Weird iptables issue with lollipop - One (M8) Q&A, Help & Troubleshooting

Update: This is resolvable by setting the firewall to blacklist mode and inverting the selection. While I prefer whitelist mode, this will work until I can find a better solution.
Note, when inverting, make sure that "All Applications" isn't checked. It isn't obvious, because it should also be left unchecked in whitelist mode, but this will block everything in blacklist mode.
First off, this is on the Dev Edition (Sense) Lollipop release. Phone is S-off/bootloader unlocked, but I doubt that matters. I am using AFWall+ to manipulate the firewall (iptables) configuration.
The problem is USB tethering. DNS requests aren't getting through to the tethered device no matter what I do if iptables is configured. I checked the logs and they showed that process -11 (kernel) was blocked from sending UDP (DNS) to the tethered IP address. However, I specifically enabled the kernel, -12 (tethering DHCP & DNS), and root apps for good measure. Nothing.
However, it is JUST DNS. If I use an onboard terminal to nslookup the name, I can use the IP address from the tethered machine just fine. It appears that TCP isn't being blocked, just UDP. Further, local apps have no problem accessing the network in any way - it's just the USB tethered PC that is having trouble. I have not tried WiFi tethering yet.
I have tried my usual app, DroidWall, and now AFWall+, but neither can get it done. Something seems to have changed in Lollipop, because this used to work in KitKat.
Any ideas?
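When a firewall app blocks traffic, the kernel's firewall log is the fastest way to see which chain and which owner the dropped DNS packets actually have. The parser below is an added example (it is not from the post above and not code from AFWall+ or DroidWall). It assumes the lines come from a netfilter LOG target with a log prefix and --log-uid, in which case the kernel prints a UID= field only for packets the phone itself generated; forwarded packets (IN= and OUT= both set, e.g. a tethered client's traffic) never carry a UID, so a per-app (uid) allow rule cannot match them and they need an interface- or subnet-based rule instead. The sample log lines, interface names and uids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: netfilter LOG output as the kernel writes it to dmesg
# for a LOG target with --log-prefix "AFL: " and --log-uid. These lines are
# made up for this example, not taken from the original post.
SAMPLE_LOG = """\
<4>[ 1023.114] AFL: IN= OUT=rndis0 SRC=192.168.42.129 DST=192.168.42.77 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=49712 LEN=53 UID=1014 GID=1014
<4>[ 1023.120] AFL: IN=rndis0 OUT=rmnet0 SRC=192.168.42.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4821 DF PROTO=TCP SPT=51012 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
<4>[ 1023.131] AFL: IN=rndis0 OUT=rmnet0 SRC=192.168.42.77 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=4822 DF PROTO=UDP SPT=40311 DPT=53 LEN=41
<4>[ 1023.140] AFL: IN= OUT=rmnet0 SRC=10.21.4.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=38010 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 UID=10089 GID=10089
"""

# KEY=value pairs; bare flags such as DF or SYN have no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Turn one LOG line into a dict, or None if it is not a LOG line.
    For repeated keys such as LEN the last value (the L4 one) wins."""
    fields = dict(FIELD_RE.findall(line))
    if "PROTO" not in fields:
        return None
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and out_if:
        direction = "forward"   # transit traffic, e.g. from a tethered client
    elif out_if:
        direction = "output"    # generated on the phone itself
    else:
        direction = "input"
    uid = fields.get("UID")
    return {
        "direction": direction,
        "in": in_if,
        "out": out_if,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        # Only locally generated packets carry UID=; forwarded ones never do.
        "uid": int(uid) if uid is not None else None,
    }


def parse_log(text):
    """Parse every LOG line in a dmesg/logcat dump."""
    recs = [parse_line(ln) for ln in text.splitlines()]
    return [r for r in recs if r is not None]


def summarize(recs):
    """Count dropped packets by (direction, owner uid, out iface, proto, dport)."""
    return Counter(
        (r["direction"], r["uid"], r["out"], r["proto"], r["dport"]) for r in recs
    )


def dns_without_owner(recs):
    """DNS (UDP/53) packets that have no UID. The owner match only sees
    locally generated packets, so no per-app whitelist entry can ever allow
    these; they must be permitted by interface or subnet (FORWARD chain)."""
    return [
        r for r in recs
        if r["proto"] == "UDP" and 53 in (r["sport"], r["dport"]) and r["uid"] is None
    ]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for key, count in summarize(records).items():
        print(count, key)
    for r in dns_without_owner(records):
        print("unowned DNS:", r["direction"], r["in"], "->", r["out"], r["src"], "->", r["dst"])
```

Run it against a real dump with `dmesg | grep AFL:` piped into `parse_log`; a drop whose summary key has `None` as the uid and `forward` as the direction cannot be fixed by enabling any app, including the special ones, only by a rule that matches the tethering interface or subnet.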

Related

VPN issues on Rooted EVO.. help!

I'm not certain if this is a kernel, ROM or software issue. I am running Fresh ROM 1.0.1 with the Netarchy 3.7.5 kernel, I have enabled the JIT compiler, and I have purchased the Xtralogic Remote Desktop Client version 1.14.0 and also use ES File Explorer for FTP/Samba.
I am able to authenticate and connect to our corporate VPN server. Once connected, I AM able to ping both from within the network to my device, and from adb-shell on my device to devices on the network. DNS resolution is working as expected over the VPN; search domains are setup properly.
However, upon establishing a connection (UDP or TCP) to any device on the remote network, my VPN connection dies (server side -- the android client still reads as connected). No bytes are received from the client anymore (per the corporate vpn software). I've tried this with RDP (UDP), SMB (UDP) and FTP (TCP). All three had the same result; upon initiating the socket, the VPN connection comes to a halt.
I know this worked when I was stock rooted.. and have only tried it again recently for a business trip in which RDP access to some remote servers would be a great big help. My changes are listed above: Fresh Rom 1.0.1, Netarchy 3.7.5 kernel, JIT enabled.
LogCat provides plenty of output for the VPN connection, but there is NOTHING logged when the "disconnect" occurs.
Any ideas?!
I received a response from the software vendor:
I received other reports about problems with VPN on Android. Unfortunately I don't have any solution to this problem. It is not RDP client specific; it looks like it is triggered by a certain amount of network traffic. You will get the same result if you try to browse the Internet on the phone when connected over VPN.
So, I ask if anyone can confirm or deny from their own device?

Can't run some network services on my G3

I'm trying to run some network services (servers listening for incoming connections) on my LG G3 phone. It's rooted, though all the services that I want to run do not require root to function (they use unprivileged ports).
Some network services work, while others do not. For example, Ice Cold Apps SSH server does not work, while droid VNC server does.
From what I'm able to see, services that bind to "0.0.0.0" as the listen IP address work fine and are accessible from everywhere (NAT notwithstanding), while services that bind to ":::" (IPv6) are only available from the phone itself (I test using ConnectBot's "telnet" mode). Such a service will respond to the phone's IPv4 address - when called from a local app - but will not respond to incoming connections from other devices on the network.
I don't have an IPv6 network that I can access, so I'm not sure if the problem is only for IPv4 devices or for all access.
I didn't have this problem with my previous phone - a Galaxy S2 running TouchWiz 4.1.2 or Cyanogenmod 11.
From looking at the output of iptables, I see there are many firewall rules, but I didn't see anything that should actually block content. I can paste the output of iptables if you guys want to take a look.
Any help will be much appreciated.
guss77 said: (quoting the post above)
Which G3 do you have? I have a T-Mobile version and have noticed that the phones do not have IPv4 support on mobile networks; they instead do 6to4 to get IPv4 for apps. This does not happen on WiFi though. I'm trying to figure out if the G3 defaults to IPv6 only and even WiFi IPv4 services might be secondary to IPv6, so any app on the phone that is IPv6 ready will bind to the IPv6 interface and not listen on IPv4 for incoming connections.
You could try disabling IPv6 globally to see if this solves your problem. Not sure how to do it though.
I have the international G3 (LG-D855). I don't think my mobile network is using IPv6 (not that advanced - the IPv6 for rmnet0 is a zeroconf address).
Also, the situation is only interesting on WiFi, and I don't have an IPv6 wifi - so all traffic coming in should be IPv4 by definition.
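Whether a listener bound to "::" accepts IPv4 clients at all depends on the socket's IPV6_V6ONLY option (on Linux the default comes from the sysctl net.ipv6.bindv6only): with it off, an IPv4 client arrives as an IPv4-mapped address such as ::ffff:192.0.2.1; with it on, the IPv4 port is simply not listening and the connection is refused. The script below is an added example, not code from this thread or from any of the apps named in it, and it does not say what the G3 or a particular server app does; it is the check to run on a host to see both behaviours side by side. It assumes only the Python standard library and a loopback interface.

```python
import socket


def ipv4_reachable_via_v6_listener(v6only):
    """Bind a TCP listener on "::" with IPV6_V6ONLY set as requested, then try
    to reach it over plain IPv4 (127.0.0.1).

    Returns True if the IPv4 connect succeeds (dual-stack listener), False if
    it is refused (IPv6-only listener), None if this host cannot create or
    bind IPv6 sockets at all."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        try:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
            srv.bind(("::", 0))          # port 0: let the kernel pick a free port
            srv.listen(1)
        except OSError:
            return None
        port = srv.getsockname()[1]
        try:
            cli = socket.create_connection(("127.0.0.1", port), timeout=2)
        except OSError:
            return False                 # nothing listens on the IPv4 side
        with cli:
            peer, peer_addr = srv.accept()
            with peer:
                # An IPv4 client on a dual-stack socket shows up as ::ffff:a.b.c.d
                return peer_addr[0].startswith("::ffff:")


def listener_modes():
    """Probe both settings; handy for comparing a host's bindv6only default."""
    return {
        "dual_stack (IPV6_V6ONLY=0)": ipv4_reachable_via_v6_listener(v6only=False),
        "v6_only (IPV6_V6ONLY=1)": ipv4_reachable_via_v6_listener(v6only=True),
    }


if __name__ == "__main__":
    for mode, reachable in listener_modes().items():
        print(f"{mode}: IPv4 client reachable = {reachable}")
```

If a service shows the "v6_only" behaviour on a phone, the fix is on the server side (bind to 0.0.0.0 as well, or clear IPV6_V6ONLY); no client-side change will make an IPv4 connection land on an IPv6-only socket.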

[Q] Hide Hotspot Traffic via VPN

I want to prevent my carrier from knowing that I am using CM11's native Hotspot or Tethering features. I know that they can look at the TTL of packets or analyze the traffic (Windows Update, Steam) to detect this. I have a subscription to a VPN service, Private Internet Access, which has an app on Android. If I enable the VPN mode of this app, will all the Hotspot traffic be routed through it, completely invisible to the carrier?
Searching showed me some conflicting answers on this, with some people saying to run it on the tethered device, and others saying to run it on the phone. I am thinking running VPN on phone, as the packets should appear to originate from the phone, rather than something 1 hop behind it.
kcattakcaz said: (quoting the post above)
To the best of my knowledge, they could easily know that you are connecting to the VPN tunnel as it utilizes certain ports. However, if it's correctly set up and utilizes a secure protocol, all your traffic will go through the VPN and your ISP won't be able to decipher your online activities or your connection type, or make sense of your internet traffic.
In other words, you may be using the VPN to connect to websites A, B, and C and send all sorts of interesting information to those websites; or send email; or whatever. Your ISP can see none of that. All they can see is encrypted data that they can't decrypt. So they know you're using a VPN, but they don't know what you're using it for.
Hope it could help.

Android 9 and tethering default gateway

Hi everyone,
I noticed that since Android Pie, the default gateway for tethering (which is the phone's IP) changes every time I enable the feature.
On Oreo it was always 192.168.43.1
In most cases this shouldn't be a problem, as the connected devices get the default gateway automatically.
But if for some reason you need to set up a device with static IP, you have to manually change the default gateway every time it connects to the phone (otherwise the device may not have access to the internet)
So, does anyone know a way to freeze this address ? (without root...)
Mellow971 said: (quoting the post above)
It's IP/MAC spoofing, on by default. Don't worry, it's more secure this way, won't affect performance.
boe323 said: (quoting the post above)
Thanks for your reply, I understand that it's more secure and I don't worry about performance.
But I would like to set one device with static IP and gateway, so that I can switch to another network without having to reconfigure.
So is there a way to disable this ? That is the question...
@Mellow971
Try what's suggested here:
https://android.stackexchange.com/q...nently-change-my-hotspot-tethering-ip-address
The latest Android developments, starting with 8 (Oreo), are rather sad and obstructive (lately you can't even find the DHCP-allocated IP address in the WiFi connection details section), apparently a result of younger developers showing off with stupid features, not really understanding how the underlying communication & protocols are really functioning.
What @boe323 was explaining is utterly false, because there is no way you could implement a proper ip/mac spoofing protection.
- if the WiFi network is open, it's really easy for a malevolent actor to identify the GW and MAC address and clone it, it only requires a DHCP bcast/query packet.
- in a protected WiFi network (WPA/WPA2), the malevolent actor has no way to perform an ip/mac spoofing if it doesn't successfully authenticate in the protected network.
- the actor can perform a MiM attack and spoof the protected WiFi network ESSID, but for that any DHCP ip/mac spoofing protection is again useless.
I'm also having an issue with this useless IP/MAC spoofing protection implemented in the latest Android, because I have a router configured to connect through a secondary WiFi card to my phone as an Internet fail-over scenario (in case my main Internet connection fails). I configured it with static addresses - both host and GW (192.168.43.1), and doing SNAT. I had to change it to DHCP and using MASQUERADING, just a dumb overcomplication caused by some young developers that have no clue what they're doing.
helloyello said: (quoting the post above)
Sadly I don't have root access
But I managed to live with that (and many other stupid features...)

I need to configure my eth0 in a minimal network without DNS or DHCP - how?

What does it take to configure an ethernet eth0 device on my S9 (Android 10)? Under what conditions does it recognize a network interface to be connected and worthy to configure permanently? Does it test for certain internet hosts? Does it test if DNS requests are being answered?
I have a USB ethernet adapter which is recognized by my S9. Now I want to give the ethernet interface a static IP address in order to be able to receive UDP packages from another ethernet device. These two devices are the only ones on the network. I will use it out in the wild where there is no full featured network or other infrastructure, and the devices would just communicate using their hard coded IP addresses.
However, the S9 refuses to accept my manual configuration and does not bring the interface up (after a brief (2s?) period of trying). In the past, with LineageOS and an S5, I was able to install a special file in the system partition preconfiguring the device. I didn't root the S9, so this option is not available.
What are the prerequisites for Android to accept the ethernet configuration and set the interface to UP? How can I fake those prerequisites to be able to configure my eth0 and receive packages on my IP address?
Update: switching the phone into airplane mode seemed to have made it "try harder" to bring eth0 up. However, it was not up continuously but went down for a second every now and then. I am still looking for a robust solution.
