Free-IP filtering for the education network on an Android phone with iptables

References

1. Problems with using iptables as a gateway and for IP filtering

2. A complete solution for IP filtering with IPTABLES on Fedora 5

3. CM7 iptables patch, tested working with DroidWall


The phone connects over Wi-Fi to a wireless router to get online. The router has no IP filtering of its own, so I used iptables on the phone to build an IP filter.

First, the phone must be rooted and able to run busybox.

Because the iptables binary shipped on most Android phones is stripped down, if the script fails with an error such as `getsockopt for multiport failed strangely: No such file or directory`, download kang.project-voodoo.org/f/iptables-cm7-kang.zip and add or replace the binary under /system/bin.

Building on code from hexing and tingxx, I rewrote the program as follows.


nat.sh:

#!/bin/sh
#PATH=$PATH:/usr/sbin:/sbin

#### configure begin ##############################################################################

# myip is the outside IP (the phone's own address on the Wi-Fi network)
myip="192.168.1.188"
# intra is the inside network; only a private range such as 192.168.0.0/24
# or 172.16.0.0/16 can be used here
intra="192.168.1.0/24"
# ethout is the interface that connects to the outside network
ethout="tiwlan0"
# htmladdr is the web page that lists the free IP ranges
htmladdr="http://hitsun.hit.edu.cn/freeip2011.12.htm"
#### configure end ################################################################################

# download the free-IP html file from the web; timeout 20 seconds, 2 retries
wget -O freeip.htm $htmladdr -T 20 -t 2
# test whether the download succeeded; on failure, write to the log file and exit
if [ $? -ne 0 ]; then
    echo "`date`: download of $htmladdr failed" >> nat.log
    exit 1
fi

# get the free-IP table: pull every dotted-quad address out of the page, then
# let awkfile.sh pair each network address with its netmask
fip=`busybox grep -o '[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}' freeip.htm | busybox awk -f ./awkfile.sh`
# an empty list would leave only the DROP policies below in place, so stop here
if [ -z "$fip" ]; then
    echo "`date`: no free IP ranges found in freeip.htm" >> nat.log
    exit 1
fi

echo "got free IP list successfully!"
################# get freeip end ##########################################################################

echo "set iptables rules..."
# flush the existing rules and default every chain to DROP, so only the
# ACCEPT rules added below let traffic through
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow traffic to and from each free IP range
for x in $fip
    do
        iptables -A INPUT -i $ethout -s $x -j ACCEPT
        iptables -A OUTPUT -o $ethout -s $myip -d $x -j ACCEPT
        iptables -A FORWARD -i $ethout -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i $ethout -s $intra -d $x -j ACCEPT
    done
# iptables -A FORWARD -j DROP

# always allow the local network itself
iptables -A INPUT -i $ethout -s $intra -j ACCEPT
iptables -A OUTPUT -o $ethout -d $intra -j ACCEPT


awkfile.sh:

# the grep output arrives three addresses per range: line 1 is the network,
# line 3 the netmask; line 2 is skipped. Each range is printed as network/netmask.
{
    if (NR % 3 == 1)
        network = $0
    else if (NR % 3 == 0) {
        netmask = $0
        OFS = "/"
        print network, netmask
    }
}
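To see what nat.sh and awkfile.sh will do before flushing the live rule set on a phone, here is an added example (not part of the original post, and not code from hexing or tingxx). It runs the same grep/awk extraction over a constructed sample of the free-IP page and prints the iptables commands nat.sh would issue instead of executing them; it refuses to generate anything when the parsed list is empty, since a flush followed by DROP policies with no ACCEPT rules would cut the phone off. The interface, outside IP and inside network are the values from nat.sh; the two ranges in the sample are constructed TEST-NET addresses, not real education-network ranges.

```shell
#!/bin/sh
# Added example: dry run of the free-IP extraction and rule generation.
# Assumes a busybox-compatible grep (-o) and awk, exactly as nat.sh does.

# Constructed sample of the free-IP page, in the layout awkfile.sh expects:
# three addresses per range, in the order network, second address, netmask.
# The ranges are TEST-NET addresses, not real education-network ranges.
SAMPLE_HTML='<html><body><table>
<tr><td>192.0.2.0</td><td>192.0.2.255</td><td>255.255.255.0</td></tr>
<tr><td>198.51.100.0</td><td>198.51.101.255</td><td>255.255.254.0</td></tr>
</table></body></html>'

# extract_free_ips: the grep/awk pipeline from nat.sh and awkfile.sh, reading
# the HTML from stdin and printing one "network/netmask" per line.
extract_free_ips() {
    grep -o '[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}' |
    awk '{
        if (NR % 3 == 1)
            network = $0
        else if (NR % 3 == 0) {
            netmask = $0
            OFS = "/"
            print network, netmask
        }
    }'
}

# render_rules: print, instead of executing, the iptables commands nat.sh adds
# for every range read from stdin, so the rule set can be reviewed first.
render_rules() {
    ethout=$1
    myip=$2
    intra=$3
    while read -r x; do
        echo "iptables -A INPUT -i $ethout -s $x -j ACCEPT"
        echo "iptables -A OUTPUT -o $ethout -s $myip -d $x -j ACCEPT"
        echo "iptables -A FORWARD -i $ethout -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -i $ethout -s $intra -d $x -j ACCEPT"
    done
}

# count_ranges: number of ranges parsed from the HTML on stdin.
count_ranges() {
    extract_free_ips | wc -l | tr -d ' '
}

# dry_run: emit the full rule set for the sample page, or fail without
# printing any rule if no range was parsed.
dry_run() {
    n=$(printf '%s\n' "$SAMPLE_HTML" | count_ranges)
    if [ "$n" -eq 0 ]; then
        echo "no free IP ranges parsed; not generating rules" >&2
        return 1
    fi
    printf '%s\n' "$SAMPLE_HTML" | extract_free_ips |
        render_rules tiwlan0 192.168.1.188 192.168.1.0/24
}

dry_run
```

Run it with `sh` on the phone or on a PC; the eight printed lines are the rules nat.sh would add for the two sample ranges. Pointing `SAMPLE_HTML` at the real downloaded freeip.htm (for example with `SAMPLE_HTML=$(cat freeip.htm)`) gives the same review for the live list.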


In a terminal emulator, cd to the folder containing the files and enter busybox chmod +x nat.sh

Then enter sh nat.sh to start the IP filter. Enjoy it!

iptables-cm7-kang.zip

posted on 2012-02-21 20:27 by lartely, 3406 views, 0 comments
