Hey All,
Hope this hasn't been covered. I did search a bit and found some clues, but not something that totally worked for me. I figured I'd put up a post telling y'all how I made it work. I suppose this post is just more clues for somebody else, but at least it seems like a different set of clues than what I was able to find.
I've wanted to use the phone's USB connection to use work's Internet connection to download updates to my phone and conserve my measly 2GB/month data.
Running Cyanogenmod 9.1.0. Don't know how this would translate to others.
The tricks to reverse USB tether are
A) Get the phone to connect to a Linux host over the USB as in a normal tether
B) Set up IP forwarding and NAT on the Linux host (which has a perfectly fine Ethernet connection to the Internet)
C) Change the phone's default route to point at the Linux host
D) Change the phone to use the same DNS servers visible to the Linux host
A-C were pretty easy. D was actually the hardest. Here's my notes I'm storing on the phone:
***********************************************************************
* On the linux host
# ip addr show
2: p2p1: ...
inet 10.2.59.107/18 brd 10.2.63.255 scope global p2p1
7: usb0: ...
inet 192.168.42.151/24 brd 192.168.42.255 scope global usb0
* This part is classic "setting up a NAT" which is easily googled.
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o p2p1 -j MASQUERADE
# iptables -A FORWARD -i p2p1 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i usb0 -o p2p1 -j ACCEPT
* This tells us some IP addresses to use as nameservers.
cat /etc/resolv.conf
# nameserver 10.2.10.24
# nameserver 10.2.10.26
***********************************************************************
* On the android device disable all other methods of accessing the internet.
* That is, turn off Wi-Fi and System Settings, Wireless & networks, Mobile
* networks, Uncheck "Data enabled". This might not be necessary. I did it to
* make sure the rest of what I was doing worked.
* Try 'ip route' without other args and delete any existing default route if
* you have one.
# ip route add default via 192.168.42.151 dev rndis0
# getprop | grep dns
[net.change]: [net.dns2]
[net.dns1]: [172.26.38.1]
[net.dns2]: [172.26.38.2]
[net.dnschange]: [1]
[net.rmnet_sdio0.dns1]: []
# setprop net.dns1 10.2.10.24
# setprop net.dns2 10.2.10.26
* * Avoid the Primrose Path. This sort of acted like it would work, but then
* * didn't at all.
*
* # cat /emmc/resolv_work.conf
* nameserver 10.2.10.24
* nameserver 10.2.10.26
*
* # pkill dnsmasq
* # dnsmasq -d -r /emmc/resolv_work.conf
Related
Hi, I'm doing some porting for the phone.
Everything goes fine but except...
# iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:372
iptables v1.3.7: Couldn't find match `set'
A patched ipset works and the kernel modules of it seems to be loaded correctly and I can define sets.
# ipset -L GOOGLE
Name: GOOGLE
Type: nethash
References: 1
Header: hashsize: 225 probes: 1 resize: 50
Members:
64.233.160.0/19
8.6.48.0/21
64.68.88.0/21
4.3.2.0/24
66.249.64.0/19
173.194.0.0/16
8.8.8.0/24
74.125.0.0/16
8.8.4.0/24
216.239.32.0/19
209.85.128.0/17
66.102.0.0/20
72.14.192.0/18
64.68.80.0/21
So there are problems with iptables.
I've looked into external/iptables/Android.mk and found that set is not enabled, and, this version of iptables seems don't know --match-set. Abort.
And I also tried the latest one which version number is 1.4.7 on github but I can't get it compiled.
And if you are Chinese and you are interested in FanQiang(f***ing GFW) contact me and let's do it together. As far as I know now only tor works on Android phone except VPN.
Hello All,
Starting 1.5.3 , DroidWall introduced a experimental feature called "CustomScripts" where scripts can be defined by user will be executed by DroidWall .
More details on http://code.google.com/p/droidwall/wiki/CustomScripts
This thread is to collect all custom scripts by users.
Iptables ->
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://linuxconfig.org/collection-of-basic-linux-firewall-iptables-rules
Script for allowing selected IP's for selected program
Hello,
Could somebody please post a Droidwall script for allowing a specific program to communicate only with selected IP's?
I want to allow B-Folders to talk only to my two desktops machines and reject anything else.
Thank you.
Robert.
This two are very useful to block/allow packs sending from browsers...
# Always allow connections to 192.168.0.1, no matter the interface
$IPTABLES -A "droidwall" --destination "192.168.0.1" -j RETURN
# Block connections to 119.161.212.151, no matter the interface
$IPTABLES -A "droidwall" --destination "119.161.212.151" -j "droidwall-reject"
Interesting program..
was just thinking about something along this line earlier in the week.
Will keep an eye on it and play a little.. when time permits..
it would be nice to block permissions on programs that extend the normal wants and needs a program should have..
Is it possible to block websites without using ip, adresses? Im having some trouble blackslisting some websites. Help much appreciated.
Stitch!
Use only Droidwall and not LBE Privacy Guard as firewall
Code:
iptables -D OUTPUT -j droidwall
iptables -I OUTPUT 1 -g droidwall
To revert back to old settings ( both Droidwall and LBE Privacy guard as firewall)
Code:
iptables -D OUTPUT -g droidwall
iptables -I OUTPUT 2 -j droidwall
lets make a custom-script collection for Apps
Hey Guys, lets make a collection for apps, there are make connetions,there are unneeded for the normaly daily use(there are only for advertising). I Start with Shazam
Code:
$IPTABLES -A "droidwall" --destination "5.44.16.214" -j "droidwall-reject"
$IPTABLES -A "droidwall" --destination "5.44.16.223" -j "droidwall-reject"
$IPTABLES -A "droidwall" --destination "5.44.16.228" -j "droidwall-reject"
$IPTABLES -A "droidwall" --destination "185.31.0.0/16" -j "droidwall-reject"
Code:
# Allow SSH (port 22) access to the phone
$IPTABLES -A afwall -p tcp --sport 22 -m owner --uid-owner 0 -j RETURN
I don't know why or how but my mac address changes everytime I turn on the wifi to random mac address from texas instruments instead of motorola mobility
Sent from my XT720 using xda premium
take a look here:
http://forum.xda-developers.com/showthread.php?t=1244982&highlight=mac
probably the offending part is here:
Code:
service wlan_loader /system/bin/wlan_loader \
-f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
[b] -e /pds/wifi/nvs_map.bin [/b]
class post-zygote_services
disabled
oneshot
and more preciously in pds/wifi/nvs_map.bin
probably the wlan_loader doesn't look there, or doesn't interpret it right ..
but without additional info it is just speculation ...
basically when the wireless module is unloaded, you don't have wlan0 interface.
when you (actually the phone services) load the module, then wlan0 appears, but with 00:00:00:00:00:00 mac address (if the module is the stock one)
after wlan_loader do his job, the mac address is changed to the one specified in the nvs_map.bin file
p.s. I did not check the above statement now, it is from my memories, when i had trouble with my phone mac ....
I also posted this on the OpenVPN forums but figured someone here may have experienced a similar problem or at least have ideas for what to do next.
My goal is to be able to connect my android phone via OpenVPN to my home network.
I started by installing OpenVPN 2.2.2
my config folder looks like this
Code:
ca.crt
dh1024.pem
server.crt
server.key
server.ovpn
My Server.ovpn contains.
Code:
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
I used this to generate a .p12 for my phone.
Code:
openssl.exe pkcs12 -export -in phone.crt -inkey phone.key -certfile ca.crt -name phone -out phone.p12
My port is forwarded correctly and software firewall is disabled.
This is what I get in the log.
pastebin: gPCBwWE1
And then the connection reset by peer will simply repeat.
I have tried tcp, different ports, recreating keys and directly connecting my comp to the internet.
Any suggestions on where to go from here would be helpful.
I have tried Googling quite a bit but there isn't much out there.
Thanks.
Hi All,
I have a stupid Juniper VPN device at work which does not support 64 bit linux clients using netconnect. I have found ways around this previously, but now we are setting up 2 factor auth which throws a lot of javascript into the mix, making the scripts I used pretty much obsolete. The Junos pulse client works well for android, so I am thinking I want to use an android device as a router. Connecting to the VPN and using wifi tethering does not work, same with USB tethering does not work, and those are not exactly what I want anyway.
So basically I want to be able to connect my android device to my wifi here at home, connect to the VPN on it, run a script to do my setup on the Android device, lastly add a route on my client pc to tunnel through the android device. here is what I tried so far on the device:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
ip rule add from all to 10.0.0.0/8 fwmark 0x3c lookup 60
and on the client PC:
Code:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.29
where 192.168.1.29 is the IP of my android device, and 10.0.0.0/8(I know its lazy) is the IP range I want to go through tun0 on the device. This is however not working.
The only thing I need to do on a standard linux box to do this would be:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
And setup the same route command on the client but point it at the linux box instead. This currently works, but when we decide to flip the switch and use the 2 factor auth only I will not be able to make it work on a standard linux box, but 2 factor does work on android via the Junos app.
I fear I am missing something simple in Android land, please help...