[5.0+][ROOT][3.6.0] AFWall+ IPTables Firewall [28 AUG 2023]

KonkavJS · Jul 17, 2019

I was googleing around, and found something. There is a string matching possibility in iptables. So I connected to my phone over ADB, and listed policy's with

Code:

iptables -L -n --line-numbers

. Found out, that there is an 'afwall-wifi-wan' chain with a bunch of 'owner UID match <number>' . So I added:

Code:

iptables -I afwall-wifi-wan 44 -m owner --uid-owner 1000 -m string --string "generate_204" --algo bm -j RETURN
iptables -I afwall-wifi-wan 45 -m owner --uid-owner 1000 -m string --string "generate204" --algo bm -j RETURN
iptables -I afwall-wifi-wan 46 -m owner --uid-owner 1000 -m string --string "clients3.google.com" --algo bm -j RETURN

This should made the UID 1000, specifically the System UI, to connect to the google server to get the HTTP Response 204 (I tried to make sure, that the connection would go through). The iptables added just fine, I could list it, but unfortunately, it didn't work. And I don't know why. I have no experience in Android development. If somebody more experienced stop by, could please shred some light on this?

And yes , I was surprised that I found out, that there is a tcpdump on (at least my) phone.

Somebody maybe some idea?

Iolaum · Jul 20, 2019

Hello,

I am considering using AFWall+. However I do not like rooting my devices. I prefer to use adb since on userdebug builds you can get root access through adb. That way I can grant special permissions to apps that need it. For example android.permission.READ_LOGS to MatLog Libre. Is it possible to use AFWall the same way? Meaning to install AFWall, and then use adb to give AFWall permissions a user will normally not be able to give through the UI, and then have AFWall function normally?

markd89 · Jul 20, 2019

Phone flaky on connecting LTE but works with AFWall+ disabled

Hi,

I donated a couple of months ago.. I just got a "new" phone - Oneplus 5, LineageOS 16 MicroG running on T-Mobile in the USA. I have VolTE and VoWifi enabled.
I'm using AFWall 3.1 and haven't reinstalled the unlock key yet.

Main issue/question: With AFWall+ running the data connection will eventually show no bars. If I turn off AFWall+ then I quickly get back to LTE or LTE+

The log doesn't seem to work reliably. i.e. Right now it's showing something blocked 8 hours ago. I do see "weird ****" under Linux Kernel (-11) with lots of blocked connections: sky300-1.mail.vip.gq1.yahoo.com , amazonaws and other things that don't resolve to names. Curiously, (-11) shows allowed for Wifi and Mobile Data even though things are getting blocked.

Any suggestions on any of this, but most importantly the LTE connection, please let me know.

Thanks!
Mark

NYLimited · Jul 20, 2019

markd89 said:
Main issue/question: With AFWall+ running the data connection will eventually show no bars. If I turn off AFWall+ then I quickly get back to LTE or LTE+

To be honest I'm not sure I could figure out how AFWall or IPtables would change the signal strength or the bars which are only an indication of signal strength. I realize this is not very helpful but it has me scratching my head.

voroxda · Jul 20, 2019

Hi,
may be someone is able to help me? Unfortunately I am a little bit lazy, and I not really want to learn the ip-tables based rule syntax.
Now to my little problem, Google maps is on my device a great battery drainer, so first of all I disabled not needed services and broadcast receiver, second I disabled (freeze) the whole app, but the lovely company Google enables the app automatically again. Now I use the last possibility: if maps not needed I deinstall it (only the settings remains), and if needed I installed again. All steps are fully automated by tasker and lasts less than 2 seconds. At least I have to grant internet access again to Google maps. Does a possibility exists to automate this (granting internet access to Google maps on wlan and mobile)?
May be a afwall rule or sending an intent to afwall and how is the syntax.
Any hint is very appreciated.

Best regards

Sent from my Galaxy S8+ using XDA Labs

markd89 · Jul 20, 2019

NYLimited said:
To be honest I'm not sure I could figure out how AFWall or IPtables would change the signal strength or the bars which are only an indication of signal strength. I realize this is not very helpful but it has me scratching my head.

The signal eventually drops to nothing. I'm thinking that there's a system process which is trying to connect somewhere to know that it has a good data connection.

Any ideas very welcome! Even with LOS it seems like there's plenty of unnecessary traffic that can be blocked.

Thanks again,
Mark

zarere · Jul 22, 2019

markd89 said:
The signal eventually drops to nothing. I'm thinking that there's a system process which is trying to connect somewhere to know that it has a good data connection.

Any ideas very welcome! Even with LOS it seems like there's plenty of unnecessary traffic that can be blocked.

Thanks again,
Mark

If you know German you can use
https://www.kuketz-blog.de/shelter-big-brother-apps-isolieren-take-back-control-teil7/
I"m posting the last (thread 7) since it has all links to the previous 6 threads.
If you don't know German use google translator. (It shows great results from German to English.)

mocarela · Jul 22, 2019

voroxda said:
Does a possibility exists to automate this (granting internet access to Google maps on wlan and mobile)?

Applies for rooted shell...
With cat /data/system/packages.list | grep com.application.name | awk 'BEGIN {FS=" "} {print $2}' you get the UUID of an application.
Then iptables -I afwall-wifi-wan 1 -m owner $UUID -j RETURN grants access on wifi.
You can limit the destination with additional parameters -d X.Y.W.Z before -j RETURN.
And use the script for your automation process also in AFWall+.

voroxda · Jul 23, 2019

mocarela said:
Applies for rooted shell...
With cat /data/system/packages.list | grep com.application.name | awk 'BEGIN {FS=" "} {print $2}' you get the UUID of an application.
Then iptables -I afwall-wifi-wan 1 -m owner $UUID -j RETURN grants access on wifi.
You can limit the destination with additional parameters -d X.Y.W.Z before -j RETURN.
And use the script for your automation process also in AFWall+.

Great thanks to mocarela :good:

That is for me the beginning to step into the iptables works. The statement to find out Uuid for Google maps works perfect. To grant internet access I have to adapt the chain itself and a little bit the syntax:

iptables -I afwall -m owner --uid-owner $UUID -j RETURN || exit

It works, but Afwall+ does not see the change?? Do I have to start an afwall applying/import command? But this is not important. Now I am able to grant temporarily access to internet for a special app, and that's want I wanted.
Again great thanks to mocarela.

Sent from my Galaxy S8+ using XDA Labs

mocarela · Jul 23, 2019

voroxda said:
It works, but Afwall+ does not see the change??

AFWall+ won't see any rules created with external tools, since it doesn't parse existing. It just applies its own.
Thus... use also custom scripts (applying the external script you actually use) with AFWall+, otherwise it will delete the one for Maps created by the external script on its first run afterwards.

mocarela · Jul 23, 2019

KonkavJS said:
Somebody maybe some idea?

One thing that is wrong in your command, but this is not the cause it does not work (because after all the first rule would suffice), is that dots are not used in network packets. For details google "iptables string dots". So, in your third command you should use -m string --hex-string "|08|clients3|06|google|03|com".

I think the problem here is that "internet check" in question does not work simply as that anymore. I was able to narrow down the rules to:

Code:

iptables -I afwall-wifi-wan -m owner --uid-owner 1000 -d 172.217.19.99 -p tcp --destination-port 80 -j RETURN
iptables -I afwall-wifi-wan -m owner --uid-owner 1000 -d 216.58.214.227 -p tcp --destination-port 80 -j RETURN

I said narrow down, because it might depend on the location and the moment of execution of the check. After a while "System" will check some other hosts or its hardcoded hostnames will change their IPs and it won't work anymore.

So, the only thing that constantly works for me is the following:

Code:

iptables -I afwall-wifi-wan -m owner --uid-owner 1000 -d 172.217.0.0/16 -p tcp --destination-port 80 -j RETURN
iptables -I afwall-wifi-wan -m owner --uid-owner 1000 -d 216.58.214.0/24 -p tcp --destination-port 80 -j RETURN

That's all I was able to do so far.

Not much, but better than nothing.

mocarela · Jul 23, 2019

Problem again... I just realized that rules are not applied at boot without manually applying them. I even don't have any script in the folder selected (in my case /data/adb/service.d).
So, what else do I need to enable on Xiaomi Mi 9 SE with MIUI 10.2.2 Global in order to get rules applied on boot? JFTR, I haven't disabled boot completed receiver or anything similar.

n0j0e · Jul 24, 2019

Can someone light me up why so many apps sorted as one app?

TiTiB · Jul 25, 2019

n0j0e said:
Can someone light me up why so many apps sorted as one app?

Yesh, check this out. Samsung Galaxy Tab S5e

Ultramanoid · Jul 25, 2019

TiTiB said:
Yesh, check this out. Samsung Galaxy Tab S5e 。。。

You don't have a Samsung, a Samsung has you.
　

TiTiB · Jul 25, 2019

Ultramanoid said:
You don't have a Samsung, a Samsung has you.

But I now have root, so F'em!

temporarium · Jul 25, 2019

n0j0e said:
Can someone light me up why so many apps sorted as one app?

Excellent point/question. Any chains expert?

zarere · Jul 25, 2019

temporarium said:
Excellent point/question. Any chains expert?

Maybe related to https://developer.android.com/guide/topics/manifest/manifest-element.html#uid

and https://developer.android.com/guide/components/fundamentals

It's possible to arrange for two apps to share the same Linux user ID, in which case they are able to access each other's files. To conserve system resources, apps with the same user ID can also arrange to run in the same Linux process and share the same VM. The apps must also be signed with the same certificate

Ultramanoid · Jul 25, 2019

TiTiB said:
But I now have root, so F'em!

I still find it truly mind boggling, and extremely worrisome. I can't be bothered to count that list / monstrosity, but for reference here are the 11 ( which I think are already too many ) under 1000 in my system.
　

TiTiB · Jul 25, 2019

Ultramanoid said:
I still find it truly mind boggling, and extremely worrisome. I can't be bothered to count that list / monstrosity, but for reference here are the 11 ( which I think are already too many ) under 1000 in my system.

I am an *extreme* debloater—I recently totally locked up my Tab S5e by messing with Samsung Payment/kgclient and had to go back to stock and start all over again—my nic stands for Tweak it Til it Breaks, after all. I am also, at heart, a minimalist, and strive to rid my devices of *everything* that is, imo, non-essential.

Privacy intruding apps/ops are my first targets and am willing to suffer crashes/lockups to see how much I can disable/delete/deactivate, et al. Four of my favorite tools are 3C Toolbox Pro, MyAndroidTools, App Ops by Xingchen & Rikk, and, of course, AFWall+.

[5.0+][ROOT][3.6.0] AFWall+ IPTables Firewall [28 AUG 2023]

New member

Member

Senior Member

Inactive Recognized Contributor

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Attachments

Senior Member

Attachments

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Top Liked Posts