
Poll: Do you feel this module increases security?
YES, it does! - 3 vote(s), 27.27%
NO, it's crap! - 2 vote(s), 18.18%
It NEEDS IMPROVEMENT - 3 vote(s), 27.27%
I'm not sure. - 3 vote(s), 27.27%

[MODULE] [PSA] - Firewall for MAGISK v1.0.2

Firewall Rules for MAGISK

About the Module:

This module is actually a simple script that executes a series of iptables commands on boot in order to block inbound connections not directly related to outbound ones. There is no app or command to execute in order for it to achieve its results, so there is no impact on system performance. Just flash the ZIP, reboot, and protection will be in place. Due to its nature, things that require direct connections to the device's IP will break... With that exception, most users should notice little to no interference in their daily use. All core networking functionality should remain intact, and if not I will modify accordingly. Advanced users may specify custom rules to allow incoming connections by editing the script included in the ZIP/install location. Eventually I will provide some examples to allow commonly used services.

Current Release v1.0.2

TLDR;

When rooting devices with Magisk or other solutions I have noticed services, and apps running services, getting exposed to connected networks and/or the internet. This can spell big trouble for your security and privacy. For instance, running an app such as Share GPS from the Play Store, which is typically safe on non-rooted phones, will make your unencrypted GPS coordinates available on any network via simple command line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6, you can be assured that you're receiving a globally accessible, non-NAT'd IP address. All it would take is one shady app masquerading as something you like, running a dynamic IP address updater script, and an attacker with little know-how to completely compromise your life. Trust me, I have done the research here & proved every bit of this to be completely possible without being a certified security researcher.

Let's be honest here, the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some risk. Running a device with absolutely no firewall because you rooted shouldn't be one of those risks. There are apps out there that can be used as firewalls, like AFWall+, but they don't typically act on lower level processes, just the apps. Instead we should implicitly deny all inbound traffic and only allow inbound traffic related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules; however, for most people that won't be needed for day to day activity.


Customizing Rules:

You may wish to customize rules to allow inbound connections to services or apps running on your device. Notice how each "custom" rule contains the "-I" option, which inserts at the top of the chain. In this way each new rule will end up on top of the previous one. Be careful in how you write rules, because they can completely override rules lower down in the chain. Best practice is to make the rule as specific as possible. In general, the shorter the rule, the more traffic will match it and be ACCEPTed or REJECTed. Hopefully the rules below can paint the picture. You should always test your rules first using a terminal emulator or ADB shell before saving them to be run on startup.

The main script for this module is located at:
Code:
/sbin/.core/img/com.geofferey.fw/post-fs-data.sh
Allow ALL IN from ANYWHERE: (DON'T DO IT!!!!)
Code:
iptables -I INPUT -j ACCEPT
Allow IN ADB on ALL WiFi:
Code:
iptables -I INPUT -i wlan0 -p tcp --dport 5555 -j ACCEPT
Allow IN ADB only on WiFi Network X:
Code:
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp --dport 5555 -j ACCEPT
(Assuming IP range 192.168.1.0-255)
Allow IN All WIFI on Network X:
Code:
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
(Assuming IP range 192.168.1.0-255)


Recent Changes:

v1.0 - Initial Release
v1.0.1 - Added rules to support hotspot func. US T-Mobile users get native IPv6 global addresses. Switched to post-fs-data. Drop packets after rules are in place. Drop tcp and udp to hotspot and clients.
v1.0.2 - Removed unnecessary rules not required for IPv6 hotspot tethering. Added anti-spoofing for loopback. Drop all invalid packets. Allow dhcpv6 & ping as it's essential.


Current Ruleset:

Code:
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv4 IPtables"
iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT
iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# a rule takes exactly one -j target; the limit match rate-limits ping
iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
# anti-spoofing: loopback source addresses arriving on a real interface
iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j REJECT

Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv6 IPtables"
ip6tables -I INPUT -d ff02::/64 -j ACCEPT
# DHCPv6 client replies arrive on the link-local address, UDP port 546
ip6tables -I INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -s ::1/128 ! -i lo -j REJECT
# under ip6tables "-p icmp" is protocol number 1 (IPv4 ICMP); the ipv6-icmp rule below is the effective one
ip6tables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
ip6tables -I INPUT -p ipv6-icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -j REJECT
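Because every `-I` rule lands on top of the previous one, the order the script applies rules in is not the order the kernel evaluates them in. The following is an added example, not the module's own code: a toy model of the INPUT chain that parses the module's IPv4 rules (the hotspot, DNS, DHCP, ICMP, conntrack and loopback rules above) plus any custom rule from the "Customizing Rules" section, builds the chain the way -I/-A would, and reports which rule a constructed packet hits first. It assumes the chain policy is ACCEPT (the module never sets one; the appended REJECT does that job) and ignores the `-m limit` counters.

```python
import ipaddress, shlex

# Added example, not the module's code: models only the iptables options this
# module uses (-i -s -d -p --dport --sport --ctstate -j, "!" negation, -m limit).
OPTS = {"-i": "in", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
        "--sport": "sport", "--ctstate": "state", "-j": "target"}

def build_chain(commands):
    chain = []
    for cmd in commands:
        argv = shlex.split(cmd)
        rule, i, neg = {}, 3, False                 # skip tool, -I/-A, chain name
        while i < len(argv):
            if argv[i] == "!":
                neg, i = True, i + 1                # "!" negates the next option
            elif argv[i] in OPTS:
                rule[OPTS[argv[i]]] = (neg, argv[i + 1]); neg, i = False, i + 2
            else:                                   # -m/--limit carry no packet field
                i += 2 if argv[i] in ("-m", "--limit", "--limit-burst") else 1
        chain.insert(0, rule) if argv[1] == "-I" else chain.append(rule)
    return chain

def _match(field, spec, pkt):
    neg, want = spec; have = pkt[field]
    if field in ("src", "dst"):
        hit = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    elif field in ("dport", "sport"):               # "67:68" is a port range
        lo, _, hi = want.partition(":"); hit = int(lo) <= have <= int(hi or lo)
    else:                                           # in, proto, or a ctstate list
        hit = have in want.split(",")
    return hit != neg

def verdict(chain, pkt):
    # (target, index) of the first matching rule; (ACCEPT, None) means policy
    for n, rule in enumerate(chain):
        if all(_match(f, s, pkt) for f, s in rule.items() if f != "target"):
            return rule["target"][1], n
    return "ACCEPT", None

# The module's IPv4 rules from the post, in the order post-fs-data.sh runs them.
MODULE = """
iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT
iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT
iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j REJECT
""".strip().splitlines()
```

A packet dict carries `in`, `src`, `dst`, `proto`, `sport`, `dport` and `state`; appending the "Allow IN ADB only on WiFi Network X" rule to MODULE puts it at index 0, while appending the "DON'T DO IT" rule shows why a bare `-I INPUT -j ACCEPT` shadows every rule below it.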


Resources:

Attached below is the module. Let me know how it works and if there are any improvements needed. Any suggestions or comments will be taken into consideration. I don't mind users voting that my module is crap (I made the poll) just have the decency to explain to others why.

18th May 2019, 12:56 AM |#2 PoochyX (Senior Member)
Quote:
Originally Posted by Geofferey

Firewall for MAGISK

When rooting devices with Magisk or other solutions I have noticed that any services, or apps running services, get exposed to connected networks and/or the internet. This can spell big trouble for your security and privacy. For instance, running an app such as Share GPS from the Play Store, which is typically safe on non-rooted phones, will make your unencrypted GPS coordinates available on any network via simple command line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6, you can be assured that you're receiving a globally accessible, non-NAT'd IP address. All it would take is one shady app masquerading as something you like, running a dynamic IP address updater script, and an attacker with little know-how to completely compromise your life. Trust me, I have done the research here & proved every bit of this to be completely possible without being a certified security researcher.

Let's be honest here, the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some risk. Running a device with absolutely no firewall because you rooted shouldn't be one of those risks. There are apps out there that can be used as firewalls, like AFWall+, but they don't typically act on lower level processes, just the apps. Instead we should implicitly deny all inbound traffic and only allow inbound traffic related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules; however, for most people that won't be needed for day to day activity.

Attached below is the module. Please let me know how it works and if there are any improvements I may provide. As users of highly connected devices I believe we should all take security a lil more seriously. Any suggestions or comments will be taken into consideration.

Is it like the AdGuard firewall?

18th May 2019, 02:10 AM |#3 Geofferey (OP, Senior Member, Long Beach, CA)
@PoochyX No, it runs at a lower level applying a simple set of 'iptables' rules on boot with no user intervention required. There is no user interface for the mod at the moment. I'm not sure how the app you specified operates. I honestly believe most users should have this installed and it shouldn't affect day to day use unless you are trying to connect directly to something running on phone which most users don't typically do.

In actuality the app you mention might not be needed if you just want to limit inbound. As for outbound connections my policy allows all, which an app like that would be good for limiting if you wish to do so.

Think of my mod as a base set of rules that should already be in place.

For experts .... Let me know if there's something I should add

Code:
iptables -A INPUT -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT

ip6tables -A INPUT -j DROP
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -s fe80::/10  -j ACCEPT
ip6tables -I INPUT -d ff02::/10 -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT

19th May 2019, 07:44 PM |#4 jaggillararla (Senior Member)
Does it change DNS?

19th May 2019, 07:58 PM |#5 PoochyX (Senior Member)
Quote:
Originally Posted by jaggillararla

Does it change DNS?

I haven't noticed any DNS changes in the way traffic is being routed


Quote:
Originally Posted by Geofferey

@PoochyX No, it runs at a lower level applying a simple set of 'iptables' rules on boot with no user intervention required. There is no user interface for the mod at the moment. I'm not sure how the app you specified operates. I honestly believe most users should have this installed and it shouldn't affect day to day use unless you are trying to connect directly to something running on phone which most users don't typically do.

In actuality the app you mention might not be needed if you just want to limit inbound. As for outbound connections my policy allows all, which an app like that would be good for limiting if you wish to do so.

Think of my mod as a base set of rules that should already be in place.

For experts .... Let me know if there's something I should add

Code:
iptables -A INPUT -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT

ip6tables -A INPUT -j DROP
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -s fe80::/10 -j ACCEPT
ip6tables -I INPUT -d ff02::/10 -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT

Let's say I want to deny a certain app or process internet access. Can this module do that, or is that considered an outbound connection...

20th May 2019, 08:42 AM |#6 Geofferey (OP, Senior Member, Long Beach, CA)
@PoochyX That would be a task more suited for an app like AFWall+. I think you could also use AFWall+ to allow inbound connections that this module doesn't, in case the need arises. You're correct, if you wanted to limit an app from accessing the internet then you would block its outgoing connections. This mod shouldn't be considered a replacement for apps like those.

Think of it like closing all the doors to your house so randoms can't walk in. Anyone can leave at anytime and relatives are welcome. I am not deadbolting the home so nothing can escape.

22nd May 2019, 01:29 PM |#7 73sydney (Senior Member, Sydney)
@Geofferey

Worth pointing out this breaks hotspot...
25th May 2019, 02:14 PM |#8 Syquel (Junior Member)
@Geofferey AfWall+ also uses iptables and it allows us to specify custom iptables scripts, which serve the same purpose as your Magisk Module, but can be changed dynamically at runtime.

// EDIT AfWall+ has a setting for dis-/enabling incoming connections in their "experimental" section.
I did not check if it works though.

1st June 2019, 08:25 AM |#9 Geofferey (OP, Senior Member, Long Beach, CA)
Quote:
Originally Posted by 73sydney

@Geofferey

Worth pointing out this breaks hotspot...

Gotcha bro. v1.0.2 should fix hotspot and allow global IPv6 assignment to US users of T-Mobile. Thanks for pointing it out. I would've got to it sooner but IPv6 is very new to me. I got NAT'd IPv4 hotspot working right away but IPv6 was also something I had to look into.

Let me know if you guys experience any other issues with day to day usage of your phone in regards to internet connectivity with this module in place. For other users on different carriers who desire v6 functionality for tethered clients I will need the name of your carrier, country, and v6 prefixes.

If anyone with background in networking or net security has anything to add please do. I've done my best to make sure these rules are solid but I'm not an expert, especially on IPv6.

23rd June 2019, 09:53 AM |#10 Senior Member
GoPro Live preview
Quote:
Originally Posted by Geofferey

Gotcha bro. v1.0.2 should fix hotspot and allow global IPv6 assignment to US users of T-Mobile. Thanks for pointing it out. I would've got to it sooner but IPv6 is very new to me. I got NAT'd IPv4 hotspot working right away but IPv6 was also something I had to look into.

Let me know if you guys experience any other issues with day to day usage of your phone in regards to internet connectivity with this module in place. For other users on different carriers who desire v6 functionality for tethered clients I will need the name of your carrier, country, and v6 prefixes.

If anyone with background in networking or net security has anything to add please do. I've done my best to make sure these rules are solid but I'm not an expert, especially on IPv6.

Version 1.0.2 fixed the WiFi hotspot issue. But I found another problem.
I'm using the GoPro app to control the cam. With your module the camera live preview does not work. Managing the camera settings works well; only live preview is broken.
Any idea how to fix this?

26th June 2019, 08:52 PM |#11 73sydney (Senior Member, Sydney)
@Geofferey

Sadly I have an issue when I tested the new build...

I use the terminal debloat module and load my launcher (Nova) via a module too...

When using your firewall module, these fail to load, and because I remove the stock launcher via debloat, this means your module makes my device unusable.

This is due to the fact you're using post-fs-data; it's blocking by nature and can, as described, have REALLY bad side effects.

You should be using service.d (non-blocking) to run your scripts. Later today I'll post you a modified module zip which uses service.d..... I've recently modded a script I have from post-fs-data to service.d, complete with uninstall script....

Tags: firewall, iptables, magisk, module, security