About the Module:
This module is a simple script that runs a series of iptables commands at boot to block inbound connections that are not related to a connection the device itself initiated. Nothing stays running to achieve this, so there is no impact on system performance: just flash the ZIP, reboot, and the protection is in place. By its nature, anything that requires a direct inbound connection to the device's IP address will break. With that exception, most users should notice little to no interference in their daily use. All core networking functionality should remain intact, and if not I will modify accordingly. Advanced users can allow specific incoming connections by editing the script included in the ZIP / at the install location. Eventually I will provide some examples that allow commonly used services.
Current Release v1.0.2
When rooting devices with Magisk or other solutions, I have noticed services, and apps running services, getting exposed to connected networks and/or the internet. This can spell big trouble for your security and privacy. For instance, running an app such as Share GPS from the Play Store, which is typically safe on non-rooted phones, will make your unencrypted GPS coordinates available on any network via simple command-line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6, you can be assured that you're receiving a globally accessible, non-NAT'd IP address. All it would take is one shady app masquerading as something you like, running a dynamic IP address updater script, and an attacker with a little know-how to completely compromise your life. Trust me, I have done the research here and proved every bit of this to be completely possible without being a certified security researcher.
Let's be honest here: the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some of the risk. Running a device with absolutely no firewall because you rooted it shouldn't be one of those risks. There are apps out there that can be used as firewalls, like AFWall+, but they typically don't act on lower-level processes, just the apps. Instead we should deny all inbound traffic by default and only allow inbound traffic related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules, however for most people that won't be needed for day-to-day activity.
You may wish to customize the rules to allow inbound connections to services or apps running on your device. Notice that each custom rule uses the -I option, which inserts the rule at the top of the INPUT chain, so each new rule ends up above the previous one and is evaluated first. Be careful how you write rules, because a broad rule at the top completely overrides the rules below it. Best practice is to make each rule as specific as possible: in general, the shorter the rule (the fewer match criteria it has), the more traffic it matches and is ACCEPTed or REJECTed. The rules below illustrate the difference. Always test your rules first from a terminal emulator or ADB shell before saving them to be run on startup.
The main script for this module is located at:
iptables -I INPUT -j ACCEPT (accepts all inbound traffic on every interface; this disables the firewall entirely, so never leave it in place)
iptables -I INPUT -i wlan0 -p tcp --dport 5555 -j ACCEPT (accepts TCP port 5555, the ADB-over-TCP port, on Wi-Fi from any source address, including every host on a public hotspot)
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp --dport 5555 -j ACCEPT (accepts TCP port 5555 on Wi-Fi only from the local subnet; assuming IP range 192.168.1.0-255)
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT (accepts every protocol and port on Wi-Fi from the local subnet; assuming IP range 192.168.1.0-255)
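As an added example (not code from the module or its author), the shell script below shows the workflow the text recommends: build a rule that is as specific as possible, try it temporarily from an ADB shell, and only then insert it permanently. The interface name wlan0, the subnet 192.168.1.0/24 and port 5555 are assumptions; the -C check needs iptables 1.4.11 or newer. IPT can be overridden (for example IPT="echo iptables") to print the commands instead of applying them.

```shell
#!/system/bin/sh
# Added example, not part of the Simple Firewall Rules module.
# IPT is overridable so the generated commands can be inspected without root.
IPT="${IPT:-iptables}"

# build_allow_rule IFACE SUBNET PROTO PORT
# Prints the rule specification (everything after -I/-A/-C/-D). It matches
# only NEW connections, on one interface, from one subnet, to one port, which
# is as narrow as the text asks for.
build_allow_rule() {
  printf 'INPUT -i %s -s %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT' \
    "$1" "$2" "$3" "$4"
}

# apply_allow_rule IFACE SUBNET PROTO PORT
# -C returns 0 when an identical rule already exists, so re-running the boot
# script (or this function) never stacks duplicate rules at the top of INPUT.
apply_allow_rule() {
  rule=$(build_allow_rule "$@")
  # word splitting of $rule into separate iptables arguments is intended
  if $IPT -C $rule 2>/dev/null; then
    return 0
  fi
  $IPT -I $rule
}

# try_allow_rule SECONDS IFACE SUBNET PROTO PORT
# The "test before you save" step: the rule is live for SECONDS, then removed
# again, so a mistake cannot survive into the startup script.
try_allow_rule() {
  secs=$1; shift
  rule=$(build_allow_rule "$@")
  $IPT -I $rule || return 1
  echo "rule live for ${secs}s, test the service now"
  sleep "$secs"
  $IPT -D $rule
}

# Usage on the device (assumed interface and subnet; adjust to your network):
#   try_allow_rule 60 wlan0 192.168.1.0/24 tcp 5555
#   apply_allow_rule wlan0 192.168.1.0/24 tcp 5555
```

After inserting, `iptables -L INPUT -n -v --line-numbers` shows where the rule landed (line 1) and, via the packet counters, whether it is actually matching the test traffic.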
• v1.0 - Initial release
• v1.0.1 - Added rules to support hotspot functionality (US T-Mobile users get native global IPv6 addresses). Switched to post-fs-data. Drop packets only after the rules are in place. Drop TCP and UDP to the hotspot and its clients.
• v1.0.2 - Removed unnecessary rules not required for IPv6 hotspot tethering. Added anti-spoofing for loopback. Drop all invalid packets. Allow DHCPv6 and ping, as they are essential.
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv4 IPtables"
# Log is the script's own logging helper (not shown on the page).
# Rules are inserted with -I, so the last one inserted is evaluated first; the two -A rules go at the end.
iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT   # hotspot clients on the tether subnet
iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT           # DNS from hotspot clients
iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT     # DHCP for hotspot clients
iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT   # rate-limited ping (as shipped this rule carried two -j ACCEPT flags, which iptables refuses: "multiple -j flags not allowed")
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT      # replies to connections the device opened
iptables -I INPUT -i lo -j ACCEPT                                           # loopback
iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT                          # loopback anti-spoofing
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP                    # drop packets conntrack cannot classify
iptables -A INPUT -j REJECT                                                 # default deny for everything else
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv6 IPtables"
ip6tables -I INPUT -d ff02::/64 -j ACCEPT                                   # link-local multicast (router advertisements, neighbour solicitations)
ip6tables -I INPUT -p udp --dport 546 -d fe80::/64 -m conntrack --ctstate NEW -j ACCEPT   # DHCPv6 replies to the client port
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -s ::1/128 ! -i lo -j REJECT                             # loopback anti-spoofing
ip6tables -I INPUT -p ipv6-icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT   # rate-limited ICMPv6; unicast neighbour discovery probes also pass through this rule, so a limit that is too low can hurt reachability on a busy link
# As shipped there was also an ip6tables "-p icmp" rule here with a duplicate -j; in ip6tables "icmp" is protocol 1, not ICMPv6, so it matched nothing and is dropped.
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -j REJECT
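Once the script has run, a quick way to confirm the INPUT chain really is default-deny. This is an added check, not part of the module: it reads the output of `iptables -S INPUT` (or `ip6tables -S INPUT`) on standard input and fails if the chain contains an ACCEPT with no match criteria at all (the "iptables -I INPUT -j ACCEPT" mistake from the custom-rule section) or if nothing at the end of the chain rejects or drops what the earlier rules did not accept. The chain listings used in the usage comments are constructed samples.

```shell
#!/system/bin/sh
# Added example, not part of the Simple Firewall Rules module.
# audit_input_chain < output-of-"iptables -S INPUT"
# Exit 0 if the chain is default-deny, 1 otherwise, with a one-line verdict.
audit_input_chain() {
  awk '
    /^-P INPUT / { policy = $3; next }
    /^-A INPUT / {
      rule = $0
      sub(/^-A INPUT /, "", rule)
      # a rule that is nothing but "-j ACCEPT" has no match criteria
      if (rule == "-j ACCEPT") unconditional_accept = 1
      last = rule
    }
    END {
      if (unconditional_accept) {
        print "FAIL: INPUT contains an unconditional -j ACCEPT"; exit 1
      }
      # either the chain policy denies, or the final rule is a catch-all REJECT/DROP
      if (policy == "DROP" || last ~ /^-j (REJECT|DROP)/) {
        print "OK: INPUT is default-deny"; exit 0
      }
      print "FAIL: INPUT ends without a catch-all REJECT/DROP (policy " policy ")"
      exit 1
    }'
}

# Usage on the device (needs root):
#   iptables -S INPUT | audit_input_chain
#   ip6tables -S INPUT | audit_input_chain
#
# Constructed sample of a correct chain, as iptables -S prints it:
#   -P INPUT ACCEPT
#   -A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
#   -A INPUT -i lo -j ACCEPT
#   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#   -A INPUT -m conntrack --ctstate INVALID -j DROP
#   -A INPUT -j REJECT --reject-with icmp-port-unreachable
```

Run it for both iptables and ip6tables: on a carrier that hands out a global IPv6 address, a correct IPv4 chain with an empty IPv6 chain still leaves every listening service reachable.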
Attached below is the module. Let me know how it works and if there are any improvements needed. Any suggestions or comments will be taken into consideration. I don't mind users voting that my module is crap (I made the poll); just have the decency to explain to others why.