[5.0+][ROOT][3.2.0-BETA] AFWall+ IPTables Firewall [03 JULY 2019]

1,424 posts
Thanks Meter: 4,764
 
By ukanth, Recognized Developer on 26th October 2012, 05:41 PM
23rd May 2019, 02:23 AM |#5391  
Senior Member
Thanks Meter: 25
Ping: ukanth AFWall+ Feature Request
On your github wiki, it states:
Quote:

The following iptables chains can be used to add custom rules:

afwall - This is the main AFWall+ chain. All OUTPUT packets will pass through it. It is therefore the perfect place if you want to add rules that apply to any interface.

afwall-3g - This chain will only receive OUTPUT packets for the cellular network interface (no matter if it is 2G, 3G, 4G, etc).

afwall-wifi - This chain will only receive OUTPUT packets for the WiFi interface.

afwall-reject - This chain should be used as a target when you want to reject and log a packet. When the logging is disabled, this is exactly the same as the built-in REJECT target.

Please note that all those chains are guaranteed to be cleared before the custom script is executed, so you don't need to worry about rules cleanup on your script IF you are using those chains.

So the only chains we've got available that are guaranteed to be cleared before a custom script is executed pertain to outbound traffic.

Can you set up similar guaranteed-cleared inbound and forward chains? For example, afwall-in and afwall-fw or similar?

Ideally, it'd be great if the user could specify in Preferences whether AFWall+ add automatically-cleared chains for input and forward (output is via the afwall chain already), so we can do custom blocking of exploits, leaks, etc, inbound and outbound.

I've tried setting up my own chains, and they work as long as I start with a completely flushed iptables, but it glitches upon switching profiles in AFWall+, even if I clear the added chains in the scripts. Sometimes it doesn't add the chains at all, thus the rules I want to add to those chains never get set.

Also, for the internal creation and clearing of afwall chain, can you add the --wait flag? During phone bootup, I'm getting "No chain/target/match by that name." and "command 'iptables -A afwall -o cc2mni+ -j afwall-3g' exited with status 4, retrying (attempt x/10)" errors.

{UPDATE}
Ah, I figured out the problem... the afwall chain isn't attached to IPv6! That's why I was getting "No chain/target/match by that name." when setting IPv6 rules for the afwall chain. So we have no custom script filtering abilities in IPv6 unless we use the built-in chains, and in that case, they won't be flushed when switching profiles (I've used e.g. iptables --wait -t INPUT -F in my scripts, but the rules from the previous script / profile still show up in 'Show Rules > Iptables rules', even after pressing 'Refresh', which is what necessitated my flushing all rules, then applying them again).

Can you fix that, please?
{/UPDATE}
The Following 2 Users Say Thank You to Lusty Rugnuts For This Useful Post.
 
 
23rd May 2019, 06:40 PM |#5392  
Junior Member
Thanks Meter: 7
Quote:
Originally Posted by Lusty Rugnuts

Not if you're using Google Maps, it won't. I use MapFactor Navigator, with OsmAnd map data. That way I can be offline completely and still use GPS, all I need is Location enabled for it to work.

It's strange if AFWall+ is affecting your GPS, it shouldn't... I've got GPS unchecked in all my AFWall+ profiles. Perhaps you've somehow blocked or disabled Fused Location in Settings > Apps?

Nope, Fused Location is one of the apks I haven't disabled. But there's a bunch of others, so I'll have to check each of them.
23rd May 2019, 11:59 PM |#5393  
Senior Member
Thanks Meter: 25
Ok, I had a chance to dig into my problem a bit more...

Running the command: ip6tables -L -v -n shows:
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15319 1119K afwall all * * ::/0 ::/0
16031 1142K oem_out all * * ::/0 ::/0
16031 1142K firewall all * * ::/0 ::/0
16031 1142K fw_OUTPUT all * * ::/0 ::/0
16031 1142K st_OUTPUT all * * ::/0 ::/0
16031 1142K bw_OUTPUT all * * ::/0 ::/0

So the afwall chain is connected to the OUTPUT chain... so I'm wondering why, when I set simple rules (via a .sh script) such as: $IP6 -A afwall -d 2404:6800:4000::/36 -j DROP, I'm getting "No chain/target/match by that name." for each IPv6 rule I enter? Especially so, since if I manually enter that rule via adb, there is no error.

Can I use the "firewall" chain, rather than the "afwall" chain? It's attached to both INPUT and OUTPUT chains. Is it automatically flushed upon a change of AFWall+ profile?

Here's something else strange:
In my script, I enter the rule:
$IP6 -A afwall -s 2a00:1450:4000::/36 -j REJECT
AFWall+ gives the "No chain/target/match by that name." error in the logs at the bottom of the 'Iptables rules' window.
But the rule does show up under the afwall chain.
Now, when I then issue via superuser adb shell:
ip6tables -D afwall -s 2a00:1450:4000::/36 -j REJECT
ip6tables -D afwall -s 2a00:1450:4000::/36 -j REJECT
I get the expected "ip6tables: Bad rule (does a matching rule exist in that chain?)." because I've deleted that rule.
But if I refresh the AFWall+ 'Iptables rules' window, that rule is still there.
So the AFWall+ Refresh command isn't working correctly.
24th May 2019, 02:00 AM |#5394  
Junior Member
Thanks Meter: 0
Sorry if this may be asked too much, but I just started using AFWall to block apps that I don't trust like Samsung apps and Swiftkey, but I also use Private Internet Access as my VPN, and it cancels out the AFWall firewall. Is there any way to configure it to work with PIA as my always-on VPN?
25th May 2019, 12:08 AM |#5395  
Senior Member
Thanks Meter: 25
Ok, I dove deep on the problem, and figured out that AFWall+ must not like the iptables for this system (Android Nougat 7.0.04.13, rooted with TWRP as bootloader and Magisk as root).

I uninstalled AFWall+ and started fresh.

Under:
AFWall+ Preferences > Experimental Features > Startup directory for script, I set it to /data/adb/service.d/
AFWall+ Preferences > Profiles > I enabled multiple profiles and 'Apply rules on profile switch'.
AFWall+ Preferences > Binaries > Iptables binary, I set it to 'Built-in iptables'.
AFWall+ Preferences > Binaries > BusyBox binary, I set it to 'Built-in BusyBox'.

At the top of my .sh scripts, I'd been using (taken from here):
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

I changed it to:
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=ip6tables
IP4=iptables

And I enabled:
[-12] (tethering) - DHCP+DNS services (dev.afwall.special.tether)
... and aside from Nebulo glitching and not passing DNS requests after an AFWall+ profile change (I have to stop Nebulo and start it for it to work... a bug report is in with the app's developer), everything seems to work!

Still need the auto-flush chain on at least the INPUT chain, though. Maybe the app's dev can hang an auto-flush chain off PREROUTING... blocking incoming packets further upstream means fewer CPU cycles consumed in blocking them, and that's important on a battery-operated device.
The Following User Says Thank You to Lusty Rugnuts For This Useful Post.
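The two posts above (the feature request about guaranteed-cleared chains and --wait, and the working configuration with the IP4/IP6 script header) describe one custom-script pattern; the script below is an added example of it and is not code from the thread, the AFWall+ wiki or the AFWall+ project. It appends only to the afwall* chains that the quoted wiki text says are cleared before each run, and every call goes through --wait with a short retry loop so a momentary xtables lock does not silently drop a rule. The helper names run_rule, apply_rules, rule_count, MAX_TRIES and DRY_RUN are mine; it assumes, as in the working configuration, that iptables and ip6tables resolve on PATH, and that the afwall chain exists in ip6tables as the ip6tables -L listing earlier in the thread shows. The prefixes are the ones already used in the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from AFWall+ or its wiki.
# Custom AFWall+ script: only the afwall* chains (cleared before each run
# according to the wiki) are touched, and every call uses --wait plus retries.
# Assumptions (mine): iptables/ip6tables are on PATH, and the afwall chain
# exists in ip6tables as the ip6tables -L output in the thread shows.

IP4=iptables
IP6=ip6tables

# DRY_RUN=1 prints each command instead of executing it.  It is switched on
# automatically when no iptables binary is found, so the script can be checked
# off-device without touching any ruleset.
DRY_RUN=${DRY_RUN:-0}
command -v "$IP4" >/dev/null 2>&1 || DRY_RUN=1

MAX_TRIES=5

# run_rule BINARY ARGS...: runs "BINARY --wait ARGS", retrying on failure.
run_rule() {
    _bin=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s --wait %s\n' "$_bin" "$*"
        return 0
    fi
    _try=1
    while [ "$_try" -le "$MAX_TRIES" ]; do
        "$_bin" --wait "$@" && return 0
        _try=$((_try + 1))
        sleep 1
    done
    echo "giving up after $MAX_TRIES tries: $_bin $*" >&2
    return 1
}

# apply_rules: the policy itself.  Because only afwall* chains are touched,
# nothing here has to be flushed by hand when AFWall+ switches profiles.
apply_rules() {
    # IPv4: refuse multicast (224.0.0.0/4) leaving via the cellular interface.
    # afwall-reject logs the packet when logging is on; otherwise it is plain REJECT.
    run_rule "$IP4" -A afwall-3g -d 224.0.0.0/4 -j afwall-reject
    # IPv6: the two prefixes from the poster's script, on the afwall chain
    # that hangs off OUTPUT in the ip6tables -L listing.
    run_rule "$IP6" -A afwall -d 2404:6800:4000::/36 -j DROP
    run_rule "$IP6" -A afwall -s 2a00:1450:4000::/36 -j REJECT
}

# rule_count: how many commands apply_rules issues (a cheap sanity check
# against the "Show Rules" view after a profile switch).
rule_count() {
    ( DRY_RUN=1; apply_rules ) | wc -l | tr -d ' '
}

apply_rules || echo "some rules were not applied" >&2
```

Two caveats the thread raises still apply: the wiki's cleanup guarantee covers only the afwall* chains, so nothing here helps with INPUT, and an iptables build that predates --wait will reject the flag, in which case the retry loop is the only protection against the "exited with status 4" races seen at boot.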
25th May 2019, 02:03 PM |#5396  
webleeper
Senior Member
Long Island, NY
Thanks Meter: 83
On Pixel 3 XL, when disconnecting from WiFi and switching to data, there is no connection available until I turn off afwall. Is anyone else seeing this issue, and does anyone have a workaround?
25th May 2019, 02:21 PM |#5397  
Oswald Boelcke
Forum Moderator / Recognized Translator
Preserving Air Supremacy over XDA!
Thanks Meter: 6,955
Quote:
Originally Posted by Lusty Rugnuts

...

Thanks very much for your excellent elaboration, which can certainly be very valuable for other members. However, I have to admit that it doesn't really apply to me. Additionally, I'm surprised: what led you to the assumption that I would or could use anything by Google? Ok, just to be honest, there's one exception: I have one Google application installed, which is the Google Play Store modified by Setalphia. Otherwise, no Google services or applications. But this is certainly not commonly known, and I cannot truly assume that my following threads have been read:
https://forum.xda-developers.com/and...3-lte-t3478287
https://forum.xda-developers.com/and...te-gt-t3553620
https://forum.xda-developers.com/ras...-pi-3-t3768983


The reason why I have DNS over netd disabled is explained at the end of this post. I do not intend to refrain from this configuration.


I've also tested quite a few keyboards, including Hacker's Keyboard, but never ever the Google keyboard, as it doesn't comply with my personal privacy policy; i.e., again I'm wondering why it had to be mentioned in connection with me. Hacker's Keyboard layout didn't suit my personal purposes and preferences at all; I'm well aware of the cons of my current keyboard, which are easy to defeat, including with the support of AFWall+ (just mentioning this in order to also make this paragraph on-topic for this thread).
25th May 2019, 02:22 PM |#5398  
Oswald Boelcke
Forum Moderator / Recognized Translator
Preserving Air Supremacy over XDA!
Thanks Meter: 6,955
Quote:
Originally Posted by webleeper

On Pixel 3 XL, when disconnecting from WiFi and switching to data, there is no connection available until I turn off afwall. Is anyone else seeing this issue, and does anyone have a workaround?

No connection on mobile data or no internet access?
25th May 2019, 03:03 PM |#5399  
webleeper
Senior Member
Long Island, NY
Thanks Meter: 83
Quote:
Originally Posted by Oswald Boelcke

No connection on mobile data or no internet access?

Both, until I disable Afwall; once I disable it, everything works.
27th May 2019, 07:32 AM |#5400  
Senior Member
Thanks Meter: 61
Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4
27th May 2019, 10:18 AM |#5401  
Member
Thanks Meter: 30
Quote:
Originally Posted by Estebanium

Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4

CIDR is short for Classless Inter-Domain Routing, an IP addressing scheme that replaces the older system based on classes A, B, and C. A single IP address can be used to designate many unique IP addresses with CIDR. A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.
https://www.ipaddressguide.com/cidr
The Following 2 Users Say Thank You to vip5912 For This Useful Post.
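The answer above explains the "/N" suffix in words; the script below is an added example (mine, not from the thread or the linked page) that computes what a prefix such as 224.0.0.0/4 actually covers, using only the shell's integer arithmetic so the mechanics are visible: N is the number of leading address bits that must match, the remaining 32 - N bits are free, and the prefix therefore spans 2^(32-N) addresses. The function names ip_to_int, int_to_ip, cidr_range and cidr_contains are mine; the inputs other than 224.0.0.0/4 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): IPv4 CIDR prefix arithmetic by hand.
# Function names are mine; sample inputs besides 224.0.0.0/4 are constructed.

# ip_to_int A.B.C.D -> the address as one 32-bit integer
ip_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N -> "first last count"
# first = network address (the host bits cleared), last = the host bits all set,
# count = 2^(32-N) addresses in the block.
cidr_range() {
    _addr=${1%/*}; _len=${1#*/}
    _ip=$(ip_to_int "$_addr")
    # N leading one-bits: shift an all-ones word left by the host-bit count
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    _net=$(( _ip & _mask ))
    _last=$(( _net | (~_mask & 4294967295) ))
    echo "$(int_to_ip "$_net") $(int_to_ip "$_last") $(( 1 << (32 - _len) ))"
}

# cidr_contains A.B.C.D/N X.Y.Z.W -> "yes" if the address lies in the block.
# This is the same test a firewall applies to each packet for a -s/-d match:
# mask both addresses with the prefix mask and compare.
cidr_contains() {
    _addr=${1%/*}; _len=${1#*/}
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    if [ $(( $(ip_to_int "$_addr") & _mask )) -eq $(( $(ip_to_int "$2") & _mask )) ]; then
        echo yes
    else
        echo no
    fi
}

cidr_range 224.0.0.0/4              # the multicast block from the question
cidr_contains 224.0.0.0/4 239.1.2.3 # inside the block
cidr_contains 224.0.0.0/4 240.0.0.1 # just past it
```

The same idea carries over to the IPv6 rules earlier in the thread, such as -d 2404:6800:4000::/36, only with a 128-bit address and 36 fixed leading bits; the script above handles IPv4 only, since shell arithmetic is limited to 64-bit integers.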