Hi XDA community!
I've been working on my first real Android application for a few weeks now, and I just released it on the Google Play Store.
I'm posting here because some developers around here could be interested.
It's a front-end to dropbear, a minimalist SSH server.
It allows you to SSH into your Android phone and also to use SCP.
It is highly configurable and accepts a master password and/or public keys.
Feel free to give feedback / reports / anything.
https://play.google.com/store/apps/details?id=me.shkschneider.dropbearserver
Source is up on github and many thanks to the people listed in my README file.
Well, I installed it on a rooted Samsung Galaxy 2 with NeatRom kernel (Android 4.0.3). Installation is OK, but when I start the server the application remains blocked on the "Starting server, please wait ... 0% ... 0/100" window.
I waited several minutes but it does not move.
Does this app have any advantages over SSHDroid? (Other than lack of ads)
It is just another alternative.
Free
No ads
Open-Source (github)
Start/Stop/Started/Stopped intents for broadcasts
Configurable
Root/non-root access
...
Sadly I can't get this to run on my Evo3d gsm. Every time I try to connect I get "Error connecting: Connection refused", even on the adb shell:
Code:
1|[email protected]:/ # ssh -p 1022 [email protected]
ssh -p 1022 [email protected]
ssh: exited: Error connecting: Connection refused
ssh on the adb shell works with other computers in the local network.
I tried ports 22 and 1022 with the same result, and tried almost every combination of the options. Certificates did not help either. One strange thing is that I get two IPs: one is the usual unknown.external.ip.address and the other is not my normal class C (192.168.0.xxx) IP I get over WLAN but some 10.156.xx.xx IP. After some digging I found out that that's the IP of the rmnet0 interface.
If you need any more information I am happy to provide you these as best as I can.
ls /sys/class/net returns:
Code:
dummy0
gannet0
ip6tnl0
lo
rmnet0
rmnet1
rmnet2
rmnet3
rmnet4
rmnet5
rmnet6
rmnet7
sit0
wlan0
I couldn't get dropbear to start on my GNex, but OK on the N7. Dropbear starts OK if I run it in a terminal. GUI just stuck at 'server stopped'.
Sent from my Nexus 7 using Tapatalk 2
Just updated, and now force closes on both
Latest update works great, thanks again
Not working for me on Moto XT910 with MIUI ICS. Even though I allowed it root, it forever says "Root privileges KO, Dropbear Status KO, Server status error"
I know the thread is a bit old and there is already a second release of this app, but I couldn't find any thread about it.
I have been running the server successfully and managed to make a connection over the local network. However, I get timed out when trying to connect over the mobile network. This should be possible, right? Or am I missing something here?
Thanks,
HolySid
Where should I place my .ssh hosts file?
What I wanted was a simple, secure way to access my home computer remotely from my Android phone. I know there are VPN options, but I've seen that cause battery drain issues if in constant use, and it is also more than I wanted/needed to set up. I know I could just set up an SSH server, but leaving port 22 open on the remote computer for anyone to scan and hack the password seemed too insecure for me. So I came up with this solution and have been using it for about 2 years now without any problems. I thought maybe I should share this method since it may be of use to someone else, and I don't know of anyone else putting all these together for use with Android.
What this does:
By running a small script on your Android phone in a terminal (only 2 commands), your phone knocks 3 specific ports in a specific order (like a combination lock); your remote computer recognizes this order and opens port 22 for 10 sec. Your script then SSHs to the remote computer on port 22 and you log in. Port 22 on the remote computer then closes so no one else can see it, but the keep-alive feature keeps your SSH session open so you can do whatever you need, for as long as you like, without worrying about someone port sweeping the remote computer and seeing the port open, or brute-forcing an SSH password on it. You with me so far?
Now the SSH session also uses port forwarding to forward port 5900 from the remote computer to port 5900 on the localhost of the Android phone. Now you can open your VNC client and connect to the remote computer through your SSH tunnel and see your X11 desktop. So you now also have a secure VNC connection! All this is done securely and only runs on demand.
While this may look like a lot to set up, it's actually quite easy and should only take about 15 min tops. This tutorial should be complete, but if I've forgotten anything, let me know and I'll be sure to update this page.
In other words, run two simple commands within a script and you have secure access to your remote computer from your phone! Enjoy!
Pros:
- Secure
- Works on 3G and wifi
- Runs on all android versions
- Works on all X11 GUIs (GNOME, KDE, etc.), assuming a VNC session is also desired.
- Fun!
Problems:
- This only works on Linux computers, although I'm sure there is a way to set up port knocking on Windows. I have no use for this, but if people are interested, I can add a way to my tutorial as well.
Howto:
Setup Remote Computer:
First we need to set up the remote computer. This is geared towards Debian/Ubuntu, but small adjustments should have it working on all distros (I'm using Debian Squeeze personally). Let's begin:
First we need to install a few packages if they are not already there:
Code:
apt-get install openssh-server x11vnc knockd
Now let's configure your SSH daemon. Using nano or another text editor, edit /etc/ssh/sshd_config:
Change the following line to read as follows:
Code:
PermitRootLogin no
This will disable root login, so you will log in as a user and then su to root (you can leave root login enabled if desired; it's just less secure and not recommended).
Next we need to edit our iptables, so open /etc/network/if-pre-up.d/iptables and add the following:
MAKE A BACKUP FIRST OF THIS FILE
Code:
# Accept loopback traffic (the SSH tunnel reaches x11vnc over localhost)
iptables -A INPUT -i lo -j ACCEPT
# Accepts all established inbound connections (adjust eth0 to your interface)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
iptables -A OUTPUT -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
Now we setup our port knocking. Edit /etc/knockd.conf:
Code:
[options]
UseSyslog

[openSSH]
sequence = port1,port2,port3
seq_timeout = 5
# open port 22 for NEW connections; -I puts the rule ahead of the REJECT
command = /sbin/iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
cmd_timeout = 10
# after 10 sec remove the ACCEPT again (an ESTABLISHED session stays up)
stop_command = /sbin/iptables -D INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
# a different sequence, otherwise one knock would trigger both sections
sequence = port4,port5,port6
seq_timeout = 5
command = /etc/init.d/ssh stop
tcpflags = syn
The section [openSSH] is what opens the port for 10 sec by running the iptables command and then drops the packets after the time expires, running the stop_command. The section [closeSSH] is not needed. It was a failsafe I use in case I want to disable ssh if I thought I was getting hacked and could not login. This is also left to show how you can use the knocking to run different commands using another sequence of ports (for ftp, etc.)
Now let's restart the network interface and restart the knock daemon:
Code:
# ifup runs the /etc/network/if-pre-up.d hook (plain ifconfig would not);
# adjust eth0 to whatever interface you use normally
ifdown eth0 && ifup eth0
/etc/init.d/knockd restart
# the Debian service is called "ssh", not "sshd"
/etc/init.d/ssh restart
Test your internet and make sure it works. To make sure you have it set up to run on boot, first determine your runlevel:
Code:
runlevel
Make sure knockd and ssh are in /etc/rcX.d (where X equals your runlevel). If not, add them:
Code:
ln -s /etc/init.d/knockd /etc/rcX.d/S02knockd
And so on for ssh if needed (again, adjust X to equal your runlevel).
Setup X11VNC password:
Code:
x11vnc -storepasswd
Create a script at ~/bin/x11vncserver and add this to it:
Code:
#!/bin/bash
x11vnc -safer -forever -usepw -noxdamage
The "-noxdamage" fixes a display problem of the desktop not updating in the Android VNC client. Now, if using GNOME and you only care about VNC login for one user, go to System → Preferences → Startup Applications → Add →
Name = VNC Server
Command = x11vncserver &
Or, for access by any user, add this to /etc/gdm3/Init/Default:
Code:
x11vnc -safer -forever -usepw -noxdamage
DONE! (KDE will be similar but slightly different to load on login, post if help is needed)
Setup android phone:
Create a script called knockh in /system/xbin, then add this:
Code:
#!/system/bin/sh
# knock port1, port2, port3 in that order (one TCP connect attempt each)
for p in port1 port2 port3; do nc -z [ipaddress] $p; done
# open the SSH session and forward local port 5900 to the remote computer's VNC port 5900
ssh -L 5900:localhost:5900 [user]@[ipaddress]
Replace the ipaddress with your own (google "what is my ip" if you don't know your external IP). Replace the ports with the ones used in the knockd config file above. Change the user to whatever user has SSH rights. Then:
Code:
chmod 755 /system/xbin/knockh
Now run knockh in the terminal and you should see a login for ssh on your remote computer.
Next download “android-vnc-viewer” from the market (it’s free). Create a new connection by selecting “new” from the dropdown box.
Create a nickname, enter your x11vnc password, address is "localhost" and port is "5900". For 3G connections, I recommend 8 colors, for WiFi 256. I also check the "Local mouse pointer" checkbox. Now click connect and see your desktop!
(If you are on your local wifi network be sure to create another connection for your local ip address)
Fixes:
Keep in mind this is for remote networks, if you are on your local lan, this won’t work without changing the ip address.
If using a router or modem, set up port forwarding to your remote computer for TCP ports 5900, 22, port1, port2, port3 (your port knocking ports). Also make sure to set up a static DHCP lease for the remote computer so your router/modem doesn't change its IP address and leave you unable to connect.
If you are using an ISP that doesn't give you a static IP address for your router, you will not be able to log in whenever they change it; you'll have to update the script first with the new IP. A solution is to set up a dynamic DNS, using dyndns.org or something similar. Free options are out there, just google it.
I hope this helps, please post if you have any questions, comments, etc. Enjoy!
-Mike
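To make the open/close timing of the knockd setup above concrete, here is an added Python model of a knock daemon (example code, not part of Mike's post or of knockd itself): per source address it matches SYNs against each section's sequence within seq_timeout, fires the section's command, and runs stop_command after cmd_timeout. It also checks for sections that share a sequence, in which case one knock fires all of them. The ports 7000/8000/9000 and the packet trace used in testing are constructed, and the matching rules are a simplification of knockd's.

```python
from dataclasses import dataclass


@dataclass
class Door:
    """One [section] of knockd.conf: the sequence and its timers."""
    name: str
    sequence: tuple           # ports that must be hit in this order
    seq_timeout: float        # seconds allowed from the first knock to the last
    cmd_timeout: float = 0.0  # seconds until stop_command runs (0 = no stop_command)


@dataclass
class Attempt:
    """How far one source address has got through one door's sequence."""
    stage: int = 0
    started: float = 0.0


class KnockDaemon:
    def __init__(self, doors):
        self.doors = doors
        self.attempts = {}       # (door name, source ip) -> Attempt
        self.pending_stops = []  # (due time, door name, source ip)
        self.log = []            # (time, event, door name, source ip)

    def _run_due_stops(self, now):
        for entry in sorted(p for p in self.pending_stops if p[0] <= now):
            self.log.append((entry[0], "stop_command", entry[1], entry[2]))
            self.pending_stops.remove(entry)

    def packet(self, t, src, dport, syn=True):
        """Feed one TCP packet; with tcpflags = syn only SYNs count as knocks."""
        self._run_due_stops(t)
        if not syn:
            return
        for door in self.doors:
            key = (door.name, src)
            a = self.attempts.get(key, Attempt())
            # a partial sequence older than seq_timeout is thrown away
            if a.stage and t - a.started > door.seq_timeout:
                a = Attempt()
            if dport == door.sequence[a.stage]:
                if a.stage == 0:
                    a.started = t
                a.stage += 1
                if a.stage == len(door.sequence):
                    self.log.append((t, "command", door.name, src))
                    if door.cmd_timeout:
                        self.pending_stops.append((t + door.cmd_timeout, door.name, src))
                    a = Attempt()
            elif dport == door.sequence[0]:
                a = Attempt(stage=1, started=t)   # wrong port, but it restarts the sequence
            else:
                a = Attempt()                     # wrong port: sequence broken
            self.attempts[key] = a

    def events(self, until):
        """Every command/stop_command fired up to time `until`, in time order."""
        self._run_due_stops(until)
        return [(e[1], e[2], e[3]) for e in sorted(self.log)]


def duplicate_sequences(doors):
    """Sequences shared by more than one section: one knock would fire all of them."""
    seen, dup = set(), set()
    for d in doors:
        if d.sequence in seen:
            dup.add(d.sequence)
        seen.add(d.sequence)
    return dup
```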
On some ROMs, the busybox version of "nc" does not allow the -z option for knocking the proper ports. I've pulled the version of it from CM 7.2 and put it in my /system/xbin and full functionality has been retained. I've included both "nc" and "ssh" here and they should work fine if you are missing them. (Tested on my EVO LTE running mostly stock Sense ICS, but this is fine for other Android versions)
nc
ssh
Hope this helps!
-Mike
Hello,
Recently bought an android phone and I decided to register on XDA as it seems to be full of helpful members Thanks for this forum.
I have installed Droidwall on my phone running stock ICS. Droidwall does its job by allowing or denying application connections, so basically it allows an app to connect everywhere on the web or denies it. There are 2 modes: black and white list. I am using white list, meaning everything is rejected except the apps I have ticked (3G, WiFi).
What I am trying to achieve is configuring Droidwall to allow an application to connect only where I want it to (a specific IP or IP range). A simple example would be the built-in messaging application. It effectively needs to connect to the internet for MMS but not the whole web, simply to my carrier. This will prevent data leakage from applications that ask for abusive permissions, for example.
The good thing is that Droidwall allows custom scripts, so we can add rules to the iptables. Unfortunately I did not find any relevant example on XDA nor elsewhere.
I only found :
https://code.google.com/p/droidwall/wiki/CustomScripts
http://forum.xda-developers.com/showthread.php?t=1283162
I tried without luck :
Code:
$iptables -A droidwall -d xxx.xxx.xxx.xxx -m owner --uid-owner 10092 -j ACCEPT
or
$iptables -A "droidwall" -destination "xxx.xxx.xxx.xxx". -m owner --uid-owner 10092 -j ACCEPT
10092 is my application ID.
xxx.xxx.xxx.xxx the ip where I only want this application to connect to.
Any help would be greatly appreciated and could serve others.
Thank you even for reading this entire post.
I have ConnectBot configured to tunnel to a remote machine and the appropriate ports forwarded to access several services on that machine. As I understand it I further need a proxy layer to pass traffic to ConnectBot locally. I currently use proxydroid for this purpose. It worked the first time I configured it and I only recently found something about it I do not like and went in search of alternative proxy apps that might behave in the way I need.
The goal is to be able to write a Tasker sequence that connects the tunnel (completed this portion) and then activates the proxy. Unfortunately there is no automated way that I can determine to toggle proxydroid active/inactive. The interface, AFAICT, requires manual interaction in order to turn it on and off. proxydroid does have an option to automatically connect in the presence of certain networks, but that is almost entirely useless to me; in fact, it would be better if it could connect when a particular network is NOT present.
Anyhow, in my search for alternative proxies I discovered a few apps that have some serious potential but hardly work:
Auto Proxy (not to be confused with AutoProxy): Is free, has amazing options for autoconnecting based on IP strings (which would be super and not involve Tasker at all) and has some of the more unique features. Unfortunately this proxy does not work in the least. I may be doing it wrong, but it should be kept in mind that I can easily use proxydroid, so the settings are a known factor.
AutoProxy Lite: Is free, has fairly limited options and requires the paid version to autoconnect, but even then autoconnection appears to be based on network presence which, as I have mentioned, is useless. This one I can get to work, although I have to enter the necessary ports in the forwarding section, which is really strange to me. The port forwarding should be happening at the tunnel, not at the application layer, but whatever, if it works. The interface leaves much to be desired, options are extremely limited and I just don't get the warm fuzzies about using the app. Using the free version will result in nag screens which will trip up any automated use.
Sandroproxy: Is free, appears to be fairly configurable and would be easy to automate with Tasker. Unfortunately this proxy doesn't work at all either. I appreciate the direct iptables output this one offers.
iptables, yes, now that we are talking about iptables I have some questions. I have a passing understanding of iptables/ipchains and can parse an iptables stack and can do some mediocre manual entry into one. However, regardless of which proxy I activate a listing with "iptables -L" always indicates a stock iptables stack. I've read that kernel level support must be enabled for iptables to work which would explain the failure of the 2 apps that don't work at all and the unchanging iptables list output. I'm using CleanKernel which is stock with some CPU frequency change allowance and some optimizations but nothing added outside stock. So, does a stock GS3 kernel support iptables/netfilter? Are the working apps using a method outside iptables? I suspect my iptables works fine but I'm missing something about how to get appropriate listing from it.
What the hell is keeping the other apps from working?
Any help is appreciated, even if it is input on passing startup info to proxydroid, which "just works" 100% of the time.
Hi,
As far as I can understand, you have a tunnel from Android to a machine and you want some application to use it.
So you probably want to redirect some Android port to the Android tunnel port.
Something like this one:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009
This will redirect all tcp that process (uid-owner) wants to make to destination port 80 to android port 8009.
You will see iptables NAT table with:
iptables -t nat -L
And you need proper version of iptables (iptables -V). 1.4 or higher should work with redirection.
You don't need SandroProxy to achieve that.
iptables v1.4.11.1: check
netstat -tulnp | grep 8080 verifies ConnectBot listening on 8080: check
(why simply appending :8080 to the address IP doesn't hit CB without proxying it there was initially confusing but below i discuss the socks proxy)
(note, establishing proxydroid on any port that CB is forwarding will result in xxx.xxx.xxx.xxx:$port being forwarded through the tunnel so long as $port is in CB's config to forward since proxydroid is currently configured as a global proxy)
I tried a few variations of your supplied iptables append string with no positive results which is fitting with the below discussion about no socks proxy in place.
Armed with the knowledge that there is more than one table and I was simply listing the filtering table I fired up proxydroid and listed the NAT table and found all traffic redirected to port 8123. Netstat confirmed redsocks listening on port 8123. So, this leads me to believe that the missing element in simply redirecting traffic to port 8080 or any other tunneled port is a socks5 proxy.
I am currently chewing through this link: http://przemoc.net/tips/linux#making_socks_proxy_transparent with the intent of leveraging iptables and redsocks to perform the needed redirects manually, possibly switched on and off with shell scripts executed by Tasker (although, if I can successfully configure it to redirect based on destination IP/address then, for my purposes, the only automation required is that which I have already achieved: establishing and shutting down the tunnel).
Any further insight you have to the above ends is greatly appreciated and I thank you for your input to date.
I will try with some simple Apache/ConnectBot/telnet configuration and let you know.
I tested and it works.
How I set up the environment:
1. PC with apache running on port 80. Tested with telnet localhost 80 and GET<ENTER> that some response is shown.
2. android with connectbot port forwarding from android localhost 8100 to PC port 80. Tested with android telnet localhost 8100.
3. Found out the app ID of the browser on Android with the ps command and used the same ID in the iptables rule:
iptables -t nat -A OUTPUT -m owner --uid-owner app_4 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8100
4. Checked that the iptables rules show the redirection:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere owner UID match app_4 tcp dpt:www to:127.0.0.1:8100
5. Open browser with http://www.google.com url. It should show default page on my PC apache server instead of google first page.
Your environment seems optimal for making this work. And, maybe I need to reevaluate my remote end environment.
Currently the ssh daemon operates on a server machine that also includes a socks5 proxy for allowing unrestricted and encrypted access from any location. The service interfaces I wish to access remotely, however, reside on a separate machine on the same network. This means that the IP:port has to pass unmolested through the tunnel. The socks5 proxy on the sshd machine is irrelevant to this process, it should be noted. However, as I understand it, the port being forwarded through the tunnel does have to be a dynamic port in order to appropriately reach the second PC. Dynamically forwarded ports are handled with a socks protocol in ConnectBot.
So my environment is as follows
192.168.1.101 serves sshd on port 22.
192.168.1.100 serves interfaces on ports 2100, 8080, 80801 and 8082.
From the android device (S3) I expect to enter the address 192.168.1.100:8080 into a browser and have the related service interface be accessed remotely. This is exactly what occurs with the appropriate ports forwarded from ConnectBot and using proxydroid as a global proxy or even as a proxy tied directly to the app similar to your iptables string that matches the owner application. It should be noted that since the port is dynamic it really only requires ConnectBot to have a single port forwarded and for the redirection to jump to that port regardless of the originating port (say, 8080 or 8081 or 2100) because the originating port passes the tunnel unmolested in this configuration.
It sounds like I could relocate the sshd to the PC hosting the service interfaces and alleviate this issue (maybe, possibly) of having to use dynamic ports and use a more traditional explicit local to remote port forwarding scheme. However, knowing that it can be achieved otherwise leads me to seek a solution that doesn't require reconfiguration of the remote PCs and all of the various machines I have configured to access this configuration remotely for other purposes.
I did try your iptables string exactly and also without the owner application matching making it a more global redirect if I parse it correctly. I also tried these configurations with ConnectBot configured with traditional instead of dynamic port forwards but neither way works.
I still believe that the proxydroid method is succeeding because it includes the socks5 proxy layer via redsocks. I believe but cannot prove that this is what enables the dynamic port forwarding to work through the tunnel. While the method you are outlining makes good theoretical sense it is failing in practice.
All that said, I decided to run a test wherein I redirected all traffic on port 80 to port 6543 and then configured connectbot to forward from port 6543 to port 8118 which should engage my remote socks5 proxy and use my remote internet connection. It appeared to work and to double check I disconnected ConnectBot yet somehow my android browser still had no issues accessing internet sites on the 4g connection. So, apparently iptables is being ignored entirely or I am completely missing the boat, here.
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Explain how that successfully fetches http requests despite having a service listening on 6543 to facilitate it.
Not sure if it was required to use that -m match switch to tie the iptables rule to an application so I tried:
ps | grep lan =
Application is 23094
therefore
iptables -t nat -A OUTPUT -m owner --uid-owner app_23094 -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere owner UID match app_23094 tcp dpt:www to 127.0.0.6543
Same result; not tunnel or service listening on 6543 but successful fetch of http requests.
Before I investigate further...
Is this a typo, or does iptables not work okay?
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:6543
iptables -t nat -L =
OUPUT
DNAT tcp -- anywhere anywhere tcp dpt:www to 127.0.0.6543
Yeah, that was a typo into the forum.
I have globally redirected all port 80 traffic to localhost port 6543 with no service listening on 6543 yet any browser will successfully fetch pages. It seems iptables is being ignored entirely although it should be noted proxydroid modifies iptables to a successful result.
Just for fun I installed DroidWall and blacklisted both browsers on my phone. Neither browser has any issues whatsoever retrieving webpages despite the blocks. I listed the iptables to verify there are indeed blocks in place. My iptables are being ignored entirely. Any input to this regard would be quite helpful. Obviously any attempts to manipulate packet redirection with iptables is meaningless if the tables are ignored.
Strangely, proxydroid is effective and it is making changes to iptables when enabled, so I have no idea WTF at this point.
Okay, I deleted all chains which seems to have cleared up the issue with all rules being ignored. If I am not mistaken my output chain was being directed to a chain called samsung_market_policy so, if I wasn't placing the rules within that chain (and I was not) they were being jumped before they could be read. I have no idea what breaks when you remove the samsung_market_policy chain but considering it was an empty chain I suppose nothing.
That said, I can now successfully redirect port 80 traffic to port 6543:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 6543
^^^If no service listens on 6543 the browser provides an error message as expected. With ConnectBot listening on 6543 and forwarding through the tunnel to remote port 8118, where I have a proxy server listening, the pages fetch. Note a socks5 proxy is listening on the remote machine at port 8118 to manage the retrieval of the pages.
Sooooo, now I flush the above rules and enter:
iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 127.0.0.1:8080
^^^Should, in my understanding send all tcp traffic of any variety to localhost port 8080 where I have ConnectBot configured to forward dynamically to the remote machine.
Passing any address of any variety fails in this instance. There is a service listening on remote machine 192.168.1.100:8080. This address fails where it would not do so with a local socks5 layer. Google.com fails as well, which makes sense considering there is no proxy to perform the domain resolution but so does passing 74.125.137.138 which is Google.com's direct IP address.
I have further testing to do and will report back. If you have any input I am eager to hear it.
I will add that I am back on the same merry go round:
2 of the proxies do not work 2 of them do. The 2 that do will not connect without direct user interface on screen. At any rate, I remain convinced a local proxy layer is needed for my purposes.
The 2 proxies that do work are explicitly socks5 while the 2 that are not simply state they are socks.
Sorry that I am not very active lately. Quite busy so I can not make some proof of concept environments.
But now that you have working tunnel you can have proxy on PC side that will do all the work?
You just set in Settings->Wifi->Modify Network->Show advanced settings->Proxy->Manual->localhost 8080 on android.
And have some squid, apache proxy active on the other side of tunnel.
Yes, this works... for a wifi connections. However, I am rarely connected to wifi and when I am it is the network that the remote pcs are attached to so all of this becomes unnecessary.
For a 3G/4G connection I need to either:
A) Easily and automatically toggle a global proxy on and off (the main complaint with proxydroid is this missing feature)
or
B) Make a permanent redirect of destination IP 192.168.0.0/8 to the proxy without stripping the destination port information so that the transport carries that information.
A kludge solution I am currently using is to install FireFox mobile and then the Network Connections plugin which allows all FireFox traffic to be pointed to my ConnectBot tunnel. Then, in this way, to access my remote service I simply use FireFox Mobile and my other browsers for normal traffic.
This is a less than ideal solution, unfortunately, as I would like to be able to use any browser and also and more importantly other applications such as AndFTP, which fail unless a local socks5 layer is transporting the destination IP AND Port through the tunnel. That is, if AndFTP or a normally configured browser are pointed to the tunnel then the port information only serves the purpose of reaching the tunnel and is not transmitted to the remote end for connecting to remote services on their respective ports. There HAS to be a local transport layer that is moving the destination IP AND Port unmolested to and through the tunnel.
All that said, I suspect my earlier attempts at iptables redirection were successful at transmitting the packets TO the remote computer but additional rules must be configured to parse the incoming packets FROM the remote computer.
My next efforts will be directed at creating a shell script that sets up a redsocks proxy and an iptables redirection for the 192.168.0.0/8 range to that proxy. Which, is effectively recreating the efforts of people like yourself who wrote applications such as Sandroproxy, proxydroid and Auto Proxy. I will also be sending a request to proxydroid developers for an easier on/off toggle such as a checkbox instead of the current slider which cannot (as far as I know) be automated or, even better, to have that proxy auto-effect for a destination IP range.
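The requirement stated above, that the destination IP and port travel through the tunnel, is exactly what a transparent SOCKS redirector such as redsocks provides: it asks the kernel for the original destination of a REDIRECTed connection (Linux SO_ORIGINAL_DST, which returns a struct sockaddr_in) and encodes that destination in a SOCKS5 CONNECT request to the local dynamic forward, so a plain DNAT to a fixed port never has to carry it. This is an added Python example, not code from the thread, from redsocks or from ConnectBot; the tunnel port 8080 and the sockaddr bytes and addresses used in testing are constructed.

```python
import socket
import struct

SO_ORIGINAL_DST = 80   # Linux netfilter getsockopt number at level SOL_IP


def parse_original_dst(sockaddr_in):
    """Decode the struct sockaddr_in that getsockopt(SOL_IP, SO_ORIGINAL_DST) returns.

    Layout: sa_family (2 bytes, host order), sin_port (2 bytes, network order),
    sin_addr (4 bytes), then 8 bytes of zero padding.
    """
    if len(sockaddr_in) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("=H", sockaddr_in[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("only AF_INET is handled here")
    port = struct.unpack("!H", sockaddr_in[2:4])[0]
    return socket.inet_ntoa(sockaddr_in[4:8]), port


def original_dst_of(conn):
    """Ask the kernel where a REDIRECTed connection was really going (Linux only)."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def socks5_greeting():
    # version 5, one authentication method offered: 0x00 (no authentication)
    return b"\x05\x01\x00"


def socks5_connect_request(host, port):
    """Build a SOCKS5 CONNECT (RFC 1928) that carries the real destination.

    IPv4 literals are sent as ATYP 0x01; anything else as a DOMAINNAME (0x03),
    which lets the far end of the tunnel do the name resolution.
    """
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Return (succeeded, bound address, bound port) from the proxy's CONNECT reply."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return rep == 0, addr, port


def relay_through_tunnel(conn, tunnel_port=8080):
    """Per accepted connection, what redsocks does: recover the original
    destination, open the local dynamic forward and hand it a SOCKS5 CONNECT."""
    host, port = original_dst_of(conn)
    proxy = socket.create_connection(("127.0.0.1", tunnel_port))
    proxy.sendall(socks5_greeting())
    if proxy.recv(2) != b"\x05\x00":
        raise ConnectionError("tunnel did not accept no-auth SOCKS5")
    proxy.sendall(socks5_connect_request(host, port))
    ok, _, _ = parse_socks5_reply(proxy.recv(262))
    if not ok:
        raise ConnectionError("CONNECT to %s:%d refused" % (host, port))
    return proxy   # the caller now pumps bytes between conn and proxy
```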
BACKGROUND:
The most basic tenet of network security is to run a tight firewall that blocks all incoming connections that the user did not initiate (some services do require new incoming packets to go through but that is a security issue and must be dealt with separately).
SECURITY ISSUE:
iOS provides a firewall pf ("packet filter") but it is turned off by default and is not configured. Major security issue. (I'm using iOS 12.5.4 on iPhone 6, not 100% sure about other devices and later iOS versions. Pretty sure it affects all devices and versions, though.)
SOLUTION:
It's not just a solution. It's a top priority requirement for all iOS device users to lock down their firewalls.
1) jailbreak your iPhone - this is the only way to access the pf firewall and secure your iPhone
2) install a terminal app
3) change root password
4) create a pf.conf file in ~. This is the pf firewall configuration file that will be used to filter packets. In this example, everything is blocked except basic internet access and connectivity on WiFi interface that is initiated by the device.
Code:
set skip on lo0 #never filter loopback, local services need it
scrub in all
block in all #default behavior block everything
block out all
block quick proto tcp to 17.0.0.0/8 #Apple IPs used by analytics - a concern, kept connecting unsolicited
pass out on en0 inet proto udp from any to any port = 53 keep state #required for DNS
pass out on en0 inet proto tcp from any to any port { 80 443 } keep state #HTTP and HTTPS
pass quick on en0 inet proto udp from any port { 67 68 } to any port { 67 68 } keep state #WiFi DHCP
5) enable the firewall with the above configuration:
Code:
pfctl -F all -f ~/pf.conf -e
COMMENTS:
pf is also limited in comparison with its Linux analog, iptables, in that it cannot filter by process ID. This iOS shortcoming is awful and a security issue.
ADDITIONAL HARDENING:
As a next step you can close all unneeded serial ports/TTYs. For example, on iPhone 6 you will have cell signal with the ability to use cell services and use Wi-Fi if you:
Code:
chmod 000 /dev/tty
chmod 000 /dev/tty.*
chmod 000 /dev/uart.*
chmod 000 /dev/cu.*
# cu.debug is required for cell connectivity and cu.gas-gauge for battery stats
chmod 006 /dev/cu.debug
chmod 006 /dev/cu.gas-gauge
Then, restart CommCenter, bluetoothd, wifid.
You can unload com.apple.nfcd entirely because you will not be able to change permissions/close nfc's ports/TTYs.
Unload com.apple.BlueTool, it's Bluetooth and it's a hack vulnerability, until at least you can filter it.
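An added Python model (not from the post and not pf itself) of how pf evaluates the rule set from step 4 above: the last matching rule decides unless a matching rule carries quick, and a pass with keep state lets the replies of that connection back in. The rule set is copied from the post; the packets and addresses fed to it are constructed, and the parser only understands the syntax those rules use.

```python
import ipaddress
import re

# The rule set from the post above (comments dropped) so it can be evaluated here.
PF_CONF = """
scrub in all
block in all
block out all
block quick proto tcp to 17.0.0.0/8
pass out on en0 inet proto udp from any to any port = 53 keep state
pass out on en0 inet proto tcp from any to any port { 80 443 } keep state
pass quick on en0 inet proto udp from any port { 67 68 } to any port { 67 68 } keep state
"""


def _tokens(line):
    """Drop a trailing # comment and keep a '{ 80 443 }' list as a single token."""
    return re.findall(r"\{[^}]*\}|\S+", line.split("#", 1)[0])


def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _ports(tok):
    return {int(p) for p in tok.strip("{}").split()}


def parse_rule(line):
    """Parse one pass/block rule of the subset used in the post; other lines give None."""
    toks = _tokens(line)
    if not toks or toks[0] not in ("pass", "block"):
        return None
    r = dict(action=toks[0], quick=False, dir=None, iface=None, proto=None,
             src=None, sport=None, dst=None, dport=None, state=False)
    side, i = None, 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r["quick"] = True
        elif t in ("in", "out"):
            r["dir"] = t
        elif t in ("on", "proto"):
            i += 1
            r["iface" if t == "on" else "proto"] = toks[i]
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            i += 1
            r[side] = _net(toks[i])
        elif t == "port":
            i += 1 + (toks[i + 1] == "=")       # skip the optional '=' operator
            r["sport" if side == "src" else "dport"] = _ports(toks[i])
        elif t == "keep":
            r["state"] = True
        elif t not in ("inet", "all", "state"):
            raise ValueError("unsupported token %r" % t)
        i += 1
    return r


def _matches(r, p):
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    if r["iface"] and r["iface"] != p["iface"]:
        return False
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    for net, ports, addr, port in ((r["src"], r["sport"], p["src"], p["sport"]),
                                   (r["dst"], r["dport"], p["dst"], p["dport"])):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
        if ports is not None and port not in ports:
            return False
    return True


def evaluate(rules, p):
    """pf semantics: the LAST matching rule decides, unless a matching rule is 'quick'."""
    decision, winner = "pass", None          # pf passes traffic that no rule matches
    for idx, r in enumerate(rules):
        if _matches(r, p):
            decision, winner = r["action"], idx
            if r["quick"]:
                break
    return decision, winner


class Firewall:
    """Rule evaluation plus the state table that 'keep state' builds."""
    def __init__(self, conf):
        self.rules = [r for r in map(parse_rule, conf.splitlines()) if r]
        self.states = set()

    def filter(self, p):
        """Return ('pass'|'block', index of the deciding rule or 'state')."""
        reply_key = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if p["dir"] == "in" and reply_key in self.states:
            return "pass", "state"            # reply to a connection the device opened
        decision, idx = evaluate(self.rules, p)
        if decision == "pass" and idx is not None and self.rules[idx]["state"]:
            self.states.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
        return decision, idx


def pkt(direction, iface, proto, src, sport, dst, dport):
    # constructed packet description; direction is 'in' or 'out' seen from the device
    return dict(dir=direction, iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
```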