Creating the network lists directly on Android may be helpful for blocking networks on smartphones. A rooted device is necessary to handle Android's iptables firewall. The descriptions below make use of the two apps AFWall+ and Termux.
AFWall+ is an open source firewall application for Android which can be downloaded from F-Droid.
The network list generated by asn_ipfire.sh (afwall_rules.txt) can be included directly in AFWall+ as a custom script. However, several tests and user reports showed that there is an issue with AFWall+ which sometimes results in an error: AFWall+ seems to apply a time limit and aborts with a timeout if the custom script file is too large. Splitting the result file into several smaller pieces is one way to bypass this issue; it is described below in the chapter "Tipps & Tricks". Another, possibly better, solution is to add your custom rules to iptables shortly after AFWall+ has finished writing its own firewall entries. This procedure is described here:
1. Create a startup and a shutdown script for AFWall+
afwall_on.sh, containing:
/system/bin/sh /data/local/iptables_on.sh &
afwall_off.sh, containing:
/system/bin/sh /data/local/iptables_off.sh &
Note: The path /data/local/ is an example; other paths may work too. The ampersand (&) at the end of each command line is mandatory for this concept: it lets the custom scripts run in the background so that AFWall+ can continue.
2. Include them into AFWall+ settings ("Set custom script")
. /data/local/afwall_on.sh
. /data/local/afwall_off.sh
Note: Don't forget the source "dot" and the space at the beginning of the lines.
3. Define the startup and shutdown scripts for iptables
The scripts above point to iptables_on.sh and iptables_off.sh.
These files may now directly contain all your custom iptables rules, or they can, as shown here, link to further files such as common rulesets and the network list output from the ASN IPFire Script.
iptables_on.sh:
#!/system/bin/sh
# wait for AFWall+ to finish its rules
sleep 6
# path to scripts (the folder this script lives in)
thisfolder=$(dirname "$(readlink -f "$0")")
# source the common rules
. "$thisfolder/iptables_on_rules.sh"
# integrate asn_script rules: field 5 of each line is the network;
# tac reverses the list so that the -I inserts end up in file order
for network in $(tac "$thisfolder/afwall_rules.txt" | cut -d" " -f5); do
/system/bin/iptables -I OUTPUT -d "$network" -j REJECT
done
Description:
The sleep time of 6 seconds gives AFWall+ some time to finish its own ruleset. Increase or decrease the time according to your system.
If not all scripts are in the same folder as iptables_on.sh, you need to adjust the paths.
The custom iptables rule file iptables_on_rules.sh is sourced into the script (dot space), and finally afwall_rules.txt (created by the ASN IPFire Script) is read in and its networks are inserted at the beginning of the iptables OUTPUT chain. The command tac is used for cosmetic reasons: it reverses the network list while reading, so that the inserted rules end up in ascending order inside iptables.
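The loop in iptables_on.sh hands every fifth field of afwall_rules.txt to iptables unchecked; if the list was edited by hand or a download was cut short, iptables prints an error for that entry and the remaining rules are still inserted. The POSIX sh script below is an added example, not part of the ASN IPFire Script or AFWall+, that does the same job with a validation step: it keeps only entries that look like an IPv4 CIDR, reverses the order without relying on tac (busybox builds differ), and defaults IPT to a dry-run function so it can be tested on any machine without root. The afwall_rules.txt content embedded here is a constructed sample in the format produced by the outputline setting from asn_script.conf; on the phone you would run it with IPT=/system/bin/iptables against your real file.

```shell
#!/bin/sh
# Added example, not from the ASN IPFire Script or AFWall+: read the network
# field from an afwall_rules.txt, accept only IPv4 CIDR entries and insert one
# REJECT rule per network.  IPT defaults to a dry-run printer so the script
# runs without root; on the phone run it with IPT=/system/bin/iptables.
dry_run() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-dry_run}"

# Constructed sample in the format produced by the outputline setting of
# asn_script.conf; the third rule is deliberately malformed.
SAMPLE_RULES='# afwall_rules.txt (constructed sample)
/system/bin/iptables -A "afwall" -d 203.0.113.0/24 -j REJECT
/system/bin/iptables -A "afwall" -d 198.51.100.0/25 -j REJECT
/system/bin/iptables -A "afwall" -d not-a-network -j REJECT
/system/bin/iptables -A "afwall" -d 192.0.2.0/24 -j REJECT'

# is_ipv4_cidr NET: succeeds if NET is a.b.c.d/len with octets 0-255, len 0-32
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"
    len="${1#*/}"
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# networks_from_rules FILE: prints the 5th field of every non-comment line
# that is a valid IPv4 CIDR, in reverse file order (what tac does in
# iptables_on.sh), so successive "-I OUTPUT" inserts end up in file order
networks_from_rules() {
    grep -v '^#' "$1" | cut -d' ' -f5 | {
        reversed=""
        while IFS= read -r net; do
            if is_ipv4_cidr "$net"; then
                reversed="$net
$reversed"
            else
                echo "skipping invalid entry: '$net'" >&2
            fi
        done
        printf '%s' "$reversed"
    }
}

# apply_rejects FILE: one "-I OUTPUT -d NET -j REJECT" per validated network;
# the number of rules emitted is reported on stderr
apply_rejects() {
    count=0
    for net in $(networks_from_rules "$1"); do
        "$IPT" -I OUTPUT -d "$net" -j REJECT
        count=$((count + 1))
    done
    echo "$count reject rules emitted" >&2
}

# Dry run on the constructed sample
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$sample_file"
apply_rejects "$sample_file"
rm -f "$sample_file"
```

The dry run prints three iptables commands (the malformed entry is reported on stderr and skipped) in the order 192.0.2.0/24, 198.51.100.0/25, 203.0.113.0/24, which is exactly the ascending order the real inserts produce in the OUTPUT chain.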
iptables_off.sh:
#!/system/bin/sh
# wait for AFWall+ to finish removing its rules
sleep 6
# path to scripts (the folder this script lives in)
thisfolder=$(dirname "$(readlink -f "$0")")
# source the shutdown rules
. "$thisfolder/iptables_off_rules.sh"
This script waits 6 seconds until AFWall+ has removed all its rules. Adjust the sleep time according to your system if necessary. If the scripts are not in the same folder ($thisfolder), adjust your paths accordingly. The custom shutdown rules are finally sourced into the script.
4. Common iptables rules
The iptables script below is a simplified example. It is based on a custom script described by Mike Kuketz in "AFWall+: Wie ich persönlich die Android-Firewall nutze". Another custom script is available on the Kuketz blog: "AFWall+ unter Android Oreo: Custom-Script Vorlage".
The nested scripts have been tested on LineageOS 14.1, LineageOS 16, Oreo 8.0.0 and Pie 9.0 together with a 380-line afwall_rules.txt file.
iptables_on_rules.sh:
### iptables ###
IPT=/system/bin/iptables
IP6T=/system/bin/ip6tables
### Flush/Purge all rules ###
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F -t nat
#...
### Defaults ###
# Deny IPv4 connections
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Deny IPv6 connections
$IP6T -P INPUT DROP
$IP6T -P FORWARD DROP
$IP6T -P OUTPUT DROP
### Special Rules ###
# Allow loopback interface lo
$IPT -A INPUT -i lo -j ACCEPT
$IPT -I "afwall" -o lo -j ACCEPT
#...
### NAT Rules ###
# DNS server, NTP server, etc
#...
### Incoming Traffic ###
# Allow all traffic from an established connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#...
### Proper reject all packets ###
$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
### Outgoing Traffic ###
# http(s)
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
#...
### AFWall+ Rules ###
# Restore afwall output rule after flushing
$IPT -A OUTPUT -j afwall
Description:
Flushing the custom rules is recommended to prevent the custom rules from accumulating when "Apply" is executed in AFWall+ without disabling the firewall first. Because the flush also removes the jump to the afwall chain, the last line iptables -A OUTPUT -j afwall is necessary and must be placed at the end of the script.
Hint: To be less strict you might prefer to allow OUTPUT traffic by default with $IPT -P OUTPUT ACCEPT instead of $IPT -P OUTPUT DROP.
Tip: Because the iptables rules are now defined after AFWall+ has applied its own settings, AFWall+ no longer gives any feedback on whether the rules have been set correctly. Check it yourself via 'Show rules' inside AFWall+ or, better, via a terminal as superuser: 'iptables -S'.
iptables_off_rules.sh:
### iptables ###
IPT=/system/bin/iptables
IP6T=/system/bin/ip6tables
### Flush/Purge all rules ###
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F -t nat
#...
### Defaults ###
# Allow IPv4 connections
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Deny IPv6 connections
$IP6T -P INPUT DROP
$IP6T -P FORWARD DROP
$IP6T -P OUTPUT DROP
Tip: After disabling AFWall+, only the iptables policies should be left. Check it via 'Show rules' or 'iptables -S' again.
Termux is a terminal emulator for Android. It requires a rooted device and can be downloaded from F-Droid. Other terminal emulators may work as well but have not been tested. Running the script directly on Android eliminates the need to copy the network list from another computer to the smartphone. But the run time of the script may be quite long, depending on the CPU, the network bandwidth and the number of companies you want to block.
After installing Termux, make sure you have the latest upgrades:
pkg upgrade
Termux comes with busybox already installed, which provides most of the commands needed by the script (awk, sort). It also includes a version of wget, but this one lacks the --quiet parameter, which the script requires. Therefore install the standalone wget:
pkg install wget
If preferred you can also work with curl, but then you have to set the downloadtool switch in the config file. Download asn_ipfire.sh and asn_script.conf from notabug.org:
wget -O asn_ipfire.sh "https://notabug.org/maloe/ASN_IPFire_Script/raw/master/asn_ipfire.sh"
wget -O asn_script.conf "https://notabug.org/maloe/ASN_IPFire_Script/raw/master/asn_script.conf"
Make the script executable:
chmod 755 asn_ipfire.sh
and uncomment the following lines in the config file:
outputline="$afwall_path -A \"afwall\" -d %network% -j REJECT"
iprange_path="iprange/iprange_arm64"
Now run it with option --custom and your company list to create the desired network list for AFWall+:
./asn_ipfire.sh --afwall "COMPANYs"
The result list is saved as asn_result.lst. Copy it to your AFWall+ custom script folder:
su
cp asn_result.lst /data/local/afwall_rules.txt
exit
and use it as described in the chapter above.
To check the correct integration and function of the rules, type as root:
su
iptables -S
ip6tables -S
exit
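The 'iptables -S' checks recommended above, both after AFWall+ has applied the rules and after it has been disabled, are manual. The POSIX sh script below is an added example, not part of AFWall+ or the ASN IPFire Script, that reads an 'iptables -S' dump from stdin and verifies the three things iptables_on.sh and iptables_on_rules.sh are meant to produce: the OUTPUT policy is DROP, the jump to the afwall chain is the last OUTPUT rule, and the number of '-d ... -j REJECT' rules in OUTPUT equals the number of networks in afwall_rules.txt. A second helper counts the remaining rules, which should be zero after iptables_off.sh. The dump embedded here is a constructed sample assembled from the example rules on this page; on the phone you would pipe the real output in, for instance su -c 'iptables -S' | check_firewall 380 after sourcing the script (the 380 stands for the line count of your own afwall_rules.txt).

```shell
#!/bin/sh
# Added example, not from AFWall+ or the ASN IPFire Script: sanity checks on
# an "iptables -S" dump read from stdin.  Run without root against the
# constructed sample below, or pipe the real dump in on the phone.

# Constructed sample of "iptables -S" after iptables_on.sh ran with a
# three-line afwall_rules.txt (documentation networks only)
SAMPLE_IPTABLES_S='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N afwall
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 192.0.2.0/24 -j REJECT
-A OUTPUT -d 198.51.100.0/25 -j REJECT
-A OUTPUT -d 203.0.113.0/24 -j REJECT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j afwall
-A afwall -o lo -j ACCEPT'

# policy_of CHAIN: prints the policy of CHAIN from the dump on stdin
policy_of() {
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3 }'
}

# reject_networks: prints the -d target of every "OUTPUT -d NET -j REJECT"
# rule on stdin (the rules iptables_on.sh inserts)
reject_networks() {
    awk '$1 == "-A" && $2 == "OUTPUT" && $3 == "-d" && $NF == "REJECT" { print $4 }'
}

# rules_left: prints the number of -A lines on stdin; after iptables_off.sh
# only the -P policy lines should remain, so this should print 0
rules_left() {
    awk '$1 == "-A" { n++ } END { print n + 0 }'
}

# check_firewall EXPECTED: reads an "iptables -S" dump from stdin, reports
# every deviation from the state iptables_on.sh is meant to leave behind and
# returns the number of problems found (0 = all good)
check_firewall() {
    expected="$1"
    dump=$(cat)
    problems=0
    policy=$(printf '%s\n' "$dump" | policy_of OUTPUT)
    if [ "$policy" != "DROP" ]; then
        echo "OUTPUT policy is '$policy', expected DROP" >&2
        problems=$((problems + 1))
    fi
    last=$(printf '%s\n' "$dump" | awk '$1 == "-A" && $2 == "OUTPUT" { l = $0 } END { print l }')
    if [ "$last" != "-A OUTPUT -j afwall" ]; then
        echo "last OUTPUT rule is '$last', expected '-A OUTPUT -j afwall'" >&2
        problems=$((problems + 1))
    fi
    found=$(printf '%s\n' "$dump" | reject_networks | awk 'END { print NR }')
    if [ "$found" -ne "$expected" ]; then
        echo "$found reject rules in OUTPUT, expected $expected" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Self-check against the constructed sample (afwall_rules.txt had 3 networks)
printf '%s\n' "$SAMPLE_IPTABLES_S" | check_firewall 3 && echo "firewall state OK"
```

Each failed check is reported on stderr, so a mismatch such as the less strict $IPT -P OUTPUT ACCEPT policy or a truncated afwall_rules.txt shows up immediately instead of being noticed only when a supposedly blocked network is still reachable.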
Note: Using the external tool iprange can speed up the network consolidation significantly. It is therefore recommended to download iprange_arm64 as well and use the option --iprange.