Android iptables Summary


Thanks to a friend for this; his blog: http://fonter.iteye.com/blog/search?query=iptables

For the common iptables commands themselves, see his blog.


On Android, iptables is mainly used for two things: transparent proxying and per-app firewalls.

Several open-source projects do this; they were hosted on Google Code, so look for them there:

DroidWall: per-app network firewall;

ProxyDroid: proxy client supporting several proxy protocols;

GAEProxy: proxy client with its own Python server side (running on Google App Engine); it appears usable for getting around network blocking.

All of the above require root, because changing iptables rules needs it.


How to implement a per-app firewall:

Use iptables to add rules to the filter table. In the OUTPUT chain, match packets leaving through the Wi-Fi or 2G/3G interface and send them to the REJECT or DROP target.

REJECT discards the packet and sends an error back to the sender (by default an ICMP port-unreachable). Here the sender is the local app, so its connection attempt fails immediately.

DROP discards the packet silently, so the app typically sees only a timeout. Both targets are terminating: once a packet matches, rule evaluation stops and later rules in the chain are not compared.

Either one leaves the app unable to reach the network, so you can choose whichever you prefer: DROP gives a slow failure, REJECT a quick, explicit one.


How to distinguish Wi-Fi from 2G/3G?

Use the -o parameter to tell whether a packet is leaving via the Wi-Fi or the GPRS interface.

Parameter: -o, --out-interface

Example: iptables -A FORWARD -o eth0

This matches the network interface the packet is sent out of (it is valid in the FORWARD, OUTPUT and POSTROUTING chains). A trailing "+" is a wildcard, so wlan+ matches wlan0, wlan1 and so on.

DroidWall's Api.java lists three Wi-Fi interface patterns: tiwlan+, wlan+, eth+

and six GPRS/3G patterns: rmnet+, pdp+, ppp+, uwbr+, wimax+, vsnet+


One question remains: how do we tell which app a packet came from?

iptables works at the network layer, below the application protocols, so a packet by itself carries no application identity. What the kernel can do, for packets generated on the local machine, is look up the socket that produced the packet and check the UID that owns it. On Android each installed app normally runs under its own Linux UID (starting at 10000), so matching on UID is effectively matching on app.

This uses the owner match, loaded with the extension option -m owner:

Example: iptables -A OUTPUT -m owner --uid-owner 500

Note: the owner match applies only to locally generated packets (OUTPUT and POSTROUTING chains); it checks whether the packet was produced by a socket belonging to the given user. On a server this is used to stop processes running as root or some other account from sending data out, limiting the damage if they are compromised. It cannot be applied to packets arriving from or forwarded for other hosts, because those have no local socket owner.


A complete example:

iptables -t filter -A OUTPUT -o wlan+ -m owner --uid-owner 10042 -j DROP

Explanation: append to the OUTPUT chain of the filter table (-t filter can be omitted, since filter is the default table) a rule that matches packets going out through an interface named wlan* and owned by UID 10042, and drops them. App UIDs on Android are 10000 plus the app's ID, so 10042 identifies one specific installed app.
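Putting the pieces above together (OUTPUT chain, the -o interface patterns, the owner match, and the REJECT/DROP choice) into one script. This is an added example written for this page, not DroidWall's own code: the chain name appwall, the function names and the DRY_RUN and IPTABLES variables are assumptions; the interface patterns are the ones quoted above from DroidWall's Api.java. Run it as root on the device, or with DRY_RUN=1 anywhere to only print the rules.

```shell
#!/bin/sh
# Added example for this page, not DroidWall's own code.
# Generates (and optionally applies) a per-app iptables firewall on a rooted
# Android device. Assumptions not taken from the post: the chain name
# "appwall", the DRY_RUN/IPTABLES variables and the helper names below.

# Interface name patterns quoted in the post from DroidWall's Api.java.
# A trailing "+" is an iptables wildcard (wlan+ matches wlan0, wlan1, ...).
WIFI_ITFS="tiwlan+ wlan+ eth+"
MOBILE_ITFS="rmnet+ pdp+ ppp+ uwbr+ wimax+ vsnet+"
CHAIN="appwall"                   # assumed name of our own chain
IPTABLES="${IPTABLES:-iptables}"  # path to the iptables binary

# gen_rules MODE NET UID...
#   MODE: drop   (silently discard; the app sees a timeout)
#         reject (discard and send an ICMP error; the app fails at once)
#   NET : wifi, mobile or both
# Prints one iptables command per line and executes nothing.
gen_rules() {
    mode="$1"; net="$2"; shift 2
    case "$mode" in
        drop)   target="DROP" ;;
        reject) target="REJECT" ;;
        *) echo "gen_rules: mode must be drop or reject" >&2; return 1 ;;
    esac
    case "$net" in
        wifi)   itfs="$WIFI_ITFS" ;;
        mobile) itfs="$MOBILE_ITFS" ;;
        both)   itfs="$WIFI_ITFS $MOBILE_ITFS" ;;
        *) echo "gen_rules: net must be wifi, mobile or both" >&2; return 1 ;;
    esac
    # Keep the app rules in their own chain so they can be flushed without
    # touching anything else in OUTPUT. -N and -D may fail harmlessly on a
    # first run (chain absent) or a rerun (chain present); the jump is
    # deleted before being re-added so it never appears twice.
    echo "$IPTABLES -t filter -N $CHAIN"
    echo "$IPTABLES -t filter -F $CHAIN"
    echo "$IPTABLES -t filter -D OUTPUT -j $CHAIN"
    echo "$IPTABLES -t filter -A OUTPUT -j $CHAIN"
    for uid in "$@"; do
        for itf in $itfs; do
            # -o: the packet leaves via this interface.
            # -m owner --uid-owner: the local socket that produced the packet
            # belongs to this UID, i.e. to this app.
            echo "$IPTABLES -t filter -A $CHAIN -o $itf -m owner --uid-owner $uid -j $target"
        done
    done
}

# count_rules MODE NET UID... : number of per-app rules gen_rules would add
count_rules() {
    gen_rules "$@" | grep -c -e '--uid-owner'
}

# apply_rules MODE NET UID... : run the commands (needs root on the device).
# With DRY_RUN set, only print them.
apply_rules() {
    if [ -n "$DRY_RUN" ]; then
        gen_rules "$@"
    else
        gen_rules "$@" | sh
    fi
}

# owner_match_supported: probe whether this kernel/ROM provides the owner
# match by adding and immediately deleting a harmless rule (needs root).
# Returns 0 if supported, 1 if iptables fails, e.g. with
# "No chain/target/match by that name".
owner_match_supported() {
    "$IPTABLES" -t filter -A OUTPUT -m owner --uid-owner 0 -j RETURN 2>/dev/null || return 1
    "$IPTABLES" -t filter -D OUTPUT -m owner --uid-owner 0 -j RETURN 2>/dev/null
    return 0
}

# Usage: DRY_RUN=1 sh appwall.sh drop both 10042 10057
if [ "$#" -ge 3 ]; then
    apply_rules "$@"
fi
```

With mode "both" and two UIDs the script emits 18 per-app rules (9 interface patterns times 2 UIDs) plus the four chain-management commands; blocking a third app is one more UID on the command line, and unblocking everything is just flushing the appwall chain.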


If running the command prints "No chain/target/match by that name", your ROM's kernel probably lacks the needed netfilter module (for the example above, the owner match, xt_owner).

iptables 1.4 or later is required.

The kernel must also be built with iptables support, so not every rooted ROM can do this.


That covers the app firewall for today; proxying comes in a later post (as a preview: the proxy side works on the nat table).

For code, refer to DroidWall: http://download.csdn.net/detail/luck_apple/4549925

From: http://blog.csdn.net/luck_apple/article/details/7929751
