Slashdot is running a story about how lots of Android apps listen on ports for incoming connections.
https://it.slashdot.org/story/17/04/28/2343222/open-ports-create-backdoors-in-millions-of-smartphones
I was quite surprised by this, as I thought virtually all Android apps would be outbound only and wouldn't need to create a listening socket unless they are a genuine server (SSH/FTP/HTTP etc). But I ran a "netstat -apn | grep -i listen" on my phone, and to my surprise my mobile provider's VoIP app is listening on a port (again, I thought it would be outbound only). And worse, I can happily connect to it from my WiFi.
I added iptables rules to block inbound connections but allow outbound unrestricted. The VoIP app seems happy enough.
But I was also surprised (for me this is LineageOS, but I assume it is common to all Androids) that the default iptables rules don't block inbound connections, with an API allowing apps to request inbound on specific ports or something.
My iptables rules are below (covering v6 too):
Code:
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j DROP
ip6tables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j DROP
I had a further look at one of the apps I have listening. I picked the popular Plex client app. Here is the netstat output (it also listens on a number of loopback ports but no big deal there):
tcp6 0 0 :::44411 :::* LISTEN 13084/com.plexapp.android
So it listens on IPv4 and IPv6. Telnetting to this port, it seems to have some sort of webserver listening on it:
Escape character is '^]'.
get /
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=UTF-8
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1209600
Failure: 500 Internal Server Error
Connection closed by foreign host.
Not sure why a client app like this needs to listen really.
I have slightly modified my iptables rules to allow IPv6 SLAAC to work properly and to allow SSH (as an example allowed incoming service) in from my local IP addresses (and IPv6 local ULA addresses) on WiFi.
Code:
#!/system/bin/sh
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 33791 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 33791 -j ACCEPT
ip6tables -A INPUT -s fda1:12B0:97A1::/64 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -j DROP
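As an added example (not code from the thread or from any of the apps it mentions), here is the check the first post does by hand with netstat and telnet turned into a small shell filter: it reads `netstat -apn` output and lists only the sockets another host could reach, so loopback-only listeners such as the extra Plex ports drop out. The busybox/toybox column layout quoted above is assumed; the sample lines are constructed apart from the Plex line.

```shell
#!/bin/sh
# On the phone the shebang is #!/system/bin/sh. Added example, not from the thread.
# Lists sockets reachable from other hosts: TCP listeners and UDP sockets whose
# local address is neither loopback-only nor an ESTABLISHED client connection.

# external_listeners : reads `netstat -apn` output on stdin and prints
# "proto port scope pid/program" per externally bound socket; scope is
# ALL-INTERFACES for a wildcard bind, otherwise the bound address.
external_listeners() {
    awk '
    function split_addr(la,    i) {          # "::1:8384" -> addr="::1", port="8384"
        i = match(la, /:[0-9]+$/)
        addr = substr(la, 1, i - 1); port = substr(la, i + 1)
    }
    function loopback(a) {                   # only apps on the phone itself reach these
        return a ~ /^127\./ || a == "::1" || a ~ /^::ffff:127\./
    }
    function report(proto, la, prog) {
        split_addr(la)
        if (loopback(addr)) return
        scope = (addr == "0.0.0.0" || addr == "::") ? "ALL-INTERFACES" : addr
        printf "%-5s %-6s %-16s %s\n", proto, port, scope, prog
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" { report($1, $4, $7) }   # tcp/tcp6 listeners
    $1 ~ /^udp/ && NF >= 6        { report($1, $4, $NF) }  # udp has no State column
    '
}

# Constructed sample; only the :::44411 Plex line is quoted from the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:32400         0.0.0.0:*               LISTEN      13084/com.plexapp.android
tcp6       0      0 :::44411                :::*                    LISTEN      13084/com.plexapp.android
tcp6       0      0 ::1:8384                :::*                    LISTEN      4212/com.example.sync
tcp        0      0 192.168.1.20:5060       0.0.0.0:*               LISTEN      3311/com.example.voip
tcp        0      0 192.168.1.20:41522      203.0.113.5:443         ESTABLISHED 2201/com.android.chrome
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1188/com.example.mdns
udp        0      0 127.0.0.1:53            0.0.0.0:*                           901/dnsmasq'

# On the phone:  netstat -apn | external_listeners
# Offline demo:  sh audit_listeners.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
fi
```

Anything the filter prints is a candidate for an INPUT rule like the ones above, or for asking why the app binds to all interfaces at all.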
Related
Hello!
First of all: Thank you daveba for your great work! ( http://forum.xda-developers.com/showthread.php?t=766569 ).
I've got a Desire Z and installed Cyanogenmod 6.1.1.
With the usual settings of redsocks the packets were sent again and again to it. So I had to insert the iptables rule
iptables -t nat -I OUTPUT 1 -d <my proxy ip> -p tcp --dport 80 -j ACCEPT
to send the packets to my proxy directly.
(My proxy listens on port 80/tcp only, no matter which protocol (http, https).)
After that all apps (browser, Google Market, YouTube...) but Google Maps worked.
With the compiled transproxy from http://transproxy.sourceforge.net all but the downloads in Google Market worked. (I considered the ports 80, 443 and 5228.)
Has someone had the same problems with these tools and knows how to fix them?
Thx!
Hello all,
I lost a day of my life, used FF with over 80 open tabs, around 2.5GB RAM... to find a solution to create an SSH tunnel.... nothing worked.
In Windows on my work laptop I had only to run (I also configured my .ssh/config file with my work proxy IP):
ssh -D 1080 -p 1822 [email protected]
Then point my Firefox network connection to my localhost SOCKS 5 proxy on port 1080
And I would surf the net protected, or not blocked by the company firewall.
I saw SSHTunnel on the market and tried it... it connects, but when I check the outgoing IP it's still the carrier's IP and not my SSH server.
As it doesn't give any errors I don't know where it fails... the iptables rules for global connections?
Can someone help me out please?
(Dropbear doesn't have -D and I couldn't find how to do dynamic port forwarding with this SSH client)
I'm on Android 4.2.2
Sent from my SGS2 on SB4.2.2
When I do:
iptables -vL -t nat
I see some errors, or warnings:
getprotobynumber(int)(3) is not implemented on Android
I tried setting the iptables rules manually, but with no luck.
Maybe someone can tell me what the rules should look like.
I tried:
iptables -t nat -A OUTPUT -d 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,127.0.0.1 -j ACCEPT
iptables -t nat -A OUTPUT -p 6 --dport 80 -j DNAT --to 127.0.0.1:1080
I tried: ConnectBot + ProxyDroid
connected on SSH to: [email protected]
added dynamic port forwarding to: 8123
configured ProxyDroid as SOCKS, localhost on port 8123
no connection could be made from any browser (default one, or Opera)
So I'll try installing Firefox mobile with the proxy mobile addon, to see whether the SOCKS proxy created by the SSH tunnel is working; if it is, it means that the iptables rules from ProxyDroid aren't OK... or something.
I'm thinking that on the PC at work, as I use a proxy to get out on the internet, I had to configure SSH to use that proxy to be able to create the tunnel;
after that I configured Firefox to use that tunnel/SOCKS proxy.
On my mobile phone I have the same thing with my mobile 3G carrier, as it uses a proxy in the APN settings... don't I have to configure the SSH somehow as well? Or set some iptables rule to exclude the SSH connection from being redirected to localhost:8123?
PS: my iptables version is 1.4.11.1
I tried configuring ProxyDroid to my 3G IP and the 8123 port, still no luck.
You may want to change the localhost port.
System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535)
I would change from a User Port (8123) to a Dynamic port like 56001. That may fix your problem.
I have this script running on boot and cycling on a timer to make my wifi hotspot send data through a PIA VPN. PIA will assign a single port allowed to be used for forwarding and I now want to forward that assigned port to a PC connected to the wifi hotspot. The PC's local IP address is 192.168.1.252 (hotspot assigned but I can set it static) and the port number is 40212. Is there a way to add that routing to this script?
while sleep 30; do
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
# PREROUTING is flushed as well, otherwise the DNAT rule below is appended again on every pass
iptables -t nat -F PREROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 8.8.8.8
# `ip rule add` accepts duplicates, so the rule is removed before it is re-added; the
# `ip route add` lines simply fail harmlessly once the routes exist
ip rule del from 192.168.1.0/24 lookup 61 2>/dev/null
ip rule add from 192.168.1.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.1.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
done
Hi
Please sign up on the forums and post in general Q/A
http://forum.xda-developers.com/general/help
Though personally I think you can find better information on Linux Admin sites.
Probably try using man pages for iptables ?
Good day !
When clients connect to Android tethering they get IPs of the private tethering network. There is plenty of info available on how to NAT/masquerade the WiFi tethering clients (for example into a VPN), but I haven't managed to find how I should change or rewrite the iptables rules and routes in order to avoid NATting/masquerading and just do ordinary routing from the tethered devices' IPs to the other networks (or a VPN).
Example: local tether client 1 gets 192.168.43.1/24, local tether client 2 gets 192.168.43.2/24, ... and at the VPN interface we have the 10.1.0.0/24 network. Disabling NAT and adding the routes in an ordinary router is easy, but I need help to do it on my Android device. Thank you. Peter
Hi Peter
I found this code from my friend. Just save the code with a text editor like Jota+ (from the Google Play store).
This code will forward all traffic from WiFi tethered clients to the VPN. Just run it via a terminal emulator.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
ndrancs said:
Hi Peter
I found this code from my friend. Just save the code with a text editor like Jota+ (from the Google Play store).
This code will forward all traffic from WiFi tethered clients to the VPN. Just run it via a terminal emulator.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
Thank you very much NDrancs. Are you sure it's just routing the packets with their original IP? It's just because on the fourth line I see a MASQUERADE. I will check. Thank you so much for your time.
Peter
I have little knowledge about tech-related stuff, but what I know from my experience is that the hacker's DNS servers, which are pri: 39.39.39.39, sec: 182.176.100.141, made it possible for anyone to remotely view my phone, just like using "Remote Desktop Viewer" software.
I have used the following methods to prevent the DNS from changing but was unsuccessful (because the DNS changes instantly when someone on the other side tries to connect):
(1) The following rules are added to the "20-dns.conf" file (system/etc/dhcpcd/dhcpcd-hooks), the AFWall+ custom script and an init.d script, but it only sets the DNS after reboot or when I run the script each time, and does not prevent the DNS from changing:
setprop net.dns1 208.67.222.222
setprop net.dns2 208.67.220.220
setprop net.eth0.dns1 208.67.222.222
setprop net.eth0.dns2 208.67.220.220
setprop net.rmnet0.dns1 208.67.222.222
setprop net.rmnet0.dns2 208.67.220.220
setprop dhcp.tiwlan0.dns1 208.67.222.222
setprop dhcp.tiwlan0.dns2 208.67.220.220
setprop net.ppp0.dns1 208.67.222.222
setprop net.ppp0.dns2 208.67.220.220
setprop net.pdpbr1.dns1 208.67.222.222
setprop net.pdpbr1.dns2 208.67.220.220
I also added the above rules to "build.prop" but the result was the same.
(2) Installed Override DNS (root); it also does not prevent DNS changes. It only sets the DNS (Google, OpenDNS etc.) after every reboot/connectivity change and cannot detect DNS changes. I tried to change the DNS from "Terminal Emulator" and was able to change the DNS while "Override DNS" was ON. Another problem with "Override DNS" is that it shows an error (Network device name is null, The error message is netInfo is null, something went wrong) when data/wifi is off. While the hacker does not need me to turn ON data/wifi to achieve his goal.
(3) The following iptables rules are added to the AFWall+ custom script and an init.d script (didn't work):
su
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8:53
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.8.8:53
iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8:53 || true
iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.8.8:53 || true
iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8:53
iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.8.8:53
and also:
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222:53 || true
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:53 || true
(4) I use a terminal emulator with the "getprop | grep dns" command to see my active DNS servers. But it's not showing recent changes made to the DNS from the other side, except changes made by myself.
Once I installed "Spyhunter4" on a PC and the "advanced DNS protection system" in "Spyhunter4" did the job so far. It showed the popup "Your DNS setting has changed, do you want to keep changes?" every time a DNS change attempt was made from the other side, and when I clicked on NO it reverted the DNS back to Google, OpenDNS etc. This pop-up appeared like 100 times in a minute, but later when I connected my PC to the internet he (the hacker) was able to make changes to the "comodo firewall" rules and Spyhunter4 did not work anymore. When you open Spyhunter4 it updates its database every time you launch it, and that was also disabled. I know that because I had seen many IPs (belonging to the hacker) in Comodo KillSwitch with established connections to my PC.
I think something which locks my specified DNS (Google, OpenDNS etc.) and prevents it from changing will solve the problem.
Maybe experts here will get to the root of the problem by simply looking into these DNS servers:
[39.39.39.39]
[182.176.100.141]
But again I want to add here that the "hacker" does not need me to connect to the internet to change my DNS servers or view my phone.
[Hacker = works in an NSA-type agency (I am not wanted by any agency, but the guy uses official resources for personal gain, for his friend)]
Regards
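An added example, not from the post or from any of the apps it names: instead of re-setting the net.*dns* properties and hoping, poll them and report whenever one points at a resolver you did not pin. The property names and `getprop` output format are Android's; the sample output below is constructed, with the 39.39.39.39 address taken from the post.

```shell
#!/bin/sh
# On the phone the shebang is #!/system/bin/sh. Added example, not from the thread:
# a watchdog for Android's resolver properties (net.dns1, net.rmnet0.dns1,
# dhcp.wlan0.dns1, ...). It compares what `getprop` reports against a pinned
# allow-list and prints every property that points somewhere else.

PINNED_DNS="208.67.222.222 208.67.220.220"   # the resolvers the poster wants locked

# unexpected_dns ALLOWLIST : reads `getprop` output on stdin and prints
# "property value" for each *.dns* property whose value is not in ALLOWLIST
unexpected_dns() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^\[(net|dhcp)\.[a-z0-9.]*dns[0-9]+]: \[/ {
        key = $1; gsub(/[^a-z0-9.]/, "", key)        # "[net.dns1]:" -> net.dns1
        val = $2; gsub(/[^0-9a-fA-F.:]/, "", val)    # "[1.2.3.4]"   -> 1.2.3.4
        if (val != "" && !(val in ok)) print key, val
    }'
}

# watch_dns ALLOWLIST [SECONDS] : poll on a rooted phone and print each deviation
# with a timestamp; redirect to a file to keep a record of when the change happened
watch_dns() {
    while :; do
        getprop | unexpected_dns "$1" | while read -r key val; do
            echo "$(date) resolver changed: $key=$val"
        done
        sleep "${2:-10}"
    done
}

# Constructed sample of `getprop` output (39.39.39.39 is the address named in the post).
SAMPLE_GETPROP='[dhcp.wlan0.dns1]: [192.168.1.1]
[net.dns1]: [208.67.222.222]
[net.dns2]: [39.39.39.39]
[net.hostname]: [android-1234]
[net.rmnet0.dns1]: [208.67.220.220]
[net.rmnet0.dns2]: []'

# Offline demo:  sh dnswatch.sh --demo   (reports dhcp.wlan0.dns1 and net.dns2)
# On the phone:  watch_dns "$PINNED_DNS" 5 >> /sdcard/dnswatch.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETPROP" | unexpected_dns "$PINNED_DNS"
fi
```

The DHCP-supplied router address shows up as a deviation too, which is the point: decide which resolvers you trust, put only those in the allow-list, and everything else becomes a timestamped event you can line up with the iptables logs.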
Both websites show up only in Spamhaus; go to https://www.spamhaus.org/lookup/ to see. As far as iptables is concerned, you should be blocking the input to those IPs. To see your network traffic, use a sniffer. It seems though that the hacker is using a RAT (remote access trojan) or a script. For your phone I would take out the SIM, set up firewall rules and then connect to another network and see what happens. I would install a new updated ROM and see what happens; you can also try safe mode. The problem on your computer is another story... The key to doing these things is to get all the data you can (pcap files, user access logs) and then search online for help. On the computer it seems that Spyhunter does work, so trace back what turned it off. AFAIK using NSA tools, especially the unreleased ones (Wiki 7), gets you fired, so maybe someone at the NSA will believe you if you have the data to prove it.
Thanks a lot sir. You are right that I should block input to those IPs. And I think it will work.
Applied Protocol said:
Both websites show up only in Spamhaus; go to https://www.spamhaus.org/lookup/ to see. As far as iptables is concerned, you should be blocking the input to those IPs. To see your network traffic, use a sniffer. It seems though that the hacker is using a RAT (remote access trojan) or a script. For your phone I would take out the SIM, set up firewall rules and then connect to another network and see what happens. I would install a new updated ROM and see what happens; you can also try safe mode. The problem on your computer is another story... The key to doing these things is to get all the data you can (pcap files, user access logs) and then search online for help. On the computer it seems that Spyhunter does work, so trace back what turned it off. AFAIK using NSA tools, especially the unreleased ones (Wiki 7), gets you fired, so maybe someone at the NSA will believe you if you have the data to prove it.
Can you briefly explain to me how to set those iptables rules? As I said at the beginning of my thread, I am new to this kind of stuff. I followed the instructions from here (https://forum.xda-developers.com/ge...-to-change-dns-android-device-t3273769/page1) when I tried all the methods described in my thread. Thanks in advance.
Ykhann said:
Can you briefly explain to me how to set those iptables rules? As I said at the beginning of my thread, I am new to this kind of stuff. I followed the instructions from here (https://forum.xda-developers.com/ge...-to-change-dns-android-device-t3273769/page1) when I tried all the methods described in my thread. Thanks in advance.
Here is a full iptables script:
Code:
#!/system/bin/sh
###################################
#
# File name paranoidfw.sh
# Iptables secure paranoid Firewall script for Android
# Logging Everything With DNS protection
# By Applied Protocol
#
###################################
#
# Absolute paths (the shebang and these two lines were missing the leading slash)
IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables
# Logging uses the NFLOG target, which only understands --nflog-* options;
# --log-prefix/--log-ip-options/--log-tcp-options belong to the LOG target and
# make the rule fail to load. NFLOG copies the whole packet to netlink group 0,
# so a log reader (e.g. the one AFWall+ uses) sees every header anyway.
# DNS servers (every DNS query is redirected to the FIRST server in each list)
DNS_SERVER="1.1.1.1 1.0.0.1"
DNS_SERVER6="2606:4700:4700::1001 2606:4700:4700::1111"
# Block IP (leave the string empty to skip that loop)
BAD_IP=""
BAD_DNS="39.39.39.39 182.176.100.141"
### Reset
# Start with New Rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
$IP6TABLES -F
$IP6TABLES -F -t nat
$IP6TABLES -X
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -F -t mangle
$IP6TABLES -t mangle -X
### INPUT Chain
## Connection Tracking: drop INVALID first; ESTABLISHED,RELATED is accepted further
## down, AFTER the block lists, otherwise the "EST" drop rules could never match
$IPTABLES -A INPUT -m state --state INVALID -j NFLOG --nflog-prefix "DROP INVALID"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IP6TABLES -A INPUT -m state --state INVALID -j NFLOG --nflog-prefix "DROP INVALID"
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
## Block IP
for ip in $BAD_IP
do
$IPTABLES -A INPUT -s $ip -m state --state NEW -j NFLOG --nflog-prefix "DROP Bad IP NEW"
$IPTABLES -A INPUT -s $ip -m state --state NEW -j DROP
$IPTABLES -A INPUT -s $ip -m state --state ESTABLISHED,RELATED -j NFLOG --nflog-prefix "DROP Bad IP EST"
$IPTABLES -A INPUT -s $ip -m state --state ESTABLISHED,RELATED -j DROP
done
## Block Bad DNS: answers from a resolver come FROM port 53, so INPUT matches --sport 53
for ip in $BAD_DNS
do
$IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state NEW -j NFLOG --nflog-prefix "DROP Bad DNS NEW"
$IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state NEW -j NFLOG --nflog-prefix "DROP Bad DNS NEW"
$IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state NEW -j DROP
$IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j NFLOG --nflog-prefix "DROP Bad DNS EST"
$IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j DROP
$IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j NFLOG --nflog-prefix "DROP Bad DNS EST"
$IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j DROP
done
## Replies to connections the phone opened itself
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Selected DNS: answers from the chosen resolvers (udp and tcp, source port 53)
for ip in $DNS_SERVER
do
$IPTABLES -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
for ip in $DNS_SERVER6
do
$IP6TABLES -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
## Make sure that loopback traffic is accepted (and logged)
$IPTABLES -A INPUT -i lo -j NFLOG --nflog-prefix "LoopBack"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
### default INPUT LOG rule: whatever reaches this point is dropped by the chain policy
$IPTABLES -A INPUT -j NFLOG --nflog-prefix "DROP"
$IP6TABLES -A INPUT -j NFLOG --nflog-prefix "DROP"
### OUTPUT Chain
## Loopback must be allowed out as well, or local services stop working
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
## Block IP
for ip in $BAD_IP
do
$IPTABLES -A OUTPUT -d $ip -m state --state NEW -j NFLOG --nflog-prefix "DROP Bad REQ NEW"
$IPTABLES -A OUTPUT -d $ip -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -d $ip -m state --state ESTABLISHED,RELATED -j NFLOG --nflog-prefix "DROP Bad IP REQ EST"
$IPTABLES -A OUTPUT -d $ip -m state --state ESTABLISHED,RELATED -j DROP
done
## Block Bad DNS: queries TO the bad resolvers (destination port 53). The nat rules
## below already rewrite every query, so these only bite if NAT is missing.
for ip in $BAD_DNS
do
$IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW -j NFLOG --nflog-prefix "Bad DNS NEW udp"
$IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW -j NFLOG --nflog-prefix "Bad DNS NEW tcp"
$IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state ESTABLISHED,RELATED -j NFLOG --nflog-prefix "DROP Bad DNS EST"
$IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state ESTABLISHED,RELATED -j DROP
$IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state ESTABLISHED,RELATED -j NFLOG --nflog-prefix "DROP Bad DNS EST"
$IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state ESTABLISHED,RELATED -j DROP
done
## Selected DNS: queries to the chosen resolvers
for ip in $DNS_SERVER
do
$IPTABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW -j ACCEPT
done
for ip in $DNS_SERVER6
do
$IP6TABLES -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW -j ACCEPT
done
# Everything not accepted above is dropped by the OUTPUT policy; add ACCEPT rules
# here for any other traffic that is meant to leave the phone.
### nat OUTPUT: rewrite DNS queries. Locally generated packets pass nat OUTPUT before
### filter OUTPUT, so the "Other DNS REQ" log must sit here to see the original
### destination. Queries already headed for a selected server are left alone (RETURN);
### the rest are logged once and sent to the first selected server. Appending one DNAT
### per server, as the original did, is pointless: only the first rule ever matches.
for ip in $DNS_SERVER
do
$IPTABLES -t nat -A OUTPUT -p udp -d $ip --dport 53 -j RETURN
$IPTABLES -t nat -A OUTPUT -p tcp -d $ip --dport 53 -j RETURN
done
set -- $DNS_SERVER
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j NFLOG --nflog-prefix "Other DNS REQ"
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j NFLOG --nflog-prefix "Other DNS REQ"
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "$1:53"
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination "$1:53"
for ip in $DNS_SERVER6
do
$IP6TABLES -t nat -A OUTPUT -p udp -d $ip --dport 53 -j RETURN
$IP6TABLES -t nat -A OUTPUT -p tcp -d $ip --dport 53 -j RETURN
done
# an IPv6 address with a port must be written in brackets
set -- $DNS_SERVER6
$IP6TABLES -t nat -A OUTPUT -p udp --dport 53 -j NFLOG --nflog-prefix "Other DNS REQ"
$IP6TABLES -t nat -A OUTPUT -p tcp --dport 53 -j NFLOG --nflog-prefix "Other DNS REQ"
$IP6TABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "[$1]:53"
$IP6TABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination "[$1]:53"
exit 0
### EOF ###
To explain: this script is mainly a DNS script; it changes over your DNS requests to a different IP. It does need NAT for IPv4 and IPv6 compiled into the kernel.
All logging is done with all the info of the packet (not pcap).
First define your good DNS and bad DNS and other IPs to block (if blank, comment it out with # in the commands below). Do not use IPs for DNS, the logs will not be clear.
Then we start from fresh iptables chains, zeroing the chains.
Next, connection tracking is turned on so unsolicited requests do not work; it will drop and log them.
Bad IP and bad DNS IP both block IPs; for DNS this is only port 53. It will drop and log new connections and old ones; it logs them separately.
Selected DNS is the preferred DNS servers, only to be allowed in if requested; this allows only old connections.
Any non-requested (new) connections are dropped and logged.
Loopback is allowed and logged also.
The same idea is in the OUTPUT tables.
Any other DNS requests are logged and passed on to have their IP changed.
That said, the script is used by checking the logs (a colored log viewer helps!) and seeing how many times the rules were hit; this can be done with
Code:
iptables -nvL
ip6tables -nvL
If you do believe that someone is using NSA tech on you, I would save the phone image with adb and dd and share it with the security community (first saving your data and deleting it temporarily).