Proxy Merry Go Round - Verizon Samsung Galaxy S III
I have ConnectBot configured to tunnel to a remote machine and the appropriate ports forwarded to access several services on that machine. As I understand it I further need a proxy layer to pass traffic to ConnectBot locally. I currently use proxydroid for this purpose. It worked the first time I configured it and I only recently found something about it I do not like and went in search of alternative proxy apps that might behave in the way I need.
The goal is to be able to write a Tasker sequence that connects the tunnel (completed this portion) and then activates the proxy. Unfortunately there is not automated way that I can determine to toggle proxydroid active/inactive. The interface, AFAICT, requires manual interaction in order to turn it on and off. proxydroid does have an option to automatically connect in the presence of certain networks but that it almost entirely useless to me, in fact, it would be better if it could connect when a particular network is NOT present.
Anyhow, in my search for alternative proxies I discovered a few apps that have some serious potential but hardly work:
Auto Proxy (not to be confused with AutoProxy): Is free, has amazing options for autoconnecting based on IP strings (which would be super and not involve Tasker at all) and has some of the more unique features. Unfortunately this proxy does not work in the least. I may be doing it wrong but it should be kept in mind that I can easily use proxydroid so the settigns are a known factor.
AutoProxy Lite: Is free, has fairly limited options and requires the paid version to autoconnect but even then autoconnection appears to be based on network presence which as I have mentioned is useless. This one I can get to work although I have to enter the necessary ports in the forwarding section which is really strange to me. The port forwarding should be happening at the tunnel not at the application layer but whatever if it works. The interface leaves much to desired, options are extremely limited and I just don't get the warm fuzzies about using the app. Using the free version will result in nag screens which will trip up any automated use.
Sandroproxy: Is free, appears to be fairly configurable and would be easy to automate with Tasker. Unfortunately this proxy doesn't work at all either. I appreciate the direct iptables output this one offers.
iptables, yes, now that we are talking about iptables I have some questions. I have a passing understanding of iptables/ipchains and can parse an iptables stack and can do some mediocre manual entry into one. However, regardless of which proxy I activate a listing with "iptables -L" always indicates a stock iptables stack. I've read that kernel level support must be enabled for iptables to work which would explain the failure of the 2 apps that don't work at all and the unchanging iptables list output. I'm using CleanKernel which is stock with some CPU frequency change allowance and some optimizations but nothing added outside stock. So, does a stock GS3 kernel support iptables/netfilter? Are the working apps using a method outside iptables? I suspect my iptables works fine but I'm missing something about how to get appropriate listing from it.
What the hell is keeping the other apps from working?
Any help is appreciated even if it input on passing startup info to proxydroid which "just works" 100% of the time.
Hi,
As far I can understand you have tunnel from android to machine and you want that some application use it.
So you probably want to redirect some android port to android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achive that.
iptables v1.4.11.1 check
netstat -tulnp | grep 8080 verifies ConnectBot listening on 8080 check
(why simply appending :8080 to the address IP doesn't hit CB without proxying it there was initially confusing but below i discuss the socks proxy)
(note, establishing proxydroid on any port that CB is forwarding will result in xxx.xxx.xxx.xxx:$port being forwarded through the tunnel so long as $port is in CB's config to forward since proxydroid is currently configured as a global proxy)
I tried a few variations of your supplied iptables append string with no positive results which is fitting with the below discussion about no socks proxy in place.
Armed with the knowledge that there is more than one table and I was simply listing the filtering table I fired up proxydroid and listed the NAT table and found all traffic redirected to port 8123. Netstat confirmed redsocks listening on port 8123. So, this leads me to believe that the missing element in simply redirecting traffic to port 8080 or any other tunneled port is a socks5 proxy.
I am currently chewing through this link: http://przemoc.net/tips/linux#making_socks_proxy_transparent with the intent of leveraging iptables and redsocks to perform the needed redirects manually possibly switched on and off with shell scripts executed by Tasker (although, if i can successfully configure to redirect based on destination ip/address then, for my putposes the only automation required is that which I have already achieved; establishing and shutting down the tunnel.
Any further insight you have to the above ends is greatly appreciated and I thank you for your input to date.
SandroBSupp said:
Hi,
As far I can understand you have tunnel from android to machine and you want that some application use it.
So you probably want to redirect some android port to android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achive that.
Click to expand...
Click to collapse
I will try with some simple Apache/ConnectBot/telnet configuration and let you know.
I tested and it works.
How I set up enviroment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. find out app id of browser on android with ps command and used same id in iptables rule
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
4. checked iptables rules that shows redirection
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Your environment seems optimal for making this work. And, maybe I need to reevaluate my remote end environment.
Currently the ssh daemon operates on a server machine that also includes a socks5 proxy for allowing unrestricted and encrypted access from any location. The service interfaces I wish to access remotely, however, reside on a separate machine on the same network. This means that the IPort has to pass unmolested through the tunnel. The socks5 proxy on the sshd machine is irrelevant to this process, it should be noted. However, as I understand it, the port being forwarded through the tunnel does have to be a dynamic port in order to appropriately reach the second PC. Dynamically forwarded ports are handled with a socks protocol in ConnectBot.
So my environment is as follows
192.168.1.101 serves sshd on port 22.
192.168.1.100 serves interfaces on ports 2100, 8080, 80801 and 8082.
From the android device (S3) I expect to enter the address 192.168.1.100:8080 into a browser and have the related service interface be accessed remotely. This is exactly what occurs with the appropriate ports forwarded from ConnectBot and using proxydroid as a global proxy or even as a proxy tied directly to the app similar to your iptables string that matches the owner application. It should be noted that since the port is dynamic it really only requires ConnectBot to have a single port forwarded and for the redirection to jump to that port regardless of the originating port (say, 8080 or 8081 or 2100) because the originating port passes the tunnel unmolested in this configuration.
It sounds like I could relocate the sshd to the PC hosting the service interfaces and alleviate this issue (maybe, possibly) of having to use dynamic ports and use a more traditional explicit local to remote port forwarding scheme. However, knowing that it can be achieved otherwise leads me to seek a solution that doesn't require reconfiguration of the remote PCs and all of the various machines I have configured to access this configuration remotely for other purposes.
I did try your iptables string exactly and also without the owner application matching making it a more global redirect if I parse it correctly. I also tried these configurations with ConnectBot configured with traditional instead of dynamic port forwards but neither way works.
I still believe that the proxydroid method is succeeding because it includes the socks5 proxy layer via redsocks. I believe but cannot prove that this is what enables the dynamic port forwarding to work through the tunnel. While the method you are outlining makes good theoretical sense it is failing in practice.
All that said, I decided to run a test wherein I redirected all traffic on port 80 to port 6543 and then configured connectbot to forward from port 6543 to port 8118 which should engage my remote socks5 proxy and use my remote internet connection. It appeared to work and to double check I disconnected ConnectBot yet somehow my android browser still had no issues accessing internet sites on the 4g connection. So, apparently iptables is being ignored entirely or I am completely missing the boat, here.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Explain how that successfully fetches http requests despite having a service listening on 6543 to facilitate it.
Not sure if it was required to use that -m match switch to tie the iptables rule to an application so I tried:
ps | grep lan =
Application is 23094
therefore
iptables -t nat -A OUTPUT -m owner --uid-owner app_23094 -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere owner UID match app_23094 tcp dpt:www to 127.0.0.6543
Same result; not tunnel or service listening on 6543 but successful fetch of http requests.
SandroBSupp said:
I tested and it works.
How I set up enviroment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. find out app id of browser on android with ps command and used same id in iptables rule
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
4. checked iptables rules that shows redirection
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Click to expand...
Click to collapse
Before I investigate further...
Is this a typo or iptables doesn't work okey?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Yeah, that was a typo into the forum.
I have globally redirected all port 80 traffic to localhost port 6543 with no service listening on 6543 yet any browser will successfully fetch pages. It seems iptables is being ignored entirely although it should be noted proxydroid modifies iptables to a successful result.
SandroBSupp said:
Before I investigate further...
Is this a typo or iptables doesn't work okey?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Click to expand...
Click to collapse
Just for fun I installed DroidWall and blacklisted both browsers on my phone. Neither browser has any issues whatsoever retrieving webpages despite the blocks. I listed the iptables to verify there are indeed blocks in place. My iptables are being ignored entirely. Any input to this regard would be quite helpful. Obviously any attempts to manipulate packet redirection with iptables is meaningless if the tables are ignored.
Strangely, proxydroid is effective and it is making changes to iptables when enabled, so I have no idea WTF at this point.
Okay, I deleted all chains which seems to have cleared up the issue with all rules being ignored. If I am not mistaken my output chain was being directed to a chain called samsung_market_policy so, if I wasn't placing the rules within that chain (and I was not) they were being jumped before they could be read. I have no idea what breaks when you remove the samsung_market_policy chain but considering it was an empty chain I suppose nothing.
That said, I can now successfully redirect port 80 traffic to port 6543:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 6543
^^^If no service listens on 6543 the browser provides an error message as expected. With ConnectBot listening on 6543 and forwarding through the tunnel to remote port 8118 where I have a proxy server listening the pages fetch.Note a socks5 proxy is listening on the remote machine at port 8118 to manage the retrieval of the pages.
Sooooo, now I flush the above rules and enter:
iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 127.0.0.1:8080
^^^Should, in my understanding send all tcp traffic of any variety to localhost port 8080 where I have ConnectBot configured to forward dynamically to the remote machine.
Passing any address of any variety fails in this instance. There is a service listening on remote machine 192.168.1.100:8080. This address fails where it would not do so with a local socks5 layer. Google.com fails as well, which makes sense considering there is no proxy to perform the domain resolution but so does passing 74.125.137.138 which is Google.com's direct IP address.
I have further testing to do and will report back. If you have any input I am eager to hear it.
I will add that I am back on the same merry go round:
2 of the proxies do not work 2 of them do. The 2 that do will not connect without direct user interface on screen. At any rate, I remain convinced a local proxy layer is needed for my purposes.
The 2 proxies that do work are explicitly socks5 while the 2 that are not simply state they are socks.
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Yes, this works... for a wifi connections. However, I am rarely connected to wifi and when I am it is the network that the remote pcs are attached to so all of this becomes unnecessary.
For a 3G/4G connection I need to either:
A) Easily and automatically toggle a global proxy on and off (the main complaint with proxydroid is this missing feature)
or
B) Make a permanent redirect of destination IP 192.168.0.0/8 to the proxy without stripping the destination port information so that the transport carries that information.
A kludge solution I am currently using is to install FireFox mobile and then the Network Connections plugin which allows all FireFox traffic to be pointed to my ConnectBot tunnel. Then, in this way, to access my remote service I simply use FireFox Mobile and my other browsers for normal traffic.
This is a less than ideal solution, unfortunately, as I would like to be able to use any browser and also and more importantly other applications such as AndFTP, which fail unless a local socks5 layer is transporting the destination IP AND Port through the tunnel. That is, if AndFTP or a normally configured browser are pointed to the tunnel then the port information only serves the purpose of reaching the tunnel and is not transmitted to the remote end for connecting to remote services on their respective ports. There HAS to be a local transport layer that is moving the destination IP AND Port unmolested to and through the tunnel.
All that said, I suspect my earlier attempts at iptables redirection were successful at transmitting the packets TO the remote computer but additional rules must be configured to parse the incoming packets FROM the remote computer.
My next efforts will be directed at creating a shell script that sets up a redsocks proxy and an iptables redirection for the 192.168.0.0/8 range to that proxy. Which, is effectively recreating the efforts of people like yourself who wrote applications such as Sandroproxy, proxydroid and Auto Proxy. I will also be sending a request to proxydroid developers for an easier on/off toggle such as a checkbox instead of the current slider which cannot (as far as I know) be automated or, even better, to have that proxy auto-effect for a destination IP range.
SandroBSupp said:
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Click to expand...
Click to collapse
Related
Tutorial - Port knocking w/ ssh, vnc - Secure access from android to remote computer
What I wanted was a simple, secure way to access my home computer remotely from my android phone. I know there are vpn options but I’ve seen that cause battery drain issues if in constant use, and also is more than I wanted/needed to setup. I know I could just setup a ssh server but leaving port 22 open on the remote computer for anyone to scan and hack the password seemed too insecure for me. So I came up with this solution and have been using it for about 2 years now without any problems. I thought maybe I should share this method since it may be of use to someone else and I don’t know of anyone else putting all these together for use with android. What this does: By running a small script on your android phone in terminal (only 2 commands), your phone knocks 3 specific ports, in a specific order (like a combination lock), your remote computer recognizes this order and opens port 22 for 10 sec. Your script then ssh’s the remote computer on port 22 and you log in. The port 22 on the remote computer closes so no one else can see it, but the keep-alive feature keeps your ssh session open so you can do whatever you need, for as long as your like, without worrying about someone port sweeping the remote computer and seeing the port open, or brut forcing a ssh password on it. You with me so far? Now the ssh session also uses port forwarding to forward port 5900 from the remote computer to port 5900 on the localhost of the android phone. Now you can open your vnc client and connect to the remote computer through your ssh tunnel and see your x11 desktop. So you know also have a secure VNC connection! All this is done securely and only runs ondemand. While this may look like a lot to setup, it’s actually quite easy and should only take about 15min tops. This tutorial should be complete but if I’ve forgotten anything, let me know and I’ll be sure to update this page. In other words, run two simple commands within a script and you have secure access to your remote computer from your phone! Enjoy! Pros: - Secure - Works on 3G and wifi - Runs on all android versions - Works on all x11 GUI’s (gnome, kde, etc). Assuming a VNC session is also desired. - Fun! Problems: - This only works on linux computers, although I’m sure there is a way to setup port knocking on windows. I have no use for this, but if people are interesting, I can add a way to my tutorial as well. Howto: Setup Remote Computer: First we need to setup the remote computer. This is geared towards Debian/Ubuntu but small adjustments should have it working on all distros (I’m using Debian Squeeze personally). Let’s begin: First we need to install a few packages if not already there: Code: apt-get install openssh-server x11vnc knockd Now lets configure your ssh daemon. Using nano or another text editor, edit /etc/ssh/sshd_config: Change the following line to read as follows: Code: PermitRootLogin no This will disable root login, so you will login in as a user and then su to root (You can leave root login if desired, it’s just less secure and not recommended). Next we need to edit our iptables, so open /etc/network/if-pre-up.d/iptables and add the following: MAKE A BACKUP FIRST OF THIS FILE Code: # Accepts all established inbound connections iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic iptables -A OUTPUT -j ACCEPT # Allow ping iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: iptables -A INPUT -j REJECT iptables -A FORWARD -j REJECT Now we setup our port knocking. Edit /etc/knockd.conf: Code: [options] UseSyslog [openSSH] sequence = port1,port2,port3 seq_timeout = 5 command = /sbin/iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT cmd_timeout = 10 stop_command = iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j DROP tcpflags = syn [closeSSH] sequence = port1,port2,port3 seq_timeout = 5 command = /etc/init.d/ssh stop tcpflags = syn The section [openSSH] is what opens the port for 10 sec by running the iptables command and then drops the packets after the time expires, running the stop_command. The section [closeSSH] is not needed. It was a failsafe I use in case I want to disable ssh if I thought I was getting hacked and could not login. This is also left to show how you can use the knocking to run different commands using another sequence of ports (for ftp, etc.) Now lets restart the network interface and restart the knock daemon: Code: ifconfig eth0 down #adjust to whatever interface you use normally ifconfig eth0 up dhclient /etc/init.d/knockd restart /etc/init.d/sshd restart Test your internet and make sure it works. To make sure you have it setup to run on boot, first determine your runlevel: Code: runlevel Make sure knockd, ssh are in the /etc/rcX.d (where X equals your runlevel). If not, add it Code: ln -s /etc/init.d/knockd /etc/rcX.d/S02knockd And so on for shh if needed, (again, adjust X to equal your runlevel) Setup X11VNC password: Code: x11vnc --store password create a script for ~/bin/x11vncserver add this to the script Code: #!/bin/bash x11vnc -safer -forever -usepw -noxdamage The “-noxdamage” fixes a display problem of the desktop not updating in the android vnc client. Now if using gnome and you only care about vnc login for one user then, goto System → Preferences → Startup Applications → Add → Name = VNC Server Command = x11vncserver & Or add to GDM for access to any user, add to /etc/gdm3/Init/Default: Code: x11vnc -safer -forever -usepw -noxdamage DONE! (KDE will be similar but slightly different to load on login, post if help is needed) Setup android phone: create script called knockh in /system/xbin. Then add this: Code: nc -z [ipaddress] port1 port2 port3 ssh -L 5990:localhost:5900 [email protected][ipaddress] Replaces the ipaddress with your own (google “what is my ip” if you don’t know your external ip). Replace the ports with the ones used in the config file above for knockd. Change the user to whatever user has ssh rights. Then Code: chmod 755 /system/xbin/knockh Now run knockh in the terminal and you should see a login for ssh on your remote computer. Next download “android-vnc-viewer” from the market (it’s free). Create a new connection by selecting “new” from the dropdown box. Create a nickname, enter your x11vnc pasword, address is “localhost” and port is “5900”. For 3G connections, I recommend 8 colors, for wifi 256. I also check the “Local mouse pointer” in the checkbox. Now click connect and see your desktop! (If you are on your local wifi network be sure to create another connection for your local ip address) Fixes: Keep in mind this is for remote networks, if you are on your local lan, this won’t work without changing the ip address. If using a router or modem, setup port forwarding to your remote computer for TCP ports 5900, 22, port1, port2, port3 (your port knocking ports). Also make sure to setup a static dhcp for the remote computer so your router/modem doesn’t change it’s ip address and you can’t connect. If you are using an ISP that doesn’t give you a static ip address for your router, you will not be able to login whenever they change it, you’ll have to update the script first with the new IP. A solution is to setup a dynamic dns, using dyndns.org or something similar. Free options are out there, just google it. I hope this helps, please post if you have any questions, comments, etc. Enjoy! -Mike
On some roms, the busybox version of "nc" does not allow the -z command for knocking the proper ports. I've pulled the version of it from CM 7.2 and put in my /system/xbin and full functionality has been retained. I've included both "nc" and "ssh" here and they should work fine if you are missing them. (Tested on my EVO LTE running mostly stock Sense ICS, but this is fine for other android versions) nc ssh Hope this helps! -Mike
DroidWall Application filtering by IP
Hello, Recently bought an android phone and I decided to register on XDA as it seems to be full of helpful members Thanks for this forum. I have installed Droidwall on my phone running stock ICS. Droidwall does its job by allowing or denying application connection, so basically it allow an app to connect everywhere on the web or deny it. There are 2 modes : balck and white list. I am using white list meaning everything is reject exept the apps I have ticked (3g,wifi). What I am trying to achieve is configuring Droidwall to allow application to connect only where I want to (specific IP or IP range). A simple example would be the inbuilt messaging application. It effectively needs to connect to internet for MMS but not the whole WEB, simply to my carrier. This will prevent data leakage from the application that ask abusives permissions for example. The good thing is that Droidwall allow custom scripts so we can add rules to the iptables. Unfortunately I did not find any relevant example on XDA nor elsewhere. I only found : https://code.google.com/p/droidwall/wiki/CustomScripts http://forum.xda-developers.com/showthread.php?t=1283162 I tried without luck : Code: $iptables -A droidwall -d xxx.xxx.xxx.xxx -m owner --uid-owner 10092 -j ACCEPT or $iptables -A "droidwall" -destination "xxx.xxx.xxx.xxx". -m owner --uid-owner 10092 -j ACCEPT 10092 is my application ID. xxx.xxx.xxx.xxx the ip where I only want this application to connect to. Any help would be greatly appreciated and could server for others Thank you even for reading this entirely post.
Getting USB-Ethernet-Adapter started on Superman Rom
I wasn´t able to post the question directly under the Superman Costum Rom thread. So I try to do it here. I installed [ROM][STABLE][TW][6.0.1][BPH6][24.08.16][SM-G930F/FD/W8] SuperMan-Rom V1.12 Aroma today. And as far it works really fine. But what bugs me is that I was able to use USB-Lan Adapter under Stock Rom that was just rooted. I only needed to input the following in the android console: - ip link - ifconfig eth0 up - dchpcd eth0 The adapter started to work. I could ping to different web pages and play games etc. Only a few apps didn´t recognize internet. But after installing Superman Rom the same procedure doesn´t work any longer. I can ping to my router but not further. Any ideas so far? Thanks in advance.
So far I´ve got it working. Only if anybody wants to know it. Its following steps: - Root the device. - Then install Terminal Editor or a different app like that. then: ip link (shows eth0 your usb ethernet adapter somewhere in the list) dhcpcd eth0 ndc resolver setnetdns eth0 8.8.8.8 8.8.4.4 (this line was the reason why I started this thread, my eth0-adapter couldnt resolve the dns) then enter the following ip-rules: ip rule add from all fwmark 0x101f7/0x1ffff lookup 1024 pref 13000 ip rule add from all oif eth0 lookup 1024 pref 14000 ip rule add from all fwmark 0x1f7/0x1ffff lookup 1024 pref 19000 ip rule add from all fwmark 0x0/0xffff lookup 1024 pref 22000 ip route add table 1024 192.168.178.0/24 dev eth0 ip route add table 1024 default via 192.168.178.1 dev eth0 (if they don´t work than look under: "ip rule". The rules for wlan0. The numbers like 0x101f7/0x1ffff behind fwmark must be similar to wlan0) You can type in all this commands every time on restart or if you plug out your adapter. Or you save those command line entrys in a file called "eth.sh" store it on your device and execute it with Terminal emulator as "su -c 'sh eth.sh' From there on if you ping to google or something. The packages should get to their target. But... Some apps will still refuse to work. Because they depend on 3g or wlan adapter. So you need a app to fake wlan. You can do this with "exposed framework" and a module called "fake wlan". One reason more your device should be rooted. After that all apps works in line now. I ve gone further and set up a init.d script that does the job when I boot up my device. In the moment if you plug out your USB-Ethernet you may have to reboot the device. But maybe I can figure out something more convenient.
Unlimited WiFi Tethering For Any Carrier [NEVER THROTTLED]
Just figured I would share this for anyone who is sick of their tethering being throttled after a insanely small bandwidth limit. I mean if you pay for unlimited data, who are they to tell you how you can use it. Also you could technically cancel your ISP if you really wanted to and you were motivated enough to get this setup correctly. I'm have a repo on GitHub for this -> https://github.com/RiFi2k/unlimited-tethering # Unlimited Tethering Bypass tethering caps or throttling on cell phone unlimited data plans. Potentially cancel your internet and route your whole home though your unlimited data plan. Inspired from [XDA](https://forum.xda-developers.com/) forum threads. [Working Options for Unlimited Tetherting, Hotspot, Carrier Check Bypass Methods](https://forum.xda-developers.com/showthread.php?t=3825144) [Unlimited WiFi Tethering](https://forum.xda-developers.com/showthread.php?t=2914057) ## Requirements * **Unlimited data plan** * **Ability to hotspot your phone** * **Computor or Router** This is not a carrier specific method, I use Verizon but this should generally work with any carrier. It also doesn't matter if they throttle or cap you at 15GB or something, that is what we are about to work around. If you are going to go the router method it will be a lot more work but the router will handle all the traffic routing and you can just connect any device in your house to your router and it will just work. If you are just going to use your PC then you can generally have this running in ~15 to 30 minutes. I have personally used anywhere from 80-150GB of data with this method consistantly for 6+ months and never been throttled one time while my traffic was going through the tunnel. ## Overview 1) Download [Termux](https://termux.com/) app, [install openssh](https://wiki.termux.com/wiki/Remote_Access) on it, make sure you have python2 as well and simlink the `python2` command to `python`. ``` pkg install python2 py2_path=$(which python2) py_path=${py2_path%/*}/python ln -s "$py_path" "$py2_path" ``` 2) Configure authentication as explained [here](https://wiki.termux.com/wiki/Remote_Access) for SSH. If you don't already have a keypair it explains how to set up an ssh keypair and use it to authenticate to your phone from a PC. I personally used my existing SSH public key and made a folder / file `~/.ssh/authorized_keys` on Termux and dropped it in there with something like `curl "https://github.com/rifi2k.keys" > ~/.ssh/authorized_keys` if you already have your public keys on github here. 2) Hotspot your phone. 3) Run `ifconfig` inside Termux to get your current tethering local IP. It will be the only 192.x.x.x spit out and generally for andriod will be ending in 192.x.43.x. Save this. 4) Run `sshd -dD` inside Termux which starts an openssh server in debug mode to audit traffic. Your looking to see something like this as output from the above command. ``` debug1: Bind to port 8022 on ::. Server listening on :: port 8022. debug1: Bind to port 8022 on 0.0.0.0. Server listening on 0.0.0.0 port 8022. ``` 5) Now pop onto a PC and connect it to your hotspot. 6) Now SSH tunnel all the traffic from the device back through the openssh server your running on the Termux app. Now that you are on the same local network you can SSH tunnel into our saved IP address and port from earlier `192.x.43.x:8022` or similar. You can use ssh which would look something like this. If you want to use OpenSSH on Windows my recommendation would be Chocolatey package manager. https://gitlab.com/DarwinJS/ChocoPackages/tree/master/openssh ```bash TERMUX_USER="u0_a249" TERMUX_IP="192.x.43.x" TERMUX_PORT="8022" LOCAL_SOCKS_PORT="8123" ssh -D $LOCAL_SOCKS_PORT -fqgN [email protected]$TERMUX_IP -p $TERMUX_PORT ``` TERMUX_USER would be your username on the Termux app. TERMUX_IP would be the IP you got from `ifconfig` in Termux. TERMUX_PORT would be the port `sshd` is using in Termux. LOCAL_SOCKS_PORT would be the port you want to use for your local proxy. So then once you run the above ssh command you need to configure a system wide or application specific Socks Proxy which would be proxying all traffic to `127.0.0.1` for the Socks Host and whatever `LOCAL_SOCKS_PORT` is from above for the Socks Port. I use [sshuttle](https://github.com/sshuttle/sshuttle) which already handles most of the [gotchas with tcp over tcp etc](https://sshuttle.readthedocs.io/en/stable/how-it-works.html). and which also has a solution for [Windows](https://sshuttle.readthedocs.io/en/stable/windows.html) and linux. Also sshuttle generally handles setting up the Socks Proxy for you. A command for sshuttle might look like this. ## Linux ```bash TERMUX_USER="u0_a249" TERMUX_IP="192.x.43.x" TERMUX_PORT="8022" sshuttle -r [email protected]$TERMUX_IP:$TERMUX_PORT 0.0.0.0/0 -l 0.0.0.0:0 ``` ## Windows On Windows I would download [Virtualbox](https://www.virtualbox.org/). You can verify the sha256 of the files via PowerShell with `Get-FileHash C:\path\to\file.exe`. Also you might want to use [git bash](https://medium.com/@botdotcom/learn-how-to-install-and-use-git-on-windows-9deecbd6f126) instead. Then you want to make sure you launch a linux VM in [bridged mode](https://www.linuxbabe.com/virtualbo...duction-to-virtualbox-bridged-networking-mode). Then run sshuttle inside the VM following the directions here for [sshuttle in a VM](https://sshuttle.readthedocs.io/en/stable/windows.html). Inside the VM ``` sshuttle -l 0.0.0.0 -x 10.0.0.0/8 -x 192.168.0.0/16 0/0 ``` Back on your Windows machine, assuming your VM has the IP `192.168.1.200` on the bridged network. ``` route add 0.0.0.0 mask 0.0.0.0 192.168.1.200 ``` That should route traffic through the VM and the tunnel. As long as you make sure all your traffic passes through the tunnel it 100 percent shows that all your internet is being used by Termux app not your hotspot app so you need no other spoofing of hops or anything because to your phone and carrier you are just using a bunch of data in termux, you do it right you will never be throttled.
Apple iOS iPhone critical security - firewall - hardening
BACKGROUND: The most basic tenet of network security is to run a tight firewall that blocks all incoming connections that the user did not initiate (some services do require new incoming packets to go through but that is a security issue and must be dealt with separately). SECURITY ISSUE: iOS provides a firewall pf ("packet filter") but it is turned off by default and is not configured. Major security issue. (I'm using iOS 12.5.4 on iPhone 6, not 100% sure about other devices and later iOS versions. Pretty sure it affects all devices and versions, though.) SOLUTION: It's not just a solution. It's a top priority requirement for all iOS device users to lock down their firewalls. 1) jailbreak your iPhone - this is the only way to access the pf firewall and secure your iPhone 2) install a terminal app 3) change root password 4) create a pf.conf file in ~. This is the pf firewall configuration file that will be used to filter packets. In this example, everything is blocked except basic internet access and connectivity on WiFi interface that is initiated by the device. Code: scrub in all block in all #default behavior block everything block out all block quick proto tcp to 17.0.0.0/8 #Apple IPs used by analytics - a concern, kept connecting unsolicited pass out on en0 inet proto udp from any to any port = 53 keep state #required for DNS pass out on en0 inet proto tcp from any to any port { 80 443 } keep state #HTTP and HTTPS pass quick on en0 inet proto udp from any port { 67 68 } to any port { 67 68 } keep state #WiFi DHCP 5) enable the firewall with the above configuration: Code: pfctl -F all -f ~/pf.conf -e COMMENTS: pf is also limited in comparison with a Linux analog iptables in that it cannot filter by process ID. This iOS shortcoming is awful and a security issue. ADDITIONAL HARDENING: As a next step you can close all unneeded serial ports/TTYs. For example , on iPhone 6 you will have cell signal with the ability to use cell services and use Wi-Fi if you: chmod 000 /dev/tty chmod 000 /dev/tty.* chmod 000 /dev/uart.* chmod 000 /dev/cu.* (except cu.debug is required for cell connectivity and cu.gas-gauge for battery stats, so must also chmod 006 /dev/cu.debug and chmod 006 /dev/cu.gas-gauge) Then, restart CommCenter, bluetoothd, wifid. You can unload com.apple.nfcd entirely because you will not be able to change permissions/close nfc's ports/TTYs. Unload com.apple.BlueTool, it's Bluetooth and it's a hack vulnerability, until at least you can filter it.