try installing Firefox mobile with the Proxy Mobile add-on, to see whether the SOCKS proxy created by the SSH tunnel is working; if so, it means that the iptables rules from ProxyDroid aren't OK... or something.
I'm thinking that on the PC at work, as I use a proxy to get out on the internet, I had to configure SSH to use that proxy to be able to create the tunnel.
After that I configured Firefox to use that tunnel/SOCKS proxy.
On my mobile phone I have the same thing with my mobile 3G carrier, as it uses a proxy in the APN settings... don't I have to configure the SSH somehow as well? Or set some iptables rule to exclude the SSH connection from redirecting to localhost:8123?
PS: my iptables version is 1.4.11.1
I tried configuring ProxyDroid to my 3G IP and the 8123 port, still no luck.
You may want to change the localhost port.
System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535)
I would change from a User Port (8123) to a Dynamic port like 56001. That may fix your problem.
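The first post (packets to the upstream proxy being fed back into redsocks) and the SSH-tunnel post (wanting to exempt the SSH connection from the redirect) are the same problem: whatever the redirector itself talks to must be exempted before the REDIRECT rule, and the redirect must land on a transparent-proxy port such as redsocks' local port, not on the SOCKS port itself, because a SOCKS server expects its handshake first and cannot take a raw HTTP request. The script below is an added example, not code from either poster or from the redsocks project; the proxy address 10.0.0.5:80 and the redsocks port 12345 are constructed placeholders. It prints the rules unless IPT=iptables is set (root needed to apply).

```shell
#!/system/bin/sh
# Added example: transparent redirect through redsocks with the loop guards
# in place.  Dry-run by default; run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# redsocks_rules PROXY_IP PROXY_PORT REDSOCKS_PORT
# A dedicated nat chain makes the ordering explicit:
#   1. traffic to the upstream proxy is never redirected (the loop the first
#      post hit), 2. loopback and private ranges are left alone,
#   3. everything else on tcp goes to redsocks' local port.
# The chain must not already exist; flush/delete it (-F, -X) before re-running.
redsocks_rules() {
    proxy_ip=$1; proxy_port=$2; redsocks_port=$3
    $IPT -t nat -N REDSOCKS
    $IPT -t nat -A REDSOCKS -d "$proxy_ip" -p tcp --dport "$proxy_port" -j RETURN
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -t nat -A REDSOCKS -d "$net" -j RETURN
    done
    $IPT -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports "$redsocks_port"
    # Only locally generated traffic (the phone's own apps) enters the chain.
    $IPT -t nat -A OUTPUT -p tcp -j REDSOCKS
}

# loop_guard_ok RULES_TEXT PROXY_IP: check that the exemption for the proxy
# comes before the REDIRECT; returns 1 if it is missing or ordered wrongly.
loop_guard_ok() {
    guard=$(printf '%s\n' "$1" | grep -n -- "-d $2 " | head -n 1 | cut -d: -f1)
    redir=$(printf '%s\n' "$1" | grep -n -- "-j REDIRECT" | head -n 1 | cut -d: -f1)
    [ -n "$guard" ] && [ -n "$redir" ] && [ "$guard" -lt "$redir" ]
}

rules=$(redsocks_rules 10.0.0.5 80 12345)   # constructed proxy/redsocks values
printf '%s\n' "$rules"
loop_guard_ok "$rules" 10.0.0.5 && echo "ok: proxy exemption precedes REDIRECT"
```

The ordering check is the useful part: a rule set that is correct but appended in the wrong order (REDIRECT first, exemption later) produces exactly the "sent again and again" symptom, since the exemption is never reached.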

[Completed] Scripting, forward a specific port from tun0 to wlan0 to PC

I have this script running on boot and cycling on a timer to make my wifi hotspot send data through a PIA VPN. PIA will assign a single port allowed to be used for forwarding and I now want to forward that assigned port to a PC connected to the wifi hotspot. The PC's local IP address is 192.168.1.252 (hotspot assigned but I can set it static) and the port number is 40212. Is there a way to add that routing to this script?
while sleep 30; do
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 8.8.8.8
ip rule add from 192.168.1.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.1.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
done
Hi,
Please sign up on the forums and post in General Q&A:
http://forum.xda-developers.com/general/help
Though personally I think you can find better information on Linux admin sites.
Probably try using the man pages for iptables?
Good day!

Routing instead of NAT/Masquerade for WiFi Tether clients

When clients connect to Android tethering they get IPs of the private tethering network. There is plenty of info available on how to NAT/masquerade the WiFi tethering clients (for example into a VPN), but I haven't managed to find how I should change or rewrite the iptables rules and routes in order to avoid NAT/masquerading and just do ordinary routing from the tethered devices' IPs to the other networks (or a VPN).
Example: local tether client 1 gets 192.168.43.1/24, local tether client 2 gets 192.168.43.2/24, ... and at the VPN interface we have the 10.1.0.0/24 network. Disabling NAT and adding the routes in an ordinary router is easy, but I need help to do it on my Android device. Thank you. Peter
HI Peter
I found this code from my friend. Just save the code with a text editor like Jota+ (from the Google Play store).
This code will forward all traffic from WiFi tethered clients to the VPN. Just run it via a terminal emulator.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
ndrancs said:
HI Peter
I found this code from my friend. Just save the code with a text editor like Jota+ (from the Google Play store).
This code will forward all traffic from WiFi tethered clients to the VPN. Just run it via a terminal emulator.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
Thank you very much NDrancs. Are you sure it's just routing the packets with their original IP? It's just because on the fourth line I see a MASQUERADE. I will check. Thank you so much for your time.
Peter
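Peter's reading of the script is right: the fourth line masquerades, so the VPN side only ever sees the phone's tunnel address. The script below is an added example (not the posted script, nor anything from its author's friend) that covers both threads above: the hotspot-to-VPN policy routing with a switch between masquerading and plain routing, and the inbound port forward the earlier poster wanted (PC 192.168.1.252, port 40212, from that post). The interface names wlan0/tun0 follow the posts. Without NAT the far end of the tunnel must carry a return route for the tether subnet, or replies never come back; that is a property of routing, not of Android, and a commercial VPN endpoint will not have such a route, so the NAT-free mode only works against a VPN server you control. The script prints the commands unless IPT=iptables IP=ip are set.

```shell
#!/system/bin/sh
# Added example: tether clients -> VPN with an optional inbound port forward
# and a masquerade/routing switch.  Dry-run by default; run as root with
# IPT=iptables IP=ip to apply.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

# tether_to_vpn LAN_CIDR LAN_IF VPN_IF NAT
#   NAT=yes  masquerade, as both posted scripts do
#   NAT=no   route the clients' own addresses; the far end of VPN_IF must then
#            have a return route for LAN_CIDR (assumption: a VPN you control)
tether_to_vpn() {
    lan=$1; lan_if=$2; vpn_if=$3; nat=$4
    # Flush first so the script can be re-run from a timer without stacking rules.
    $IPT -t filter -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Forward only between the two interfaces, not every interface on the phone.
    $IPT -t filter -A FORWARD -i "$lan_if" -o "$vpn_if" -s "$lan" -j ACCEPT
    $IPT -t filter -A FORWARD -i "$vpn_if" -o "$lan_if" -d "$lan" \
         -m state --state RELATED,ESTABLISHED -j ACCEPT
    if [ "$nat" = yes ]; then
        $IPT -t nat -A POSTROUTING -s "$lan" -o "$vpn_if" -j MASQUERADE
    fi
    # Policy routing: only the tether subnet is steered into the tunnel.
    $IP rule add from "$lan" lookup 61
    $IP route add default dev "$vpn_if" scope link table 61
    $IP route add "$lan" dev "$lan_if" scope link table 61
    $IP route add broadcast 255.255.255.255 dev "$lan_if" scope link table 61
}

# forward_port VPN_IF PROTO PORT CLIENT_IP: deliver a port arriving on the VPN
# interface to one hotspot client.  The FORWARD entry is required because the
# rule in tether_to_vpn only admits replies from the VPN side, not new flows.
forward_port() {
    vpn_if=$1; proto=$2; port=$3; client=$4
    $IPT -t nat -A PREROUTING -i "$vpn_if" -p "$proto" --dport "$port" \
         -j DNAT --to-destination "$client:$port"
    $IPT -t filter -A FORWARD -i "$vpn_if" -p "$proto" -d "$client" --dport "$port" \
         -m state --state NEW -j ACCEPT
}

# uses_masquerade RULES_TEXT: true if any emitted rule masquerades.
uses_masquerade() { printf '%s\n' "$1" | grep -q -- '-j MASQUERADE'; }

# Values from the port-forward post: hotspot 192.168.1.0/24, PC .252, port 40212.
tether_to_vpn 192.168.1.0/24 wlan0 tun0 yes
forward_port tun0 tcp 40212 192.168.1.252
```

The FORWARD rules are deliberately narrower than the blanket `-I FORWARD -j ACCEPT` in the posted scripts: a phone that forwards between any pair of interfaces also forwards from the tunnel into the hotspot, which is exactly what the port-forward rule is meant to open for one port only.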

Slashdot "Open Ports Create Backdoors In Millions of Smartphones"

Slashdot is running a story about how lots of Android apps listen on ports for incoming connections.
https://it.slashdot.org/story/17/04/28/2343222/open-ports-create-backdoors-in-millions-of-smartphones
I was quite surprised by this as I thought virtually all Android apps would be outbound only and wouldn't need to create a listening socket, unless a genuine server (SSH/FTP/HTTP etc). But I ran a "netstat -apn | grep -i listen" on my phone, and to my surprise my mobile provider's VoIP app is listening on a port (again I thought it would be outbound only). And worse, I can happily connect to it from my WiFi.
I added iptables rules to block inbound connections but allow outbound unrestricted. The VoIP app seems happy enough.
I'm also surprised (for me this is LineageOS, but I assume it's common to all Androids) that the default iptables rules don't block inbound connections, with an API allowing apps to request inbound on specific ports or something.
My iptables rules are below (covering v6 too):
Code:
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j DROP
ip6tables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j DROP
I had a further look at one of the apps I have listening. I picked the popular Plex client app. Here is the netstat output (it also listens on a number of loopback ports but no big deal there):
tcp6 0 0 :::44411 :::* LISTEN 13084/com.plexapp.android
So it listens on IPv4 and IPv6. Telnetting to this port, it seems to have some sort of web server listening on it:
Escape character is '^]'.
get /
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=UTF-8
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1209600
Failure: 500 Internal Server Error
Connection closed by foreign host.
Not sure why a client app like this needs to listen really.
I have slightly modified my iptables rules to allow IPv6 SLAAC to work properly and to allow SSH (as an example allowed incoming service) in from my local IP addresses (and IPv6 local ULA addresses) on WiFi.
Code:
#!/system/bin/sh
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 33791 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 33791 -j ACCEPT
ip6tables -A INPUT -s fda1:12B0:97A1::/64 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -j DROP
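The `netstat -apn | grep -i listen` check in the post finds TCP listeners but misses UDP sockets (they have no LISTEN state) and does not separate loopback-only services, which the INPUT rules above leave reachable anyway, from ones bound to all addresses. The script below is an added example, not the poster's, that reads `netstat -apn` output (net-tools column layout as quoted in the post; run as root so the PID/Program column is filled) and reports only sockets reachable from outside the phone. The sample output is constructed: the Plex line is the one quoted above, the other program names are invented.

```shell
#!/system/bin/sh
# Added example: list sockets reachable from other hosts, i.e. listening
# sockets not bound to a loopback address, from `netstat -apn` output.

# exposed_listeners: reads netstat -apn lines on stdin, prints
# "proto local-address pid/program" for TCP LISTEN and UDP sockets that are
# bound to anything other than 127.0.0.0/8 or ::1.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/            { next }   # header line and unix sockets
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established TCP is not a server
        $4 ~ /^127\./ || $4 ~ /^::1:/ || $4 ~ /^::ffff:127\./ { next }
        { print $1, $4, $NF }
    '
}

# sample_netstat: constructed output.  The :::44411 Plex line is the one from
# the post; com.example.voip and com.example.local are placeholders.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:32400         0.0.0.0:*               LISTEN      13084/com.plexapp.android
tcp6       0      0 :::44411                :::*                    LISTEN      13084/com.plexapp.android
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN      2211/com.example.voip
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           2211/com.example.voip
tcp6       0      0 ::1:8080                :::*                    LISTEN      3001/com.example.local
tcp        0      0 192.168.1.20:44411      192.168.1.5:55110       ESTABLISHED 13084/com.plexapp.android
EOF
}

# exposed_count: number of exposed sockets on stdin; handy as a regression
# check after changing the firewall or uninstalling an app.
exposed_count() { exposed_listeners | wc -l | tr -d ' '; }

sample_netstat | exposed_listeners
echo "exposed sockets: $(sample_netstat | exposed_count)"
```

On a real device replace `sample_netstat` with `netstat -apn` (or `su -c netstat -apn`). Anything this prints is what the `INPUT -j DROP` rule in the post is protecting; the loopback-only entries it hides are unaffected by that rule and need no exception.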

About internal port forwarding for dummies

Hi everyone, I've been looking for a week and haven't found anything.
Is it possible, on a rooted Android 10, to perform port forwarding so that the incoming port 443 on my public IP is mapped to port 8080 on my Android?
Let me explain: I have a domain name pointing to my Android which hosts an https (ssl) server (listening on port 8080). So to display my site I need to type monsite.com:8080. What I'd like is to be able to use monsite.com (without a specific port) and for everything that comes in via port 443 (https) to be routed to port 8080 on my rooted Android.
Can iptables do this?
In the absence of a turnkey answer, do you have an avenue of research? I did find some articles talking about apps like "port forwarder" but they no longer exist. I've also tried Apache listening directly on 443 via Termux but I get a socket not available error and it refuses to start.
I'm running out of ideas.
Good day
l2ol3
l2ol3
One week + a few hours to find a solution.
Code:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
Seems to work.
Sorry for the inconvenience.
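Two things the one-liner above leaves open: it applies to every interface, including WiFi and mobile data alike, and running it again (for instance from a boot script, since nat rules do not survive a reboot) appends a second identical rule. The script below is an added example, not the poster's; it restricts the REDIRECT to one ingress interface (wlan0 is an assumption for the example; on a phone the public-facing interface may be the mobile-data interface instead), adds the ip6tables twin, and uses `-C` to check before `-A` so it is safe to re-run. It also covers the case of testing from the phone itself: PREROUTING only sees packets from other hosts, so a local browser hitting port 443 needs the same redirect in the nat OUTPUT chain. Rules are printed unless APPLY=yes is set (root needed).

```shell
#!/system/bin/sh
# Added example: idempotent 443 -> 8080 redirect restricted to one interface.
# APPLY=yes (as root) executes the commands; otherwise they are printed.
APPLY="${APPLY:-no}"
run() { if [ "$APPLY" = yes ]; then "$@"; else echo "$@"; fi; }

# ensure_rule TOOL TABLE CHAIN RULE...: append only if `-C` reports the rule
# absent, so re-running from a boot script does not stack duplicates.
ensure_rule() {
    t=$1; table=$2; chain=$3; shift 3
    if [ "$APPLY" = yes ] && "$t" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run "$t" -t "$table" -A "$chain" "$@"
}

# https_to_app IFACE FROM TO: tcp/FROM arriving on IFACE is delivered to the
# local listener on TO.  The OUTPUT rule makes a test from the phone's own
# browser behave the same way, since locally generated packets never
# traverse PREROUTING; `-o lo` limits it to connections to the phone itself.
https_to_app() {
    iface=$1; from=$2; to=$3
    for tool in iptables ip6tables; do
        ensure_rule "$tool" nat PREROUTING -i "$iface" -p tcp --dport "$from" \
            -j REDIRECT --to-ports "$to"
        ensure_rule "$tool" nat OUTPUT -o lo -p tcp --dport "$from" \
            -j REDIRECT --to-ports "$to"
    done
}

https_to_app wlan0 443 8080   # interface name is an assumption for the example
```

REDIRECT only rewrites the destination port; the server on 8080 still has to be bound to a non-loopback address and the INPUT chain must accept port 8080 (not 443, because nat runs before filter and the packet already carries the new port by then).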
