Hi All,
I have a stupid Juniper VPN device at work which does not support 64-bit Linux clients using netconnect. I have found ways around this previously, but now we are setting up 2-factor auth, which throws a lot of JavaScript into the mix, making the scripts I used pretty much obsolete. The Junos Pulse client works well for Android, so I am thinking I want to use an Android device as a router. Connecting to the VPN and using wifi tethering does not work, and the same goes for USB tethering, and those are not exactly what I want anyway.
So basically I want to be able to connect my Android device to my wifi here at home, connect to the VPN on it, run a script to do my setup on the Android device, and lastly add a route on my client PC to tunnel through the Android device. Here is what I tried so far on the device:
Code:
# turn on forwarding between wlan0 and tun0
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT everything that leaves through the VPN tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# forward anything by default
iptables -P FORWARD ACCEPT
# NAT only LAN -> VPN range (same rule as on the Linux box below)
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
# send 10/8 traffic carrying fwmark 0x3c through routing table 60
ip rule add from all to 10.0.0.0/8 fwmark 0x3c lookup 60
and on the client PC:
Code:
# send the whole VPN range to the Android device on the LAN
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.29
where 192.168.1.29 is the IP of my Android device, and 10.0.0.0/8 (I know it's lazy) is the IP range I want to go through tun0 on the device. This is, however, not working.
The only thing I need to do on a standard linux box to do this would be:
Code:
# let the box forward packets between its interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT the LAN clients' traffic that is headed for the VPN range
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
And set up the same route command on the client but point it at the Linux box instead. This currently works, but when we decide to flip the switch and use 2-factor auth only, I will not be able to make it work on a standard Linux box, but 2-factor does work on Android via the Junos app.
I fear I am missing something simple in Android land, please help...
Hi, I'm doing some porting for the phone.
Everything goes fine except...
# iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:372
iptables v1.3.7: Couldn't find match `set'
A patched ipset works, the kernel modules for it seem to be loaded correctly, and I can define sets.
# ipset -L GOOGLE
Name: GOOGLE
Type: nethash
References: 1
Header: hashsize: 225 probes: 1 resize: 50
Members:
64.233.160.0/19
8.6.48.0/21
64.68.88.0/21
4.3.2.0/24
66.249.64.0/19
173.194.0.0/16
8.8.8.0/24
74.125.0.0/16
8.8.4.0/24
216.239.32.0/19
209.85.128.0/17
66.102.0.0/20
72.14.192.0/18
64.68.80.0/21
So there are problems with iptables.
I've looked into external/iptables/Android.mk and found that set is not enabled, and this version of iptables doesn't seem to know --match-set. Abort.
I also tried the latest one, version 1.4.7, on GitHub, but I can't get it compiled.
And if you are Chinese and interested in FanQiang (f***ing GFW), contact me and let's do it together. As far as I know, currently only Tor works on Android phones apart from VPN.
I've been trying all day to get my Huawei Ascend Android phone to use Cricket's WAP proxy for apps like the Android Marketplace, but it never seems to work. I still get an error stating that the data connection is not working or has timed out. All that works is the browser and Cricket's built-in apps, though they worked before I was using the autostart.sh file anyway.
I tried different variations on the code and none of them seem to work.
This is the current code I have for my autostart.sh file.
Code:
#!/system/bin/sh
# carrier WAP proxy and MMSC; edit these for your carrier
export PROXYHOST=wap.mycricket.com
export PROXYPORT=8080
export MMSHOST=mms.mycricket.com
export MMSPORT=80
#you shouldn't have to edit anything below this line
export PATH="$PATH:/system/bin"
# wait until a mobile data interface exists (anything UP that is not wlan or lo)
until netcfg|grep -v DOWN|awk '{print $1}'|grep -v wlan|grep -v lo >/dev/null 2>&1 ; do sleep 1 ; done
export INTERFACE=`netcfg|grep -v DOWN|awk '{print $1}'|grep -v wlan|grep -v lo`
# resolve the proxy and MMSC once; the IP is cut out of ping's "PING host (a.b.c.d)" line
export PROXYIP=`ping -c 1 $PROXYHOST|grep PING|cut -d\) -f1|cut -d\( -f2`
export MMSIP=`ping -c 1 $MMSHOST|grep PING|cut -d\) -f1|cut -d\( -f2`
# reset the filter and nat tables to a clean accept-all state
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
iptables -X
# MMS: DNAT to its own destination so it ends nat OUTPUT processing here and is not caught by the rules below
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp -d $MMSIP --dport $MMSPORT -j DNAT --to-destination $MMSIP:$MMSPORT
# plain HTTP goes straight to the carrier's WAP proxy
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp --dport 80 -j DNAT --to-destination $PROXYIP:$PROXYPORT
# every other TCP connection (except those already headed for the proxy) is redirected to the local u2nl listener
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp ! -d $PROXYIP -j REDIRECT --to-port 1025
# u2nl listens on 127.0.0.1:1025 and tunnels the redirected connections through the proxy
u2nl $PROXYIP $PROXYPORT 127.0.0.1 1025 >/dev/null 2>&1 &
# kill the autostart app after 5 seconds; the pipeline runs inside the subshell after the sleep,
# so $2 and the backticks are not expanded by the outer shell at start-up
(sleep 5; kill `ps|grep nk.bla.android.autostart|grep -v grep|awk '{print $2}'`) >/dev/null 2>&1 &
exit 0
Is there any way to get it working?
Ummm, why are you doing it that way? If you have the Android plan, all you need to do is set up the APN if it's not working.
xlarkascendingx said:
Ummm, why are you doing it that way? If you have the Android plan, all you need to do is set up the APN if it's not working.
I'm not on the Android plan, so I need to use autostart.sh to get apps to work with cricket's WAP Proxy.
That sucks, why don't you just get the android plan haha.
xlarkascendingx said:
That sucks, why don't you just get the android plan haha.
Because I don't have $55 a month. Do you wanna give me $55/month?
Just suck it up, pay the extra $10, or continue to have problems. Your choice.
Well, you obviously have 45 dollars a month, otherwise you wouldn't have internet, period. It's really not that big of a difference in price. Plus, you paid for the phone lol.
tzbigworm said:
Just suck it up, pay the extra $10, or continue to have problems. Your choice.
How about giving a real answer to my question or not posting in this thread at all.
xlarkascendingx said:
Well, you obviously have 45 dollars a month, otherwise you wouldn't have internet, period. It's really not that big of a difference in price. Plus, you paid for the phone lol.
Well, actually the plan is much cheaper than that, lol.
I'm not sure how I'm getting Internet, but since I am getting it I'm going to use it.
Try changing the ports to 8080, where it says tcp in the section you may not have to edit or whatever. I always use 8080.
xlarkascendingx said:
Try changing the ports to 8080, where it says tcp in the section you may not have to edit or whatever. I always use 8080.
I tried that, but it still didn't work.
Did this problem ever get resolved?
Hello All,
Starting with 1.5.3, DroidWall introduced an experimental feature called "CustomScripts", where scripts defined by the user are executed by DroidWall.
More details on http://code.google.com/p/droidwall/wiki/CustomScripts
This thread is to collect all custom scripts by users.
Iptables ->
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://linuxconfig.org/collection-of-basic-linux-firewall-iptables-rules
Script for allowing selected IP's for selected program
Hello,
Could somebody please post a Droidwall script for allowing a specific program to communicate only with selected IP's?
I want to allow B-Folders to talk only to my two desktops machines and reject anything else.
Thank you.
Robert.
These two are very useful to block/allow packets sent from browsers...
# Always allow connections to 192.168.0.1, no matter the interface
$IPTABLES -A "droidwall" --destination "192.168.0.1" -j RETURN
# Block connections to 119.161.212.151, no matter the interface
$IPTABLES -A "droidwall" --destination "119.161.212.151" -j "droidwall-reject"
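Building on the allow/reject rules above, an added example (not from this thread) of a DroidWall custom script that restricts one app, identified by its Linux UID, to two hosts and rejects the rest of its traffic, which is what the earlier request about B-Folders asked for. The UID and the two addresses are placeholders; DroidWall supplies $IPTABLES and the droidwall/droidwall-reject chains, as in the rules above.

```shell
#!/system/bin/sh
# Added example (not from the thread): DroidWall custom script that lets one app,
# identified by its Linux UID, talk only to the listed hosts and rejects the rest.
# DroidWall runs custom scripts with $IPTABLES set and the "droidwall" and
# "droidwall-reject" chains already in place. Other apps are untouched, because
# every rule below matches only packets owned by that UID.

# Placeholders, not values from the thread: the app's UID (as shown by ps) and
# the two desktops it is allowed to reach. ALLOWED_HOSTS is space-separated.
APP_UID=10123
ALLOWED_HOSTS="192.168.1.10 192.168.1.11"

restrict_app_to_hosts() {
    uid="$1"; shift
    for host in "$@"; do
        # RETURN leaves the droidwall chain, which DroidWall treats as "allowed"
        "$IPTABLES" -A droidwall -m owner --uid-owner "$uid" -d "$host" -j RETURN
    done
    # anything else from this UID goes to droidwall-reject, the chain DroidWall uses to block
    "$IPTABLES" -A droidwall -m owner --uid-owner "$uid" -j droidwall-reject
}

# Apply only when DroidWall (or you) exported IPTABLES; otherwise just define the function.
if [ -n "${IPTABLES:-}" ]; then
    restrict_app_to_hosts "$APP_UID" $ALLOWED_HOSTS   # unquoted on purpose: split into hosts
else
    echo "IPTABLES not set: run from DroidWall or export IPTABLES=/system/bin/iptables" >&2
fi
```

Order matters: the per-host RETURN rules must come before the catch-all reject, so keep the function as one unit if you extend it.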
Interesting program..
was just thinking about something along this line earlier in the week.
Will keep an eye on it and play a little.. when time permits..
it would be nice to block permissions on programs that extend the normal wants and needs a program should have..
Is it possible to block websites without using IP addresses? I'm having some trouble blacklisting some websites. Help much appreciated.
Stitch!
Use only Droidwall and not LBE Privacy Guard as firewall
Code:
# drop DroidWall's jump from OUTPUT and put it back at position 1 as a goto (-g):
# when a packet RETURNs from the droidwall chain it hits the OUTPUT policy directly,
# so the rules later in OUTPUT (LBE's) are never evaluated
iptables -D OUTPUT -j droidwall
iptables -I OUTPUT 1 -g droidwall
To revert to the old settings (both DroidWall and LBE Privacy Guard as firewall):
Code:
# replace the goto with the original plain jump, back at position 2
iptables -D OUTPUT -g droidwall
iptables -I OUTPUT 2 -j droidwall
Let's make a custom-script collection for apps
Hey guys, let's make a collection for apps that make connections which are unneeded for normal daily use (they are only for advertising). I'll start with Shazam
Code:
$IPTABLES -A "droidwall" --destination "5.44.16.214" -j "droidwall-reject"
$IPTABLES -A "droidwall" --destination "5.44.16.223" -j "droidwall-reject"
$IPTABLES -A "droidwall" --destination "5.44.16.228" -j "droidwall-reject"
$IPTABLES -A "droidwall" --destination "185.31.0.0/16" -j "droidwall-reject"
Code:
# Allow SSH (port 22) access to the phone
$IPTABLES -A afwall -p tcp --sport 22 -m owner --uid-owner 0 -j RETURN
I don't know why or how, but my MAC address changes every time I turn on the wifi, to a random MAC address from Texas Instruments instead of Motorola Mobility.
Sent from my XT720 using xda premium
take a look here:
http://forum.xda-developers.com/showthread.php?t=1244982&highlight=mac
probably the offending part is here:
Code:
service wlan_loader /system/bin/wlan_loader \
    -f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
    -e /pds/wifi/nvs_map.bin
    class post-zygote_services
    disabled
    oneshot
and more precisely in /pds/wifi/nvs_map.bin
Probably the wlan_loader doesn't look there, or doesn't interpret it right ...
but without additional info it is just speculation ...
Basically, when the wireless module is unloaded, you don't have a wlan0 interface.
When you (actually the phone services) load the module, wlan0 appears, but with the MAC address 00:00:00:00:00:00 (if the module is the stock one).
After wlan_loader does its job, the MAC address is changed to the one specified in the nvs_map.bin file.
p.s. I did not check the above statement now; it is from my memories of when I had trouble with my phone's MAC ....
Hey All,
Hope this hasn't been covered. I did search a bit and found some clues, but not something that totally worked for me. I figured I'd put up a post telling y'all how I made it work. I suppose this post is just more clues for somebody else, but at least it seems like a different set of clues than what I was able to find.
I've wanted to use the phone's USB connection to use work's Internet connection to download updates to my phone and conserve my measly 2GB/month data.
Running Cyanogenmod 9.1.0. Don't know how this would translate to others.
The tricks to reverse USB tether are
A) Get the phone to connect to a Linux host over the USB as in a normal tether
B) Set up IP forwarding and NAT on the Linux host (which has a perfectly fine Ethernet connection to the Internet)
C) Change the phone's default route to point at the Linux host
D) Change the phone to use the same DNS servers visible to the Linux host
A-C were pretty easy. D was actually the hardest. Here are my notes, which I'm storing on the phone:
***********************************************************************
* On the linux host
# ip addr show
2: p2p1: ...
inet 10.2.59.107/18 brd 10.2.63.255 scope global p2p1
7: usb0: ...
inet 192.168.42.151/24 brd 192.168.42.255 scope global usb0
* This part is classic "setting up a NAT" which is easily googled.
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o p2p1 -j MASQUERADE
# iptables -A FORWARD -i p2p1 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i usb0 -o p2p1 -j ACCEPT
* This tells us some IP addresses to use as nameservers.
# cat /etc/resolv.conf
nameserver 10.2.10.24
nameserver 10.2.10.26
***********************************************************************
* On the android device disable all other methods of accessing the internet.
* That is, turn off Wi-Fi and System Settings, Wireless & networks, Mobile
* networks, Uncheck "Data enabled". This might not be necessary. I did it to
* make sure the rest of what I was doing worked.
* Try 'ip route' without other args and delete any existing default route if
* you have one.
# ip route add default via 192.168.42.151 dev rndis0
# getprop | grep dns
[net.change]: [net.dns2]
[net.dns1]: [172.26.38.1]
[net.dns2]: [172.26.38.2]
[net.dnschange]: [1]
[net.rmnet_sdio0.dns1]: []
# setprop net.dns1 10.2.10.24
# setprop net.dns2 10.2.10.26
* * Avoid the Primrose Path. This sort of acted like it would work, but then
* * didn't at all.
*
* # cat /emmc/resolv_work.conf
* nameserver 10.2.10.24
* nameserver 10.2.10.26
*
* # pkill dnsmasq
* # dnsmasq -d -r /emmc/resolv_work.conf
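The host side of steps A to D above, and the two-command Linux-box setup from the first post, as one added script that is not from either post: it enables forwarding, masquerades the phone's traffic out of the upstream interface, and instead of a blanket FORWARD ACCEPT policy only forwards phone to upstream plus the replies, adding each rule only when it is not already present. Interface names are the ones in the notes above; the IPTABLES variable and the "apply" argument are conventions of this example.

```shell
#!/bin/sh
# Added example (not from either post): Linux host as NAT gateway for a USB-tethered
# phone. Defaults match the notes above: upstream p2p1, phone side usb0.
# Run as root with "apply"; without it only the functions are defined.
WAN="${WAN:-p2p1}"
LAN="${LAN:-usb0}"
IPTABLES="${IPTABLES:-iptables}"

# The rule set as data, one rule per line: "<table> <chain> <match...> -j <target>".
# Unlike "-P FORWARD ACCEPT", this forwards only phone -> upstream and the replies,
# so hosts on the upstream network cannot reach the phone through the box.
gateway_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
nat POSTROUTING -o $wan -j MASQUERADE
filter FORWARD -i $lan -o $wan -j ACCEPT
filter FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i $wan -o $lan -j DROP
EOF
}

# Append a rule only when an identical one is not already present (-C probes for it),
# so the script can be re-run without piling up duplicate rules.
add_rule() {
    table="$1"; shift
    "$IPTABLES" -t "$table" -C "$@" 2>/dev/null || "$IPTABLES" -t "$table" -A "$@"
}

apply_gateway() {
    # kernel forwarding is off by default; none of the rules matter without it
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gateway_rules "$WAN" "$LAN" | while read -r table chain rest; do
        # $rest is deliberately unquoted so it splits into iptables arguments
        add_rule "$table" "$chain" $rest
    done
    # confirm the kernel took the setting; "NAT does not work" usually means it did not
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is still 0" >&2; return 1; }
}

if [ "${1:-}" = apply ]; then apply_gateway; fi
```

Set IPTABLES=echo to see the probe-and-append sequence without touching the live tables.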