Share a VPN over tethering on Android 4.4+
#!/system/bin/sh
# Wrapper that sits in front of the OEM iptables binary: it scans the
# arguments it was called with, remembers the table / chain / input
# interface / target / mark it sees, reacts to a few specific rule
# installs, and then hands the unchanged call through to the real binary.
# log -t IPTABLES -- $@
# iptables -w -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x3006a
# Real binary plus applet name.  It is expanded unquoted on purpose so the
# two words reach the kernel as two separate argv entries.
IPTABLES="/system/bin/iptables.oem iptables"
# Parser state: does the previous option still want a value, and which
# option was it.
need_arg=0
last_cmd=""
# Values captured from the command line; empty when the option was absent.
TABLE=""
CHAIN=""
TARGET=""
IIF=""
SETMARK=""
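# Scan the original iptables arguments.  Options that carry a value are
# remembered in last_cmd and the value is picked up on the next iteration.
# Anything the parser does not understand is handed straight to the real
# binary: exec replaces this shell, so nothing after it runs.
# "$@" keeps every argument exactly as received; the unquoted $* used before
# re-split arguments containing whitespace or glob characters and could
# therefore forward a different argv than the caller supplied.
for arg in "$@"; do
  prev_arg=$need_arg
  need_arg=0
  if [ "$prev_arg" -eq 0 ]; then
    case "$arg" in
      -w)
        # lock-wait flag takes no value; nothing to record
        ;;
      -D | -A | -t | -i | -j | --set-mark)
        last_cmd=$arg
        need_arg=1
        ;;
      *)
        # log -t IPTABLES failure command $last_cmd $arg;
        exec $IPTABLES "$@"
        # only reached if exec itself fails; 255 is the value the previous
        # non-portable `exit -1` wrapped to
        exit 255
        ;;
    esac
  else
    case "$last_cmd" in
      -A | -D)
        CHAIN=$arg
        ;;
      -t)
        TABLE=$arg
        ;;
      -i)
        IIF=$arg
        ;;
      -j)
        TARGET=$arg
        ;;
      --set-mark)
        SETMARK=$arg
        ;;
      *)
        # defensive: last_cmd is always one of the options above when
        # need_arg was set, so this arm should not be reachable
        log -t IPTABLES failure command "$last_cmd" "$arg"
        exec $IPTABLES "$@"
        exit 255
        ;;
    esac
  fi
done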
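#######################################
# Make sure the OEM input chain is hooked into INPUT, then dump the
# firewall chains to logcat for debugging.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   nothing on stdout; chain listings go to logcat via `log`
# Returns:   status of the last `log` pipeline
#######################################
oem_dozable_prepare() {
  # -q keeps grep's matching line off stdout: this script stands in for
  # iptables, so anything it prints is seen by the caller as iptables output.
  if $IPTABLES -w -n -L oem_in | grep -q "0 references"; then
    log -t IPTABLES "dozable_prepare is inject INPUT/OUTPUT rule"
    $IPTABLES -w -I INPUT -j oem_in
  fi
  # Same listing for every chain, in the original order.  No `local` here:
  # /system/bin/sh is not guaranteed to support it, so the loop variable is
  # a global with an unlikely name.
  for _oem_chain in fw_standby fw_dozable fw_OUTPUT fw_INPUT bw_OUTPUT bw_INPUT OUTPUT INPUT; do
    $IPTABLES -nxv -L "$_oem_chain" | sed "s/\r/\0/" | xargs -0 -n 1 log -t IPTABLES --
  done
}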
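# Decide which side effects to run from what the parser recorded, then hand
# the unchanged call to the real binary.  [ ... ] && [ ... ] replaces the
# deprecated -a and the non-POSIX == inside test; quoting the variables
# removes the need for the X prefix guard.
#
# When the system links fw_INPUT / fw_OUTPUT (filter table) to fw_dozable,
# make sure our own input chain is in place first.
if [ "$TABLE" = "filter" ] && [ "$TARGET" = "fw_dozable" ]; then
  case "$CHAIN" in
    fw_OUTPUT | fw_INPUT)
      oem_dozable_prepare
      ;;
  esac
fi
# When the VPN's own INPUT mark rule is installed (mangle table, tun0),
# rebuild VPNTAG with a mark derived from the value the system chose.
if [ "$IIF" = "tun0" ] && [ "$TABLE" = "mangle" ] \
    && [ "$CHAIN" = "INPUT" ] && [ "$TARGET" = "MARK" ]; then
  # ${SETMARK:-0} keeps the arithmetic well-formed when no --set-mark was
  # seen; the sum is the same as the previous $(($SETMARK+0x90000)).
  vpn_mark=$((${SETMARK:-0} + 0x90000))
  $IPTABLES -t mangle -F VPNTAG
  $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark "$vpn_mark"
  echo $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark "$vpn_mark" | xargs log -t IPTABLES --
  # NOTE(review): these two rules are added on every matching call and
  # `ip rule add` does not deduplicate, so repeated calls may leave
  # duplicate entries at pref 11100 — confirm whether that is intended.
  ip rule add fwmark 0x0/0xf0000 uidrange 0-0 iif lo lookup 97 pref 11100
  ip rule add fwmark 0x0/0xf0000 uidrange 9999-9999 iif lo lookup 97 pref 11100
fi
# log -t IPTABLES -- $@
# "$@" forwards every argument exactly as received (unquoted $@ re-split
# them); $IPTABLES is the same binary the literal path named before.
exec $IPTABLES "$@"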
#!/system/bin/sh
# One-shot setup of the OEM iptables / mangle chains used to share a VPN
# with tethered clients.  Nothing here checks exit codes, so a failing
# command is logged by iptables itself and the script carries on.
PATH=$PATH:/system/bin
# Real binary plus applet name, expanded unquoted on purpose so both words
# are passed as separate arguments.
IPTABLES="/system/bin/iptables.oem iptables"
LOGTAG=IPTABLES
#$IPTABLES -A oem_nat_pre -i tun0
#$IPTABLES -A POSTROUTING -t nat -o rmnet+ -j MASQUERADE
# Android release string; matched against the N.*.* patterns further down
# to pick the mark scheme.
RELEASE=$(getprop ro.build.version.release)
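#$IPTABLES -L -t mangle | sed "s/\r/\0/" |xargs -0 -n 1 log -t $LOGTAG
#$IPTABLES -A oem_out -j ACCEPT
# Allow forwarding and a minimal set of outbound services (udp/138,
# udp/53, icmp).  -w waits for the xtables lock instead of failing when
# another iptables process holds it; it was used on only some of these
# lines before, so the unguarded ones could fail with a lock error if
# iptables was busy at the time.
$IPTABLES -w -A oem_fwd -j ACCEPT
$IPTABLES -w -A oem_out -p udp --dport 138 -j ACCEPT
$IPTABLES -w -A oem_out -p udp --dport 53 -j ACCEPT
$IPTABLES -w -A oem_out -p icmp -j ACCEPT
# Only populate oem_in when we created it: -N fails if the chain already
# exists, which keeps re-runs from appending duplicate rules.
if $IPTABLES -w -N oem_in ; then
  $IPTABLES -w -A oem_in -p udp --sport 138 -j ACCEPT
  $IPTABLES -w -A oem_in -p udp --sport 53 -j ACCEPT
  $IPTABLES -w -A oem_in -p icmp -j ACCEPT
fi
# Mangle chains.  oem_mangle_out sends udp replies toward 192.168.40.0/21
# (sport 53, and 67->68) to NOTAG; VPNTAG and NOTAG are filled in by the
# release-specific block below.
# NOTE(review): unlike oem_in, these -N calls are not guarded, so running
# the script a second time re-appends the rules to the existing chains.
$IPTABLES -w -t mangle -N NOTAG
$IPTABLES -w -t mangle -N oem_mangle_out
$IPTABLES -w -I OUTPUT -t mangle -p udp -j oem_mangle_out
$IPTABLES -w -A oem_mangle_out -t mangle -p udp -d 192.168.40.0/21 --sport 53 --goto NOTAG
$IPTABLES -w -A oem_mangle_out -t mangle -p udp -d 192.168.40.0/21 --sport 67 --dport 68 --goto NOTAG
$IPTABLES -w -t mangle -N VPNTAG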
# Release-specific mark scheme.  5.x and 6.x install the same rules (6.x
# only logs an extra line first); 4.x uses a plain 0x3c mark on VPNTAG;
# 7.x is left untouched; anything else gets the 0xc0066 / 0x20000 pair
# without a mask on NOTAG.
case $RELEASE in
  4.*.*)
    $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0x3c
    ;;
  5.*.* | 6.*.*)
    case $RELEASE in
      6.*.*) log -t $LOGTAG prepare iptables mangle rule for android M ;;
    esac
    # uid 9999: DNS queries not sourced from 192.168.40.0/21 get mark 0x0
    # under mask 0xfffff; its udp traffic toward that subnet goes to NOTAG.
    $IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp --dport 53 ! -s 192.168.40.0/21 -j MARK --set-mark 0x0/0xfffff
    $IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp -d 192.168.40.0/21 --goto NOTAG
    $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
    $IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000/0xfffff
    ;;
  7.*.*)
    log -t IPTABLES "android 7.0 not support yet"
    ;;
  *)
    $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
    $IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000
    ;;
esac
# PREROUTING classification for tcp/udp arriving on non-tun interfaces:
# reserved / local destination ranges are returned untouched, everything
# else sourced from 192.168.0.0/16 is handed to VPNTAG.  The loops emit the
# same rules in the same order as the original one-per-line form.
$IPTABLES -t mangle -N oem_mangle_pre
for _net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/3; do
  $IPTABLES -A oem_mangle_pre -t mangle -d "$_net" -j RETURN
done
for _proto in udp tcp; do
  $IPTABLES -A oem_mangle_pre -t mangle -p "$_proto" -s 192.168.0.0/16 --goto VPNTAG
done
for _proto in tcp udp; do
  $IPTABLES -A PREROUTING -t mangle -p "$_proto" ! -i tun+ -j oem_mangle_pre
done
# Skip connection tracking for 192.168.0.0/20 in both directions
# (from tun0 toward it, from wlan0 out of it).
for _proto in tcp udp; do
  $IPTABLES -A PREROUTING -t raw -i tun0 -p "$_proto" -d 192.168.0.0/20 -j NOTRACK
done
for _proto in tcp udp; do
  $IPTABLES -A PREROUTING -t raw -i wlan0 -p "$_proto" -s 192.168.0.0/20 -j NOTRACK
done
# Enable IPv4 forwarding so traffic can be routed between interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
# The property checks below produce an exit status that nothing reads;
# they are kept as-is.  The final grep prints the matching value to stdout
# and its status becomes the script's exit status.
[ "X$(getprop persist.sys.strictmode.visual)" = "X1" ]
[ "X$(getprop persist.logd.size)" = "X4194304" ]
[ "X$(getprop persist.sys.ui.hw)" = "Xtrue" ]
getprop persist.sys.usb.config | grep adb