iptables学习
droidwall.sh
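#!/system/bin/sh
# shellcheck disable=SC2086  # $GREP and $ECHO are deliberately multi-word ("busybox grep")
#
# droidwall.sh - install the DroidWall per-UID egress filter.
#
# Creates four user chains in the filter table (droidwall, droidwall-3g,
# droidwall-wifi, droidwall-reject), hooks `droidwall` into OUTPUT exactly
# once, then rejects outgoing traffic of the given Android app UIDs on both
# the mobile-data and the Wi-Fi interface groups.
#
# Usage:    droidwall.sh [UID ...]
#           With no arguments the historical default UID 10079 is blocked.
# Requires: root, an iptables binary and a grep (busybox or system).
# Exit:     0 success; 1 no usable iptables; 2-5 chain creation failed;
#           6 OUTPUT hook failed; 7-10 flush failed; 11 reject rule failed;
#           12 bad UID argument. Other rule failures propagate iptables'
#           own exit status.
#
# Written for Android's /system/bin/sh: POSIX constructs only, no bashisms.

IPTABLES=iptables
BUSYBOX=busybox
GREP=grep
ECHO=echo

# UID blocked when none is given on the command line.
DEFAULT_UID=10079
# Directory holding the binaries shipped with the app.
APP_BIN=/data/data/com.example.my_android_wall/app_bin

# probe BINARY: succeeds if "BINARY --help" can be executed.
probe() {
  "$1" --help >/dev/null 2>&1
}

# Succeeds if the current $ECHO/$GREP pair works end to end.
grep_works() {
  $ECHO 1 | $GREP -q 1 >/dev/null 2>&1
}

# --- locate busybox --------------------------------------------------------
# The bundled copy is preferred and is the only one that also overrides grep
# and echo; the PATH and the usual /system locations are fallbacks.
if probe "$APP_BIN/busybox_g1"; then
  BUSYBOX=$APP_BIN/busybox_g1
  GREP="$BUSYBOX grep"
  ECHO="$BUSYBOX echo"
elif probe busybox; then
  BUSYBOX=busybox
elif probe /system/xbin/busybox; then
  BUSYBOX=/system/xbin/busybox
elif probe /system/bin/busybox; then
  BUSYBOX=/system/bin/busybox
fi

# --- locate grep -----------------------------------------------------------
if ! grep_works; then
  if $ECHO 1 | $BUSYBOX grep -q 1 >/dev/null 2>&1; then
    GREP="$BUSYBOX grep"
  fi
  # grep is absolutely required (used below to keep the OUTPUT hook idempotent)
  if ! grep_works; then
    $ECHO "The grep command is required. DroidWall will not work."
    exit 1
  fi
fi

# --- locate iptables -------------------------------------------------------
# Prefer an iptables already on PATH; fall back to the bundled ARMv5 build.
# NOTE: the original used "&> /dev/null", a bash-only redirection. A POSIX
# shell parses it as "cmd &" followed by "> /dev/null", so the test always
# succeeded and the fallback branch was taken regardless of PATH.
if ! command -v iptables >/dev/null 2>&1; then
  if "$APP_BIN/iptables_armv5" --version >/dev/null 2>&1; then
    IPTABLES=$APP_BIN/iptables_armv5
  fi
fi
$IPTABLES --version || exit 1

# --- chains ----------------------------------------------------------------
# ensure_chain NAME EXIT_CODE: create NAME if "-L NAME" reports it missing.
# -n suppresses reverse DNS lookups, which can stall when the device has no
# working resolver at the moment the script runs.
ensure_chain() {
  $IPTABLES -n -L "$1" >/dev/null 2>&1 || $IPTABLES --new "$1" || exit "$2"
}
ensure_chain droidwall        2
ensure_chain droidwall-3g     3
ensure_chain droidwall-wifi   4
ensure_chain droidwall-reject 5

# Hook droidwall into OUTPUT exactly once; the grep keeps this idempotent.
$IPTABLES -n -L OUTPUT | $GREP -q droidwall || $IPTABLES -A OUTPUT -j droidwall || exit 6

# Flush so every run rebuilds the chains from scratch.
$IPTABLES -F droidwall        || exit 7
$IPTABLES -F droidwall-3g     || exit 8
$IPTABLES -F droidwall-wifi   || exit 9
$IPTABLES -F droidwall-reject || exit 10

# REJECT rather than DROP so the blocked app fails fast instead of timing
# out; logging of rejected packets is intentionally disabled.
$IPTABLES -A droidwall-reject -j REJECT || exit 11

# --- dispatch by egress interface ------------------------------------------
# route_iface PATTERN CHAIN: send traffic leaving PATTERN ("+" is the
# iptables interface wildcard) to CHAIN. On failure exit with iptables'
# own status, as the original did.
route_iface() {
  $IPTABLES -A droidwall -o "$1" -j "$2" || exit
}
for iface in rmnet+ pdp+ ppp+ uwbr+ wimax+ vsnet+ ccmni+ usb+; do
  route_iface "$iface" droidwall-3g
done
for iface in tiwlan+ wlan+ eth+ ra+; do
  route_iface "$iface" droidwall-wifi
done

# --- per-UID filtering rules -----------------------------------------------
# The owner match only sees packets generated locally by that UID in OUTPUT;
# traffic an app causes another UID to send (or forwarded/tethered traffic)
# is not covered by these rules.
[ $# -gt 0 ] || set -- "$DEFAULT_UID"
for uid in "$@"; do
  # --uid-owner accepts numeric ids, names (u0_a74) and ranges (1000-2000);
  # anything outside that character set is a caller error, not a rule.
  case $uid in
    ''|*[!A-Za-z0-9_.-]*)
      $ECHO "Invalid UID argument: $uid"
      exit 12
      ;;
  esac
  $IPTABLES -A droidwall-3g   -m owner --uid-owner "$uid" -j droidwall-reject || exit
  $IPTABLES -A droidwall-wifi -m owner --uid-owner "$uid" -j droidwall-reject || exit
done
exit 0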
# Manual demo of the same idea (-N creates a chain, -X deletes it once empty and unreferenced; -A appends a rule, -D deletes it):
iptables -N demo                                          # or: iptables -X demo
iptables -A demo -j REJECT -m owner --uid-owner u0_a74    # or: -D to remove the rule
iptables -A OUTPUT -j demo                                # or: -D to unhook the chain