Hello,
Recently bought an android phone and I decided to register on XDA as it seems to be full of helpful members Thanks for this forum.
I have installed Droidwall on my phone running stock ICS. Droidwall does its job by allowing or denying application connection, so basically it allow an app to connect everywhere on the web or deny it. There are 2 modes : balck and white list. I am using white list meaning everything is reject exept the apps I have ticked (3g,wifi).
What I am trying to achieve is configuring Droidwall to allow application to connect only where I want to (specific IP or IP range). A simple example would be the inbuilt messaging application. It effectively needs to connect to internet for MMS but not the whole WEB, simply to my carrier. This will prevent data leakage from the application that ask abusives permissions for example.
The good thing is that Droidwall allow custom scripts so we can add rules to the iptables. Unfortunately I did not find any relevant example on XDA nor elsewhere.
I only found :
https://code.google.com/p/droidwall/wiki/CustomScripts
http://forum.xda-developers.com/showthread.php?t=1283162
I tried without luck :
Code:
$iptables -A droidwall -d xxx.xxx.xxx.xxx -m owner --uid-owner 10092 -j ACCEPT
or
$iptables -A "droidwall" -destination "xxx.xxx.xxx.xxx". -m owner --uid-owner 10092 -j ACCEPT
10092 is my application ID.
xxx.xxx.xxx.xxx the ip where I only want this application to connect to.
Any help would be greatly appreciated and could server for others
Thank you even for reading this entirely post.
I have ConnectBot configured to tunnel to a remote machine and the appropriate ports forwarded to access several services on that machine. As I understand it I further need a proxy layer to pass traffic to ConnectBot locally. I currently use proxydroid for this purpose. It worked the first time I configured it and I only recently found something about it I do not like and went in search of alternative proxy apps that might behave in the way I need.
The goal is to be able to write a Tasker sequence that connects the tunnel (completed this portion) and then activates the proxy. Unfortunately there is not automated way that I can determine to toggle proxydroid active/inactive. The interface, AFAICT, requires manual interaction in order to turn it on and off. proxydroid does have an option to automatically connect in the presence of certain networks but that it almost entirely useless to me, in fact, it would be better if it could connect when a particular network is NOT present.
Anyhow, in my search for alternative proxies I discovered a few apps that have some serious potential but hardly work:
Auto Proxy (not to be confused with AutoProxy): Is free, has amazing options for autoconnecting based on IP strings (which would be super and not involve Tasker at all) and has some of the more unique features. Unfortunately this proxy does not work in the least. I may be doing it wrong but it should be kept in mind that I can easily use proxydroid so the settigns are a known factor.
AutoProxy Lite: Is free, has fairly limited options and requires the paid version to autoconnect but even then autoconnection appears to be based on network presence which as I have mentioned is useless. This one I can get to work although I have to enter the necessary ports in the forwarding section which is really strange to me. The port forwarding should be happening at the tunnel not at the application layer but whatever if it works. The interface leaves much to desired, options are extremely limited and I just don't get the warm fuzzies about using the app. Using the free version will result in nag screens which will trip up any automated use.
Sandroproxy: Is free, appears to be fairly configurable and would be easy to automate with Tasker. Unfortunately this proxy doesn't work at all either. I appreciate the direct iptables output this one offers.
iptables, yes, now that we are talking about iptables I have some questions. I have a passing understanding of iptables/ipchains and can parse an iptables stack and can do some mediocre manual entry into one. However, regardless of which proxy I activate a listing with "iptables -L" always indicates a stock iptables stack. I've read that kernel level support must be enabled for iptables to work which would explain the failure of the 2 apps that don't work at all and the unchanging iptables list output. I'm using CleanKernel which is stock with some CPU frequency change allowance and some optimizations but nothing added outside stock. So, does a stock GS3 kernel support iptables/netfilter? Are the working apps using a method outside iptables? I suspect my iptables works fine but I'm missing something about how to get appropriate listing from it.
What the hell is keeping the other apps from working?
Any help is appreciated even if it input on passing startup info to proxydroid which "just works" 100% of the time.
Hi,
As far I can understand you have tunnel from android to machine and you want that some application use it.
So you probably want to redirect some android port to android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achive that.
iptables v1.4.11.1 check
netstat -tulnp | grep 8080 verifies ConnectBot listening on 8080 check
(why simply appending :8080 to the address IP doesn't hit CB without proxying it there was initially confusing but below i discuss the socks proxy)
(note, establishing proxydroid on any port that CB is forwarding will result in xxx.xxx.xxx.xxx:$port being forwarded through the tunnel so long as $port is in CB's config to forward since proxydroid is currently configured as a global proxy)
I tried a few variations of your supplied iptables append string with no positive results which is fitting with the below discussion about no socks proxy in place.
Armed with the knowledge that there is more than one table and I was simply listing the filtering table I fired up proxydroid and listed the NAT table and found all traffic redirected to port 8123. Netstat confirmed redsocks listening on port 8123. So, this leads me to believe that the missing element in simply redirecting traffic to port 8080 or any other tunneled port is a socks5 proxy.
I am currently chewing through this link: http://przemoc.net/tips/linux#making_socks_proxy_transparent with the intent of leveraging iptables and redsocks to perform the needed redirects manually possibly switched on and off with shell scripts executed by Tasker (although, if i can successfully configure to redirect based on destination ip/address then, for my putposes the only automation required is that which I have already achieved; establishing and shutting down the tunnel.
Any further insight you have to the above ends is greatly appreciated and I thank you for your input to date.
SandroBSupp said:
Hi,
As far I can understand you have tunnel from android to machine and you want that some application use it.
So you probably want to redirect some android port to android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achive that.
Click to expand...
Click to collapse
I will try with some simple Apache/ConnectBot/telnet configuration and let you know.
I tested and it works.
How I set up enviroment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. find out app id of browser on android with ps command and used same id in iptables rule
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
4. checked iptables rules that shows redirection
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Your environment seems optimal for making this work. And, maybe I need to reevaluate my remote end environment.
Currently the ssh daemon operates on a server machine that also includes a socks5 proxy for allowing unrestricted and encrypted access from any location. The service interfaces I wish to access remotely, however, reside on a separate machine on the same network. This means that the IPort has to pass unmolested through the tunnel. The socks5 proxy on the sshd machine is irrelevant to this process, it should be noted. However, as I understand it, the port being forwarded through the tunnel does have to be a dynamic port in order to appropriately reach the second PC. Dynamically forwarded ports are handled with a socks protocol in ConnectBot.
So my environment is as follows
192.168.1.101 serves sshd on port 22.
192.168.1.100 serves interfaces on ports 2100, 8080, 80801 and 8082.
From the android device (S3) I expect to enter the address 192.168.1.100:8080 into a browser and have the related service interface be accessed remotely. This is exactly what occurs with the appropriate ports forwarded from ConnectBot and using proxydroid as a global proxy or even as a proxy tied directly to the app similar to your iptables string that matches the owner application. It should be noted that since the port is dynamic it really only requires ConnectBot to have a single port forwarded and for the redirection to jump to that port regardless of the originating port (say, 8080 or 8081 or 2100) because the originating port passes the tunnel unmolested in this configuration.
It sounds like I could relocate the sshd to the PC hosting the service interfaces and alleviate this issue (maybe, possibly) of having to use dynamic ports and use a more traditional explicit local to remote port forwarding scheme. However, knowing that it can be achieved otherwise leads me to seek a solution that doesn't require reconfiguration of the remote PCs and all of the various machines I have configured to access this configuration remotely for other purposes.
I did try your iptables string exactly and also without the owner application matching making it a more global redirect if I parse it correctly. I also tried these configurations with ConnectBot configured with traditional instead of dynamic port forwards but neither way works.
I still believe that the proxydroid method is succeeding because it includes the socks5 proxy layer via redsocks. I believe but cannot prove that this is what enables the dynamic port forwarding to work through the tunnel. While the method you are outlining makes good theoretical sense it is failing in practice.
All that said, I decided to run a test wherein I redirected all traffic on port 80 to port 6543 and then configured connectbot to forward from port 6543 to port 8118 which should engage my remote socks5 proxy and use my remote internet connection. It appeared to work and to double check I disconnected ConnectBot yet somehow my android browser still had no issues accessing internet sites on the 4g connection. So, apparently iptables is being ignored entirely or I am completely missing the boat, here.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Explain how that successfully fetches http requests despite having a service listening on 6543 to facilitate it.
Not sure if it was required to use that -m match switch to tie the iptables rule to an application so I tried:
ps | grep lan =
Application is 23094
therefore
iptables -t nat -A OUTPUT -m owner --uid-owner app_23094 -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere owner UID match app_23094 tcp dpt:www to 127.0.0.6543
Same result; not tunnel or service listening on 6543 but successful fetch of http requests.
SandroBSupp said:
I tested and it works.
How I set up enviroment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. find out app id of browser on android with ps command and used same id in iptables rule
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
4. checked iptables rules that shows redirection
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Click to expand...
Click to collapse
Before I investigate further...
Is this a typo or iptables doesn't work okey?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Yeah, that was a typo into the forum.
I have globally redirected all port 80 traffic to localhost port 6543 with no service listening on 6543 yet any browser will successfully fetch pages. It seems iptables is being ignored entirely although it should be noted proxydroid modifies iptables to a successful result.
SandroBSupp said:
Before I investigate further...
Is this a typo or iptables doesn't work okey?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Click to expand...
Click to collapse
Just for fun I installed DroidWall and blacklisted both browsers on my phone. Neither browser has any issues whatsoever retrieving webpages despite the blocks. I listed the iptables to verify there are indeed blocks in place. My iptables are being ignored entirely. Any input to this regard would be quite helpful. Obviously any attempts to manipulate packet redirection with iptables is meaningless if the tables are ignored.
Strangely, proxydroid is effective and it is making changes to iptables when enabled, so I have no idea WTF at this point.
Okay, I deleted all chains which seems to have cleared up the issue with all rules being ignored. If I am not mistaken my output chain was being directed to a chain called samsung_market_policy so, if I wasn't placing the rules within that chain (and I was not) they were being jumped before they could be read. I have no idea what breaks when you remove the samsung_market_policy chain but considering it was an empty chain I suppose nothing.
That said, I can now successfully redirect port 80 traffic to port 6543:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 6543
^^^If no service listens on 6543 the browser provides an error message as expected. With ConnectBot listening on 6543 and forwarding through the tunnel to remote port 8118 where I have a proxy server listening the pages fetch.Note a socks5 proxy is listening on the remote machine at port 8118 to manage the retrieval of the pages.
Sooooo, now I flush the above rules and enter:
iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 127.0.0.1:8080
^^^Should, in my understanding send all tcp traffic of any variety to localhost port 8080 where I have ConnectBot configured to forward dynamically to the remote machine.
Passing any address of any variety fails in this instance. There is a service listening on remote machine 192.168.1.100:8080. This address fails where it would not do so with a local socks5 layer. Google.com fails as well, which makes sense considering there is no proxy to perform the domain resolution but so does passing 74.125.137.138 which is Google.com's direct IP address.
I have further testing to do and will report back. If you have any input I am eager to hear it.
I will add that I am back on the same merry go round:
2 of the proxies do not work 2 of them do. The 2 that do will not connect without direct user interface on screen. At any rate, I remain convinced a local proxy layer is needed for my purposes.
The 2 proxies that do work are explicitly socks5 while the 2 that are not simply state they are socks.
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Yes, this works... for a wifi connections. However, I am rarely connected to wifi and when I am it is the network that the remote pcs are attached to so all of this becomes unnecessary.
For a 3G/4G connection I need to either:
A) Easily and automatically toggle a global proxy on and off (the main complaint with proxydroid is this missing feature)
or
B) Make a permanent redirect of destination IP 192.168.0.0/8 to the proxy without stripping the destination port information so that the transport carries that information.
A kludge solution I am currently using is to install FireFox mobile and then the Network Connections plugin which allows all FireFox traffic to be pointed to my ConnectBot tunnel. Then, in this way, to access my remote service I simply use FireFox Mobile and my other browsers for normal traffic.
This is a less than ideal solution, unfortunately, as I would like to be able to use any browser and also and more importantly other applications such as AndFTP, which fail unless a local socks5 layer is transporting the destination IP AND Port through the tunnel. That is, if AndFTP or a normally configured browser are pointed to the tunnel then the port information only serves the purpose of reaching the tunnel and is not transmitted to the remote end for connecting to remote services on their respective ports. There HAS to be a local transport layer that is moving the destination IP AND Port unmolested to and through the tunnel.
All that said, I suspect my earlier attempts at iptables redirection were successful at transmitting the packets TO the remote computer but additional rules must be configured to parse the incoming packets FROM the remote computer.
My next efforts will be directed at creating a shell script that sets up a redsocks proxy and an iptables redirection for the 192.168.0.0/8 range to that proxy. Which, is effectively recreating the efforts of people like yourself who wrote applications such as Sandroproxy, proxydroid and Auto Proxy. I will also be sending a request to proxydroid developers for an easier on/off toggle such as a checkbox instead of the current slider which cannot (as far as I know) be automated or, even better, to have that proxy auto-effect for a destination IP range.
SandroBSupp said:
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Click to expand...
Click to collapse
As I already wrote there is an a easy way to get working the tethering function on stock Roms.
And is ISWAT Tether Unlocker from the playstore.
By the way, this solution is either manual (in the free version) or costly (taking in account the payd one), and is not tailored for a specific device, so it opens all the traffic fro many network adapter to any network adapter, adding some potential security issues.
There is a quick and easy way to get the some effect, in a completely silent and free way, and opening the traffic just on the needed path, for our specific Phone.
So (assuming your PQ is already rooted) install the command iptables (manually or trough an installer from the playstore) then use the following script:
Code:
#!/system/bin/sh
#
iptables -F &&
iptables -F -t nat &&
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT &&
iptables -I FORWARD -s 192.168.43.0/24 -j ACCEPT &&
iptables -P FORWARD DROP &&
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
Use a decent editor like notepad++ and save it with a recognizable name, something like tetheron.sh ( use the UNIX format, not the DOS one or it will not work).
Then copy it on your phone in a place included in the path (say /system/xbin or /system/bin), and make it executable (chmod 755).
Then try if it works launching it from the terminal (just type tetheron.sh from a root command prompt) then try the stock hotspot function.
If you made no mistake in the process you can manage to start the command when the phone boots.
This can be done in several ways: including it in rc.local if your kernel is init.d enabled, you can use a script manager from the Playstore, you can use Tasker (or a similar SW) to launch it at boot.
if you use Tasker or a script manager remember to launch the script as root.
That's all.
The script I posted is meant for stock ICS ROMs and for WIFI tethering only, but you can edit it easily for any configuration.
If you are on JB just check the IP assigned to the hotspot network, if it is different than 192.168.43.x you have to edit the script accordingly.
The web is plenty of tutorials about iptables and linux networking.
That's all, let me know if everything goes as expected.
Confirmed that this works on CyanogenMod 11 (msm8960) to make the stock tether (buried deep in the network settings) work.
Actually the built-in AP (WiFi tethering in other words) is functioning.
I have to set the DNS for the connected devices myself but it works after that.
I wasn´t able to post the question directly under the Superman Costum Rom thread. So I try to do it here.
I installed [ROM][STABLE][TW][6.0.1][BPH6][24.08.16][SM-G930F/FD/W8] SuperMan-Rom V1.12 Aroma today. And as far it works really fine. But what bugs me is that I was able to use USB-Lan Adapter under Stock Rom that was just rooted. I only needed to input the following in the android console:
- ip link
- ifconfig eth0 up
- dchpcd eth0
The adapter started to work. I could ping to different web pages and play games etc. Only a few apps didn´t recognize internet. But after installing Superman Rom the same procedure doesn´t work any longer. I can ping to my router but not further. Any ideas so far? Thanks in advance.
So far I´ve got it working. Only if anybody wants to know it.
Its following steps:
- Root the device.
- Then install Terminal Editor or a different app like that.
then:
ip link
(shows eth0 your usb ethernet adapter somewhere in the list)
dhcpcd eth0
ndc resolver setnetdns eth0 8.8.8.8 8.8.4.4 (this line was the reason why I started this thread, my eth0-adapter couldnt resolve the dns)
then enter the following ip-rules:
ip rule add from all fwmark 0x101f7/0x1ffff lookup 1024 pref 13000
ip rule add from all oif eth0 lookup 1024 pref 14000
ip rule add from all fwmark 0x1f7/0x1ffff lookup 1024 pref 19000
ip rule add from all fwmark 0x0/0xffff lookup 1024 pref 22000
ip route add table 1024 192.168.178.0/24 dev eth0
ip route add table 1024 default via 192.168.178.1 dev eth0
(if they don´t work than look under: "ip rule". The rules for wlan0. The numbers like 0x101f7/0x1ffff behind fwmark must be similar to wlan0)
You can type in all this commands every time on restart or if you plug out your adapter. Or you save those command line entrys in a file called "eth.sh" store it on your device and execute it with Terminal emulator as "su -c 'sh eth.sh'
From there on if you ping to google or something. The packages should get to their target. But...
Some apps will still refuse to work. Because they depend on 3g or wlan adapter. So you need a app to fake wlan. You can do this with "exposed framework" and a module called "fake wlan". One reason more your device should be rooted.
After that all apps works in line now. I ve gone further and set up a init.d script that does the job when I boot up my device.
In the moment if you plug out your USB-Ethernet you may have to reboot the device. But maybe I can figure out something more convenient.
Just figured I would share this for anyone who is sick of their tethering being throttled after a insanely small bandwidth limit. I mean if you pay for unlimited data, who are they to tell you how you can use it. Also you could technically cancel your ISP if you really wanted to and you were motivated enough to get this setup correctly.
I'm have a repo on GitHub for this -> https://github.com/RiFi2k/unlimited-tethering
# Unlimited Tethering
Bypass tethering caps or throttling on cell phone unlimited data plans. Potentially cancel your internet and route your whole home though your unlimited data plan.
Inspired from [XDA](https://forum.xda-developers.com/) forum threads.
[Working Options for Unlimited Tetherting, Hotspot, Carrier Check Bypass Methods](https://forum.xda-developers.com/showthread.php?t=3825144)
[Unlimited WiFi Tethering](https://forum.xda-developers.com/showthread.php?t=2914057)
## Requirements
* **Unlimited data plan**
* **Ability to hotspot your phone**
* **Computor or Router**
This is not a carrier specific method, I use Verizon but this should generally work with any carrier. It also doesn't matter if they throttle or cap you at 15GB or something, that is what we are about to work around.
If you are going to go the router method it will be a lot more work but the router will handle all the traffic routing and you can just connect any device in your house to your router and it will just work. If you are just going to use your PC then you can generally have this running in ~15 to 30 minutes.
I have personally used anywhere from 80-150GB of data with this method consistantly for 6+ months and never been throttled one time while my traffic was going through the tunnel.
## Overview
1) Download [Termux](https://termux.com/) app, [install openssh](https://wiki.termux.com/wiki/Remote_Access) on it, make sure you have python2 as well and simlink the `python2` command to `python`.
```
pkg install python2
py2_path=$(which python2)
py_path=${py2_path%/*}/python
ln -s "$py_path" "$py2_path"
```
2) Configure authentication as explained [here](https://wiki.termux.com/wiki/Remote_Access) for SSH. If you don't already have a keypair it explains how to set up an ssh keypair and use it to authenticate to your phone from a PC. I personally used my existing SSH public key and made a folder / file `~/.ssh/authorized_keys` on Termux and dropped it in there with something like `curl "https://github.com/rifi2k.keys" > ~/.ssh/authorized_keys` if you already have your public keys on github here.
2) Hotspot your phone.
3) Run `ifconfig` inside Termux to get your current tethering local IP. It will be the only 192.x.x.x spit out and generally for andriod will be ending in 192.x.43.x. Save this.
4) Run `sshd -dD` inside Termux which starts an openssh server in debug mode to audit traffic. Your looking to see something like this as output from the above command.
```
debug1: Bind to port 8022 on ::.
Server listening on :: port 8022.
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
```
5) Now pop onto a PC and connect it to your hotspot.
6) Now SSH tunnel all the traffic from the device back through the openssh server your running on the Termux app. Now that you are on the same local network you can SSH tunnel into our saved IP address and port from earlier `192.x.43.x:8022` or similar.
You can use ssh which would look something like this.
If you want to use OpenSSH on Windows my recommendation would be Chocolatey package manager. https://gitlab.com/DarwinJS/ChocoPackages/tree/master/openssh
```bash
TERMUX_USER="u0_a249"
TERMUX_IP="192.x.43.x"
TERMUX_PORT="8022"
LOCAL_SOCKS_PORT="8123"
ssh -D $LOCAL_SOCKS_PORT -fqgN [email protected]$TERMUX_IP -p $TERMUX_PORT
```
TERMUX_USER would be your username on the Termux app.
TERMUX_IP would be the IP you got from `ifconfig` in Termux.
TERMUX_PORT would be the port `sshd` is using in Termux.
LOCAL_SOCKS_PORT would be the port you want to use for your local proxy.
So then once you run the above ssh command you need to configure a system wide or application specific Socks Proxy which would be proxying all traffic to `127.0.0.1` for the Socks Host and whatever `LOCAL_SOCKS_PORT` is from above for the Socks Port.
I use [sshuttle](https://github.com/sshuttle/sshuttle) which already handles most of the [gotchas with tcp over tcp etc](https://sshuttle.readthedocs.io/en/stable/how-it-works.html). and which also has a solution for [Windows](https://sshuttle.readthedocs.io/en/stable/windows.html) and linux. Also sshuttle generally handles setting up the Socks Proxy for you. A command for sshuttle might look like this.
## Linux
```bash
TERMUX_USER="u0_a249"
TERMUX_IP="192.x.43.x"
TERMUX_PORT="8022"
sshuttle -r [email protected]$TERMUX_IP:$TERMUX_PORT 0.0.0.0/0 -l 0.0.0.0:0
```
## Windows
On Windows I would download [Virtualbox](https://www.virtualbox.org/). You can verify the sha256 of the files via PowerShell with `Get-FileHash C:\path\to\file.exe`. Also you might want to use [git bash](https://medium.com/@botdotcom/learn-how-to-install-and-use-git-on-windows-9deecbd6f126) instead. Then you want to make sure you launch a linux VM in [bridged mode](https://www.linuxbabe.com/virtualbo...duction-to-virtualbox-bridged-networking-mode).
Then run sshuttle inside the VM following the directions here for [sshuttle in a VM](https://sshuttle.readthedocs.io/en/stable/windows.html).
Inside the VM
```
sshuttle -l 0.0.0.0 -x 10.0.0.0/8 -x 192.168.0.0/16 0/0
```
Back on your Windows machine, assuming your VM has the IP `192.168.1.200` on the bridged network.
```
route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
```
That should route traffic through the VM and the tunnel.
As long as you make sure all your traffic passes through the tunnel it 100 percent shows that all your internet is being used by Termux app not your hotspot app so you need no other spoofing of hops or anything because to your phone and carrier you are just using a bunch of data in termux, you do it right you will never be throttled.