Hello my friends!
*** You should have ROOT access ***
*** These steps do not contain details, so they are not for newbies ***
1- Install AFWall (https://github.com/ukanth/afwall)
2- Install dnscrypt-proxy for Android (https://github.com/adit/dnscrypt-proxy)
3- Install NTP & GPS Clock [ROOT] (https://play.google.com/store/apps/details?id=jp.xrea.poca.clocksync&hl=en&gl=US)
4- Run AfWall and:
write this custom script:
HTML:
iptables -t nat -A OUTPUT -p tcp ! -d 8.8.8.8 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 8.8.8.8 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p tcp ! -d 8.8.8.8 --dport 853 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 8.8.8.8 --dport 853 -j DNAT --to-destination 127.0.0.1:5354
and this shutdown script
HTML:
iptables -t nat -D OUTPUT -p tcp ! -d 8.8.8.8 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -D OUTPUT -p udp ! -d 8.8.8.8 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -D OUTPUT -p tcp ! -d 8.8.8.8 --dport 853 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -D OUTPUT -p udp ! -d 8.8.8.8 --dport 853 -j DNAT --to-destination 127.0.0.1:5354
5- Run AFWall, make sure all apps have access to the Internet, and start the Firewall.
6- Turn Off Automatic Date&Time from settings.
7- Run the "NTP & GPS Clock" app and sync the device Date&Time. (try ntp-server: 132.163.97.5 or 132.163.96.5 or 129.6.15.32)
HTML:
#dcp stop
#dcp disable
#dcp start
8- Done! All DNS requests are redirected to dnscrypt-proxy (Magisk-Module)
Note: You can play around more with AfWall and dnscrypt to gain much more security.
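An added check for the redirect set up in step 4 (example code written for this page, not part of the original post): it reports which of the four tcp/udp redirects on ports 53 and 853 are absent from the nat OUTPUT chain, for instance when the custom script was only partly applied. The sample listing is constructed and modelled on `iptables -S` output; the function name is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): check that all four DNS
# redirects from the custom script are present in the nat OUTPUT chain.
# On the device: missing_dns_redirects "$(iptables -t nat -S OUTPUT)"

# dnscrypt-proxy listener from the post, dots escaped for use in a regex.
LISTENER_RE='127\.0\.0\.1:5354'

# Print "proto/port" for every redirect that is absent from the rule
# listing passed as $1 (text in `iptables -S` format).
missing_dns_redirects() {
    for proto in tcp udp; do
        for port in 53 853; do
            printf '%s\n' "$1" | grep -Eq -- \
                "^-A OUTPUT .*-p $proto .*--dport $port -j DNAT --to-destination $LISTENER_RE\$" ||
                echo "$proto/$port"
        done
    done
}

# Constructed sample listing: the udp/853 rule was never applied.
SAMPLE='-P OUTPUT ACCEPT
-A OUTPUT ! -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-A OUTPUT ! -d 8.8.8.8/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-A OUTPUT ! -d 8.8.8.8/32 -p tcp -m tcp --dport 853 -j DNAT --to-destination 127.0.0.1:5354'

gaps=$(missing_dns_redirects "$SAMPLE")
if [ -n "$gaps" ]; then
    echo "DNS redirect rules missing for: $gaps"
else
    echo "All DNS redirect rules are in place"
fi
```

The rules in the post are added with `iptables` only, so they cover IPv4; DNS sent over IPv6 is not touched by this redirect.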
Hello all,
Upon porting sense 4 I needed to mount a certain partition via a command that needed the exact dev block, so I decided to find out using adb and post my results here for other devs to see:
Filesystem             Size     Used    Available  Use%  Mounted on
tmpfs                  209.0M   48.0K   209.0M     0%    /dev
/dev/block/mmcblk0p1   861.1M   739.5M  121.6M     86%   /sdcard  <-- May vary
/dev/block/mtdblock4   35.0M    1.3M    33.7M      4%    /cache
/dev/block/mmcblk0p2   1003.6M  330.8M  672.8M     33%   /sd-ext  <-- May vary
/dev/block/mtdblock3   269.4M   165.0M  104.4M     61%   /system
/dev/block/mtdblock5   150.0M   1.5M    148.5M     1%    /data
I hope somebody finds this helpful. I was going to post this in General, but since it is not a question and is directed at developers like myself (and this is where I would look for this info TBH) I posted it here.
Okay guys, have fun
Here is a list of commands you can use in recovery/installation scripts.
[ flash_lock mesg setserial
[[ flash_unlock mkdir setsid
adbd flashcp mkdosfs sh
adjtimex flock mke2fs sha1sum
arp fold mkfifo sha256sum
ash free mkfs.ext2 sha512sum
awk freeramdisk mkfs.vfat sleep
base64 fs mknod sort
basename fsync mkswap split
bbconfig ftpget mktemp stat
bbinstall.sh ftpput modinfo strings
blkid fuser modprobe stty
blockdev getopt more sum
brctl grep mount swapoff
bunzip2 groups mountpoint swapon
busybox gunzip mpstat sync
bzcat gzip mv sysctl
bzip2 halt nanddump tac
cal head nandwrite tail
cat hexdump nbd-client tar
catv htcbatt nc taskset
chattr htcdumlock netstat teamwin
chgrp id nice tee
chmod ifconfig nohup telnet
choice_fn insmod nslookup telnetd
chown install ntpd test
chroot iostat od tftp
clear ip offmode_charging tftpd
cmp kill parted time
comm killall patch timeout
cp killall5 pgrep top
cpio less pidof touch
crond libbmlutils.so pigz tr
crontab libc.so ping traceroute
cut libcutils.so pipe_progress true
date libdl.so pkill ttysize
dc libext2_blkid.so pmap tune2fs
dd libext2_com_err.so power_test ueventd
depmod libext2_e2p.so poweroff umount
detect_key libext2_profile.so printenv uname
devmem libext2_uuid.so printf uncompress
df libext2fs.so ps unexpand
diff libflashutils.so pstree uniq
dirname liblog.so pwd unix2dos
dmesg libm.so pwdx unlzma
dnsd libmmcutils.so rdev unlzop
dos2unix libstdc++.so readlink unpigz
du libstlport.so realpath unxz
dump_image libz.so reboot unzip
e2fsck linker recovery uptime
echo ln renice usleep
ed losetup reset uudecode
egrep ls resize uuencode
env lsattr rev vi
erase_image lsmod rm watch
expand lsof rmdir wc
expr lsusb rmmod wget
false lzcat route which
fbsplash lzma run-parts whoami
fdisk lzop rx xargs
fgrep lzopcat sdparted xz
find man sed xzcat
fix_permissions.sh md5check.sh seq yes
flash_image md5sum setconsole zcat
First, let me apologize if solutions to this problem have already been posted on this forum and elsewhere. I developed this solution completely independently, and I am sharing it here in hopes that it may prove useful to someone else.
This pair of scripts will allow you to share your phone's Internet connection with a computer via a USB cable. It definitely works when the computer is running Linux (assuming you have RNDIS support in your kernel), and it should work as well when the computer is running Windows. However, it will not work with Mac, as OS X does not have an RNDIS driver.
First, upload these two scripts to your /sdcard:
/sdcard/usb_tether_start.sh:
Code:
#!/system/bin/sh
# Refuse to run if the USB configuration already starts with "rndis".
prevconfig=$(getprop sys.usb.config)
if [ "${prevconfig}" != "${prevconfig#rndis}" ] ; then
    echo 'Is tethering already active?' >&2
    exit 1
fi
# Save the current USB configuration so the stop script can restore it.
echo "${prevconfig}" > /cache/usb_tether_prevconfig
setprop sys.usb.config 'rndis,adb'
until [ "$(getprop sys.usb.state)" = 'rndis,adb' ] ; do sleep 1 ; done
# Address the RNDIS interface and masquerade its traffic out of rmnet0.
ip rule add from all lookup main
ip addr flush dev rndis0
ip addr add 192.168.2.1/24 dev rndis0
ip link set rndis0 up
iptables -t nat -I POSTROUTING 1 -o rmnet0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# Serve DHCP and DNS to the tethered computer on rndis0 only.
dnsmasq --pid-file=/cache/usb_tether_dnsmasq.pid \
    --interface=rndis0 --bind-interfaces \
    --bogus-priv --filterwin2k --no-resolv --domain-needed \
    --server=8.8.8.8 --server=8.8.4.4 --cache-size=1000 \
    --dhcp-range=192.168.2.2,192.168.2.254,255.255.255.0,192.168.2.255 \
    --dhcp-lease-max=253 --dhcp-authoritative \
    --dhcp-leasefile=/cache/usb_tether_dnsmasq.leases < /dev/null
/sdcard/usb_tether_stop.sh:
Code:
#!/system/bin/sh
if [ ! -f /cache/usb_tether_prevconfig ] ; then
    echo '/cache/usb_tether_prevconfig not found. Is tethering really active?' >&2
    exit 1
fi
# Stop the dnsmasq instance started by the start script.
if [ -f /cache/usb_tether_dnsmasq.pid ] ; then
    kill "$(cat /cache/usb_tether_dnsmasq.pid)"
    rm /cache/usb_tether_dnsmasq.pid
fi
echo 0 > /proc/sys/net/ipv4/ip_forward
# Delete the MASQUERADE rule by its specification rather than by position,
# so an unrelated rule that has since reached position 1 is not removed.
iptables -t nat -D POSTROUTING -o rmnet0 -j MASQUERADE
ip link set rndis0 down
ip addr flush dev rndis0
ip rule del from all lookup main
# Restore the USB configuration saved by the start script.
setprop sys.usb.config "$(cat /cache/usb_tether_prevconfig)"
rm /cache/usb_tether_prevconfig
while [ "$(getprop sys.usb.state)" = 'rndis,adb' ] ; do sleep 1 ; done
To start USB tethering:
Code:
adb shell "su -c 'sh /sdcard/usb_tether_start.sh'"
Grant the superuser request on the phone if one appears.
If you're on Linux, you'll see a new network interface appear (probably called "usb0"). Bring the link up on that interface (ip link set usb0 up), run a DHCP client, and you're all set!
If you're on Windows, it will probably Just Work™.
To stop USB tethering:
Code:
adb shell "su -c 'sh /sdcard/usb_tether_stop.sh'"
Again, grant the superuser request on the phone if one appears.
That's it!
OMG !!!!
You rock ! This solution is the FIRST one which works on my international i9300 device (not a 'Sprint' version) with cm10.1.
I can't understand why ... but I'll keep your script on my ext SDCard.
I'll propose this script to French cm10.1 users.
Thank you!
OS X does not have an RNDIS driver? really?
...OS X does not have an RNDIS driver...
Please have a look at HoRNDIS: USB tethering driver for Mac OSX (it even supports modern/recent OSX versions!) @ hxxp://joshuawise.com/horndis (unable to embed inline URL link due to new user restriction)
whitslack said:
First, let me apologize if solutions to this problem have already been posted on this forum and elsewhere. I developed this solution completely independently, and I am sharing it here in hopes that it may prove useful to someone else.
This pair of scripts will allow you to share your phone's Internet connection with a computer via a USB cable. It definitely works when the computer is running Linux (assuming you have RNDIS support in your kernel), and it should work as well when the computer is running Windows. However, it will not work with Mac, as OS X does not have an RNDIS driver.
what is the difference between this and native tethering?
for rooted stock roms
http://forum.xda-developers.com/showthread.php?t=2224083
this is by far the easiest..
I saw this code and it mentions that it fixes 4G Wimax tethering but I'm not sure if it will work on the Epic 4G Touch 4.2.2 AOSP ROMs
iptables -A bw_FORWARD -i !lo+
iptables -A natctrl_FORWARD -j RETURN -i rmnet+ -o wlan0 -m state --state RELATED,ESTABLISHED
iptables -A natctrl_FORWARD -j DROP -i wlan0 -o rmnet+ -m state --state INVALID
iptables -A natctrl_FORWARD -j RETURN -i wlan0 -o rmnet+
iptables -A natctrl_FORWARD -j DROP
iptables -A natctrl_nat_POSTROUTING -t nat -o rmnet+ -j MASQUERADE
I saw the code here https://jira.cyanogenmod.org/browse/CYAN-544
Wondering if it's possible to make a flashable zip to fix our 4G Wimax Wifi Tethering Woes on 4.2.2 ROMs?
Hi, I have a SM-T211 (Tab3 7.0 3G) and I can't set any working firewall for 2G/3G. All these firewalls (Avast, Droidwall, Android Firewall) work perfectly with WLAN/Wifi but don't react on 3G/2G. All rules in iptables (and ip6tables) are inserted correctly, but they seem not to work....
Has anyone a working firewall set (for 3G) with this Tablet? Could anyone with this tablet test if he has the same behaviour? Many thanks!
Interesting. I had been using Droidwall and was under the impression it was working. But I just unchecked Dolphin, and it turns out it isn't working.
I am also interested in this one. I would love to block Google Services Framework from detecting my internet connection.
I haven't tested on wi-fi.
thref23 said:
Interesting. I had been using Droidwall and was under the impression it was working. But I just unchecked Dolphin, and it turns out it isn't working.
I am also interested in this one. I would love to block Google Services Framework from detecting my internet connection.
I haven't tested on wi-fi.
I found out that the interface name in the common scripts does not match. These apps insert lines in "iptables" and "ip6tables", but they insert lines with targets depending on the interface name. It seems our interface name (for 3G) is different, so no matching rule for 3G is found. The same with Wifi works correctly.
So we have to find out the interface name for 3G for iptables; after that our firewalls would be working...
OK, found it, the interface name is "ccinet0". This interface isn't used in the scripts from Android Firewall or Avast or others.
Two Options so far:
1. You have to modify their scripts and add (you should find the right position for inserting) the following lines (xxx stands for the name of your firewall):
iptables -A xxxwall -o ccinet+ -j xxxwall-3g
ip6tables -A xxxwall -o ccinet+ -j xxxwall-3g
2. You use a script like the following (at the moment manually, maybe automatically by a script system):
#!/system/bin/sh
# Avast Rules extended
iptables -N cvtwall
iptables -D OUTPUT -j cvtwall
iptables -A OUTPUT -j cvtwall
iptables -N avastwall-3g
ip6tables -N cvtwall
ip6tables -D OUTPUT -j cvtwall
ip6tables -A OUTPUT -j cvtwall
ip6tables -N avastwall-3g
iptables -A cvtwall -o ccinet+ -j avastwall-3g
ip6tables -A cvtwall -o ccinet+ -j avastwall-3g
You will have to modify the names in Bold to your specific firewall names...
You can also use it as an init.d script, if you have a kernel with init.d support...
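A way to find this kind of mismatch on other devices, added here as an example (not code from the posts above or from any of the firewall apps): it compares the `-o` interface patterns in a rule listing with the device's interface names and prints the interfaces no rule matches. The rules are constructed, and `fwall` is a hypothetical chain name standing in for the "xxxwall" chains.

```sh
#!/bin/sh
# Added example (not from the original posts): list network interfaces that
# no "-o <pattern>" rule matches, which is why the 3G rules never fired.
# On the device: uncovered_ifaces "$(iptables -S)" "$(ls /sys/class/net)"

# $1 = rule listing in `iptables -S` format, $2 = interface names.
# Prints each interface that is not matched by any "-o" pattern.
# In iptables a trailing "+" matches any name starting with that prefix.
uncovered_ifaces() {
    pats=$(printf '%s\n' "$1" | sed -n 's/.* -o \([^ ]*\).*/\1/p' | sort -u)
    for ifc in $2; do
        hit=no
        for p in $pats; do
            case $p in
                *+) case $ifc in "${p%+}"*) hit=yes ;; esac ;;
                *)  if [ "$p" = "$ifc" ]; then hit=yes; fi ;;
            esac
        done
        [ "$hit" = yes ] || echo "$ifc"
    done
}

# Constructed rules; "fwall" is a hypothetical chain name standing in for
# the "xxxwall" chains the firewall apps create.
RULES='-A OUTPUT -j fwall
-A fwall -o rmnet+ -j fwall-3g
-A fwall -o pdp+ -j fwall-3g
-A fwall -o wlan+ -j fwall-wifi'

echo "Before fix, uncovered: $(uncovered_ifaces "$RULES" 'wlan0 ccinet0')"
FIXED="$RULES
-A fwall -o ccinet+ -j fwall-3g"
echo "After fix, uncovered: $(uncovered_ifaces "$FIXED" 'wlan0 ccinet0')"
```

Loopback and other interfaces the firewall deliberately ignores are listed too; the ones to act on are those that carry Internet traffic.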
hello,
I have installed CM 12.1-20151109-NIGHTLY-nicki, enabled root but can't change ttl value. Is netfilter module missing in kernel?
[email protected]:/ # grep ^ro.cm.version /system/build.prop
ro.cm.version=12.1-20151109-NIGHTLY-nicki
error example:
[email protected]:/ # iptables -t mangle -I POSTROUTING -j TTL --ttl-set 65
iptables: No chain/target/match by that name.
how to add/install the module to the Android system to be able to modify TTL values?
[email protected]:/ # iptables -t mangle --list|grep -i ttl
1|[email protected]:/ #
It seems to be not available in the CM12.1
When I checked it on my Asus Zenfone 2 running on stock Android 5.0, the module is there and I can modify TTLs.
[email protected]:/ # iptables -t mangle --list|grep -i ttl
TTL all -- anywhere anywhere TTL set to 65
TTL all -- anywhere anywhere TTL set to 65
TTL all -- anywhere anywhere TTL set to 65