xdtianyu/iptables.ash

## iptables.ash
#!/system/bin/sh

# log -t IPTABLES -- $@
# iptables -w -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x3006a
IPTABLES="/system/bin/iptables.oem iptables"

need_arg=0;
last_cmd="";

IIF=""
TABLE=""
CHAIN=""
TARGET=""
SETMARK=""

for arg in $* ; do
	prev_arg=$need_arg;
	need_arg=0;
	if [ $prev_arg -eq 0 ]; then

		case $arg in
			-w)
			;;

			-D | -A | -t | -i | -j | --set-mark)
				last_cmd=$arg;
				need_arg=1;
			;;

			*)
				# log -t IPTABLES failure command $last_cmd $arg;
				exec $IPTABLES $@;
				exit -1;
			;;

		esac
	else
		case $last_cmd in
			-A | -D)
				CHAIN=$arg;
			;;

			-t)
				TABLE=$arg;
			;;

			-i)
				IIF=$arg;
			;;

			-j)
				TARGET=$arg;
			;;

			--set-mark)
				SETMARK=$arg;
			;;

			*)
				log -t IPTABLES failure command $last_cmd $arg;
				exec $IPTABLES $@;
				exit -1;
			;;
		esac;
	fi;
done;

oem_dozable_prepare() {
	if $IPTABLES -w -n -L oem_in |grep "0 references"; then
		log -t IPTABLES "dozable_prepare is inject INPUT/OUTPUT rule";
		$IPTABLES -w -I INPUT -j oem_in;
	fi;

	$IPTABLES -nxv -L fw_standby | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L fw_dozable | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --

	$IPTABLES -nxv -L fw_OUTPUT | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L fw_INPUT | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --

	$IPTABLES -nxv -L bw_OUTPUT | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L bw_INPUT | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --

	$IPTABLES -nxv -L OUTPUT | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L INPUT | sed "s/\r/\0/" |xargs -0 -n 1 log -t IPTABLES --
}

if [ X$TABLE == X"filter" -a X$CHAIN == X"fw_OUTPUT" -a X$TARGET == X"fw_dozable" ]; then
	oem_dozable_prepare;
fi;

if [ X$TABLE == X"filter" -a X$CHAIN == X"fw_INPUT" -a X$TARGET == X"fw_dozable" ]; then
	oem_dozable_prepare;
fi;

if [ X"$IIF" == X"tun0" -a X$TABLE == X"mangle" -a X$CHAIN == X"INPUT" -a X$TARGET == X"MARK" ]; then
	$IPTABLES -t mangle -F VPNTAG
	$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark $(($SETMARK+0x90000))
	echo $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark $(($SETMARK+0x90000))| xargs log -t IPTABLES --
	ip rule add fwmark 0x0/0xf0000 uidrange 0-0 iif lo lookup 97 pref 11100
        ip rule add fwmark 0x0/0xf0000 uidrange 9999-9999 iif lo lookup 97 pref 11100
fi;

# log -t IPTABLES -- $@
exec /system/bin/iptables.oem iptables $@

## oem-iptables-init-z11-minis.sh
#!/system/bin/sh

PATH=$PATH:/system/bin
LOGTAG=IPTABLES
IPTABLES="/system/bin/iptables.oem iptables"

#$IPTABLES -A oem_nat_pre -i tun0
#$IPTABLES -A POSTROUTING -t nat -o rmnet+ -j MASQUERADE
RELEASE=$(getprop ro.build.version.release)

#$IPTABLES -L -t mangle | sed "s/\r/\0/" |xargs -0 -n 1 log -t $LOGTAG

#$IPTABLES -A oem_out -j ACCEPT
$IPTABLES -A oem_fwd -j ACCEPT

$IPTABLES -w -A oem_out -p udp --dport 138 -j ACCEPT;
$IPTABLES -w -A oem_out -p udp --dport 53 -j ACCEPT;
$IPTABLES -w -A oem_out -p icmp -j ACCEPT

if $IPTABLES -w -N oem_in ; then
	$IPTABLES -w -A oem_in -p udp --sport 138 -j ACCEPT;
	$IPTABLES -w -A oem_in -p udp --sport 53 -j ACCEPT;
	$IPTABLES -w -A oem_in -p icmp -j ACCEPT
fi;

$IPTABLES -t mangle -N NOTAG
$IPTABLES -t mangle -N oem_mangle_out
$IPTABLES -I OUTPUT -t mangle -p udp -j oem_mangle_out
$IPTABLES -A oem_mangle_out -t mangle -p udp -d 192.168.40.0/21 --sport 53 --goto NOTAG
$IPTABLES -A oem_mangle_out -t mangle -p udp -d 192.168.40.0/21 --sport 67 --dport 68 --goto NOTAG

$IPTABLES -t mangle -N VPNTAG

case $RELEASE in
	4.*.*)
		$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0x3c
	;;
	5.*.*)
		$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp --dport 53 ! -s 192.168.40.0/21 -j MARK --set-mark 0x0/0xfffff
		$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp -d 192.168.40.0/21 --goto NOTAG
		$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
		$IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000/0xfffff
	;;
	6.*.*)
		log -t $LOGTAG prepare iptables mangle rule for android M
		$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp --dport 53 ! -s 192.168.40.0/21 -j MARK --set-mark 0x0/0xfffff
		$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp -d 192.168.40.0/21 --goto NOTAG
		$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
		$IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000/0xfffff
	;;
	7.*.*)
		log -t IPTABLES "android 7.0 not support yet"
	;;
	*)
		$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
		$IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000
	;;
esac

$IPTABLES -t mangle -N oem_mangle_pre
$IPTABLES -A oem_mangle_pre -t mangle -d 0.0.0.0/8 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -d 10.0.0.0/8 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -d 127.0.0.0/8 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -d 172.16.0.0/12 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -d 192.168.0.0/16 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -d 169.254.0.0/16 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -d 224.0.0.0/3 -j RETURN
$IPTABLES -A oem_mangle_pre -t mangle -p udp -s 192.168.0.0/16 --goto VPNTAG
$IPTABLES -A oem_mangle_pre -t mangle -p tcp -s 192.168.0.0/16 --goto VPNTAG

$IPTABLES -A PREROUTING -t mangle -p tcp ! -i tun+ -j oem_mangle_pre
$IPTABLES -A PREROUTING -t mangle -p udp ! -i tun+ -j oem_mangle_pre

$IPTABLES -A PREROUTING -t raw -i tun0 -p tcp -d 192.168.0.0/20 -j NOTRACK
$IPTABLES -A PREROUTING -t raw -i tun0 -p udp -d 192.168.0.0/20 -j NOTRACK

$IPTABLES -A PREROUTING -t raw -i wlan0 -p tcp -s 192.168.0.0/20 -j NOTRACK
$IPTABLES -A PREROUTING -t raw -i wlan0 -p udp -s 192.168.0.0/20 -j NOTRACK

echo 1 > /proc/sys/net/ipv4/ip_forward

test X$(getprop persist.sys.strictmode.visual) = X"1"
test X$(getprop persist.logd.size) = X"4194304"
test X$(getprop persist.sys.ui.hw) = X"true"
getprop persist.sys.usb.config | grep adb
	#!/system/bin/sh

	# log -t IPTABLES -- $@
	# iptables -w -t mangle -A INPUT -i tun0 -j MARK --set-mark 0x3006a
	IPTABLES="/system/bin/iptables.oem iptables"

	need_arg=0;
	last_cmd="";

	IIF=""
	TABLE=""
	CHAIN=""
	TARGET=""
	SETMARK=""

	for arg in $* ; do
	prev_arg=$need_arg;
	need_arg=0;
	if [ $prev_arg -eq 0 ]; then

	case $arg in
	-w)
	;;

	-D \| -A \| -t \| -i \| -j \| --set-mark)
	last_cmd=$arg;
	need_arg=1;
	;;

	*)
	# log -t IPTABLES failure command $last_cmd $arg;
	exec $IPTABLES $@;
	exit -1;
	;;

	esac
	else
	case $last_cmd in
	-A \| -D)
	CHAIN=$arg;
	;;

	-t)
	TABLE=$arg;
	;;

	-i)
	IIF=$arg;
	;;

	-j)
	TARGET=$arg;
	;;

	--set-mark)
	SETMARK=$arg;
	;;

	*)
	log -t IPTABLES failure command $last_cmd $arg;
	exec $IPTABLES $@;
	exit -1;
	;;
	esac;
	fi;
	done;

	oem_dozable_prepare() {
	if $IPTABLES -w -n -L oem_in \|grep "0 references"; then
	log -t IPTABLES "dozable_prepare is inject INPUT/OUTPUT rule";
	$IPTABLES -w -I INPUT -j oem_in;
	fi;

	$IPTABLES -nxv -L fw_standby \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L fw_dozable \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --

	$IPTABLES -nxv -L fw_OUTPUT \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L fw_INPUT \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --

	$IPTABLES -nxv -L bw_OUTPUT \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L bw_INPUT \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --

	$IPTABLES -nxv -L OUTPUT \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --
	$IPTABLES -nxv -L INPUT \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t IPTABLES --
	}

	if [ X$TABLE == X"filter" -a X$CHAIN == X"fw_OUTPUT" -a X$TARGET == X"fw_dozable" ]; then
	oem_dozable_prepare;
	fi;

	if [ X$TABLE == X"filter" -a X$CHAIN == X"fw_INPUT" -a X$TARGET == X"fw_dozable" ]; then
	oem_dozable_prepare;
	fi;

	if [ X"$IIF" == X"tun0" -a X$TABLE == X"mangle" -a X$CHAIN == X"INPUT" -a X$TARGET == X"MARK" ]; then
	$IPTABLES -t mangle -F VPNTAG
	$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark $(($SETMARK+0x90000))
	echo $IPTABLES -t mangle -A VPNTAG -j MARK --set-mark $(($SETMARK+0x90000))\| xargs log -t IPTABLES --
	ip rule add fwmark 0x0/0xf0000 uidrange 0-0 iif lo lookup 97 pref 11100
	ip rule add fwmark 0x0/0xf0000 uidrange 9999-9999 iif lo lookup 97 pref 11100
	fi;

	# log -t IPTABLES -- $@
	exec /system/bin/iptables.oem iptables $@
	#!/system/bin/sh

	PATH=$PATH:/system/bin
	LOGTAG=IPTABLES
	IPTABLES="/system/bin/iptables.oem iptables"

	#$IPTABLES -A oem_nat_pre -i tun0
	#$IPTABLES -A POSTROUTING -t nat -o rmnet+ -j MASQUERADE
	RELEASE=$(getprop ro.build.version.release)

	#$IPTABLES -L -t mangle \| sed "s/\r/\0/" \|xargs -0 -n 1 log -t $LOGTAG

	#$IPTABLES -A oem_out -j ACCEPT
	$IPTABLES -A oem_fwd -j ACCEPT

	$IPTABLES -w -A oem_out -p udp --dport 138 -j ACCEPT;
	$IPTABLES -w -A oem_out -p udp --dport 53 -j ACCEPT;
	$IPTABLES -w -A oem_out -p icmp -j ACCEPT

	if $IPTABLES -w -N oem_in ; then
	$IPTABLES -w -A oem_in -p udp --sport 138 -j ACCEPT;
	$IPTABLES -w -A oem_in -p udp --sport 53 -j ACCEPT;
	$IPTABLES -w -A oem_in -p icmp -j ACCEPT
	fi;

	$IPTABLES -t mangle -N NOTAG
	$IPTABLES -t mangle -N oem_mangle_out
	$IPTABLES -I OUTPUT -t mangle -p udp -j oem_mangle_out
	$IPTABLES -A oem_mangle_out -t mangle -p udp -d 192.168.40.0/21 --sport 53 --goto NOTAG
	$IPTABLES -A oem_mangle_out -t mangle -p udp -d 192.168.40.0/21 --sport 67 --dport 68 --goto NOTAG

	$IPTABLES -t mangle -N VPNTAG

	case $RELEASE in
	4..)
	$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0x3c
	;;
	5..)
	$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp --dport 53 ! -s 192.168.40.0/21 -j MARK --set-mark 0x0/0xfffff
	$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp -d 192.168.40.0/21 --goto NOTAG
	$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
	$IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000/0xfffff
	;;
	6..)
	log -t $LOGTAG prepare iptables mangle rule for android M
	$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp --dport 53 ! -s 192.168.40.0/21 -j MARK --set-mark 0x0/0xfffff
	$IPTABLES -A oem_mangle_out -t mangle -m owner --uid-owner 9999 -p udp -d 192.168.40.0/21 --goto NOTAG
	$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
	$IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000/0xfffff
	;;
	7..)
	log -t IPTABLES "android 7.0 not support yet"
	;;
	*)
	$IPTABLES -t mangle -A VPNTAG -j MARK --set-mark 0xc0066
	$IPTABLES -t mangle -A NOTAG -j MARK --set-mark 0x20000
	;;
	esac

	$IPTABLES -t mangle -N oem_mangle_pre
	$IPTABLES -A oem_mangle_pre -t mangle -d 0.0.0.0/8 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -d 10.0.0.0/8 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -d 127.0.0.0/8 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -d 172.16.0.0/12 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -d 192.168.0.0/16 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -d 169.254.0.0/16 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -d 224.0.0.0/3 -j RETURN
	$IPTABLES -A oem_mangle_pre -t mangle -p udp -s 192.168.0.0/16 --goto VPNTAG
	$IPTABLES -A oem_mangle_pre -t mangle -p tcp -s 192.168.0.0/16 --goto VPNTAG

	$IPTABLES -A PREROUTING -t mangle -p tcp ! -i tun+ -j oem_mangle_pre
	$IPTABLES -A PREROUTING -t mangle -p udp ! -i tun+ -j oem_mangle_pre

	$IPTABLES -A PREROUTING -t raw -i tun0 -p tcp -d 192.168.0.0/20 -j NOTRACK
	$IPTABLES -A PREROUTING -t raw -i tun0 -p udp -d 192.168.0.0/20 -j NOTRACK

	$IPTABLES -A PREROUTING -t raw -i wlan0 -p tcp -s 192.168.0.0/20 -j NOTRACK
	$IPTABLES -A PREROUTING -t raw -i wlan0 -p udp -s 192.168.0.0/20 -j NOTRACK

	echo 1 > /proc/sys/net/ipv4/ip_forward

	test X$(getprop persist.sys.strictmode.visual) = X"1"
	test X$(getprop persist.logd.size) = X"4194304"
	test X$(getprop persist.sys.ui.hw) = X"true"
	getprop persist.sys.usb.config \| grep adb