
#!/system/bin/sh

#

# Absolute paths of the netfilter front-ends this script drives, and the
# chain it appends its rules to.  Nothing in this file creates $CHAIN
# (there is no -N anywhere), so it must already exist when the script
# runs -- presumably created by the platform before this hook is invoked;
# confirm on the target build.
CHAIN="oem_out"
IPTABLES="/system/bin/iptables"
IP6TABLES="/system/bin/ip6tables"

#OEM_SCRIPT_PATH=/system/bin/oem-iptables-init.sh

#

#

#

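#######################################
# Run $IPTABLES with the caller's arguments plus --wait, retrying on
# failure.  --wait makes iptables block on the xtables lock instead of
# exiting when another iptables instance holds it (e.g. a concurrent
# invocation by the platform), which is the usual cause of transient
# failures during init.
# Globals:   IPTABLES (read), CHAIN (read)
# Arguments: iptables arguments, passed through verbatim in order
# Returns:   0 as soon as one attempt succeeds; 1 after three failures
# Side effects: each failed attempt appends an unconditional LOG rule to
#   $CHAIN, and the final failure appends one more.  Those rules have no
#   match, so they log every packet traversing the chain until it is
#   flushed -- a persistent failure leaves up to four of them behind.
#######################################
function iptable {
  local attempts_left=3

  while true; do
    # "$@" hands every argument to iptables as one word.  The previous
    # version used an unquoted $* together with a global IFS="" to get the
    # same effect, but that left IFS empty for the rest of the script and
    # still exposed the arguments to pathname expansion.
    if $IPTABLES "$@" --wait; then
      return 0
    fi

    # Recoverable-failure marker (see "Side effects" above).
    $IPTABLES -A "$CHAIN" -m comment --comment 'ERROR!!! IPtables INIT Recoverable ERROR!!!' -j LOG --wait

    # Shell arithmetic instead of the external `expr`, which may not be
    # present on a minimal device image.
    attempts_left=$((attempts_left - 1))

    # Three failed attempts: mark the failure in the chain and give up.
    if [ "$attempts_left" -eq 0 ]; then
      $IPTABLES -A "$CHAIN" -m comment --comment 'ERROR!!! IPtables INIT UNRECOVERABLE ERROR!!!' -j LOG --wait
      return 1
    fi
  done
}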


#

# Disable IPv6 support

#/system/bin/sysctl -w net.ipv6.conf.wlan0.disable_ipv6=1

#

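# IPv6: drop everything by policy, then add an explicit DROP in $CHAIN as
# well.  None of the IPv4 destination/owner/DNS rules below are installed
# for IPv6, so without this block a blocked host would still be reachable
# over an AAAA record.
#
# NOTE(review): `-F` with no chain argument flushes every chain of the
# ip6tables filter table, not only $CHAIN; any IPv6 rules the platform had
# installed there are removed too.  The DROP policies also cover loopback
# (::1) -- presumably intended, confirm nothing on the device binds to it.
#
# --wait blocks on the xtables lock like the iptable wrapper does for IPv4;
# the original calls lacked it and checked no exit status, so a lock
# collision during init would have left IPv6 open with no trace.  Failures
# are reported on stderr and the script carries on (best effort, as before).
$IP6TABLES -F --wait || printf '%s\n' 'oem-iptables-init: ip6tables -F failed' >&2
$IP6TABLES -P INPUT DROP --wait || printf '%s\n' 'oem-iptables-init: ip6tables -P INPUT DROP failed' >&2
$IP6TABLES -P OUTPUT DROP --wait || printf '%s\n' 'oem-iptables-init: ip6tables -P OUTPUT DROP failed' >&2
$IP6TABLES -P FORWARD DROP --wait || printf '%s\n' 'oem-iptables-init: ip6tables -P FORWARD DROP failed' >&2
#
# Block IPv6 output traffic (redundant with the OUTPUT policy; kept so the
# chain itself documents the intent even if the policy is changed later).
$IP6TABLES -A "$CHAIN" --protocol all --jump DROP --wait || printf '%s\n' 'oem-iptables-init: ip6tables -A failed' >&2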

#

# Accept all internal (loopback) traffic

# Loopback traffic is accepted unconditionally so that local IPC over
# 127.0.0.0/8 is not affected by anything appended after this line.  Only
# IPv4 is covered; IPv6 loopback (::1) falls under the ip6tables DROP
# policies set earlier in this script.
iptable -A $CHAIN --protocol all --source 127.0.0.0/8 --destination 127.0.0.0/8 -m comment --comment 'Accept internal traffic' --jump ACCEPT

#

# Drop any traffic which doesn't have a UID. VERY IMPORTANT!!!!
# Negated owner match: drops every packet in this chain that is not owned
# by a socket with a UID in 0-99999 -- which, as the author's comment says,
# includes packets with no attributable owner at all.  NOTE(review): the
# per-UID DNS rules further down only inspect UID 0, so this rule is what
# keeps unattributed packets from passing them; verify on the target kernel
# that socketless packets do match the negated owner test as assumed here.
iptable -A $CHAIN --protocol all -m owner ! --uid-owner 0-99999 -m comment --comment 'Drop any traffic which does not have UID.' --jump DROP

#

##########################

# Please put all static filtering rules here.

##########################

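# Static destination filters.  Each one is an unconditional DROP for every
# protocol, evaluated in the order appended here, after the loopback ACCEPT
# and the no-owner DROP above.  Netmasks are written in dotted form;
# /255.255.255.255 is a single host.
#
# Single IP address filtering rule
iptable -A "$CHAIN" --protocol all --destination 58.83.160.224/255.255.255.255 -m comment --comment "Chinas ad host" --jump DROP

# Example of static IP subnet filtering
iptable -A "$CHAIN" --protocol all --destination 54.192.230.0/255.255.255.0 -m comment --comment "Blocked Xiaomi servers subnet" --jump DROP

iptable -A "$CHAIN" --protocol all --destination 52.74.0.0/255.255.0.0 -m comment --comment 'Blocked Xiaomi servers big subnet' --jump DROP

iptable -A "$CHAIN" --protocol all --destination 74.125.232.0/255.255.255.0 -m comment --comment "Blocked Google US servers subnet" --jump DROP
iptable -A "$CHAIN" --protocol all --destination 173.194.0.0/255.255.0.0 -m comment --comment "Blocked Google US big subnet" --jump DROP
iptable -A "$CHAIN" --protocol all --destination 216.58.0.0/255.255.0.0 -m comment --comment "Blocked Google US big subnet" --jump DROP
iptable -A "$CHAIN" --protocol all --destination 172.217.17.0/255.255.255.0 -m comment --comment "Blocked Google DE servers subnet" --jump DROP

# This rule used to be broken across two lines: `iptable` ran with no value
# after --destination (three failed attempts, LOG rules appended to the
# chain) and the address on the next line was then executed as a command.
# The 103.235.46.0/24 block was therefore never installed.  One line now.
iptable -A "$CHAIN" --protocol all --destination 103.235.46.0/255.255.255.0 -m comment --comment "Blocked Hong Kong leks=) servers subnet" --jump DROP

iptable -A "$CHAIN" --protocol all --destination 123.125.114.0/255.255.255.0 -m comment --comment "Blocked China Beijing leeks servers subnet" --jump DROP
iptable -A "$CHAIN" --protocol all --destination 14.17.0.0/255.255.0.0 -m comment --comment "Blocked China Guangzhou leeks big servers subnet" --jump DROP
iptable -A "$CHAIN" --protocol all --destination 103.7.0.0/255.255.0.0 -m comment --comment "Blocked China Shenzhen leeks big servers subnet" --jump DROP
# (123.125.114.0/24 was listed a second time here; the identical DROP has
# been removed -- one rule is sufficient.)
iptable -A "$CHAIN" --protocol all --destination 183.61.0.0/255.255.0.0 -m comment --comment "Blocked China Guangzhou leeks big servers subnet" --jump DROP
iptable -A "$CHAIN" --protocol all --destination 120.198.0.0/255.255.0.0 -m comment --comment "Blocked China Zhaoqing leeks big servers subnet" --jump DROP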


#################

# Start of per package UID filtration

# Process UID 0 (root) sends DNS queries to external servers.

# So domain name filtration must be here.

#

# Block DNS queries to Xiaomi and their partners domains

#

# miui.com

# xiaomi.com

# xiaomi.net

# mi-idc.com

# ksmobile.com

# mi.com

# qq.com

# tencent-cloud.net

# mgslb.com

# swiftkey.com

# swiftkey.net

# touchtype-fluency.com

# mi1.cc

# ksosoft.com

# kingsoft.com

# sandai.net

# kingsoft-office-service.com

# crashlytics.com

# duokanbox.com

# avlyun.com

# hshh.org

#

# UID 0 DNS filtering.  Each rule drops a UDP/53 packet owned by UID 0
# whose payload contains the given name in DNS wire format: length-prefixed
# labels terminated by a zero byte, so '|04|miui|03|com|00|' is "miui.com".
# Every length byte must equal the character count of the label that
# follows it, otherwise the rule silently never matches (all lengths in
# this block were checked).  The match is a substring search (-m string,
# Boyer-Moore), so a rule for "xiaomi.com" also drops queries for any name
# under it.
#
# Coverage limits a maintainer should keep in mind: only UDP port 53 is
# inspected, so DNS over TCP/53, DNS over TLS (853) and DNS over HTTPS are
# not affected; and only packets owned by UID 0 are inspected, so a
# resolver running under any other UID bypasses this block entirely.
iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|04|miui|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for miui.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|xiaomi|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for xiaomi.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|xiaomi|03|net|00|' -m comment --comment 'Deny UID 0 DNS queries for xiaomi.net domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|mi-idc|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for mi-idc.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|08|ksmobile|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for ksmobile.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|02|mi|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for mi.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|02|qq|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for qq.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|0d|tencent-cloud|03|net|00|' -m comment --comment 'Deny UID 0 DNS queries for tencent-cloud.net domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|05|mgslb|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for mgslb.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|08|swiftkey|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for swiftkey.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|08|swiftkey|03|net|00|' -m comment --comment 'Deny UID 0 DNS queries for swiftkey.net domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|11|touchtype-fluency|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for touchtype-fluency domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|03|mi1|02|cc|00|' -m comment --comment 'Deny UID 0 DNS queries for mi1.cc domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|07|ksosoft|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for ksosoft.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|08|kingsoft|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for kingsoft.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|sandai|03|net|00|' -m comment --comment 'Deny UID 0 DNS queries for sandai.net domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|17|kingsoft-office-service|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for kingsoft-office-service.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|0b|crashlytics|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for crashlytics.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|09|duokanbox|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for duokanbox.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|avlyun|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for avlyun.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|04|hshh|03|org|00|' -m comment --comment 'Deny UID 0 DNS queries for hshh.org domain' -j DROP

#

# Google domains names and codes DNS filtering

#

# googleapis.com

# gstatic.com

# google.com

# google.ru

# googleadservices.com

# doubleclick.net

# doubleclickbygoogle.com

# youtube.com

# googlezip.net

# gvt1.com

# googleusercontent.com

# ggpht.com

# google-analytics.com

# connectivitycheck.gstatic.com

# android.clients.google.com

#

# Uncomment for Captive Portal login service.
# NOTE(review): the rule below is active, not commented out.  The line
# above presumably means "comment out this rule if captive-portal login
# (the connectivity check) must keep working" -- confirm with the author.
# Same matching mechanics and coverage limits as the block above: UDP/53
# only, UID 0 only, substring match on the wire-format name, so a rule for
# google.com also covers every name under it.
iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|11|connectivitycheck|07|gstatic|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for connectivitycheck.gstatic.com domain' -j DROP

#

# Google search/authorisation sites domain. There are a lot of host names there.

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|google|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for google.com domain' -j DROP

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|google|02|ru|00|' -m comment --comment 'Deny UID 0 DNS queries for google.ru domain' -j DROP

#

# These servers are needed for Google Play Market

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|0a|googleapis|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for googleapis.com domain' -j DROP

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|07|gstatic|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for gstatic.com domain' -j DROP

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|04|gvt1|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for gvt1.com domain' -j DROP

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|11|googleusercontent|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for googleusercontent.com domain' -j DROP

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|05|ggpht|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for ggpht.com domain' -j DROP

#

#

# Google Ad servers. 

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|10|googleadservices|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for googleadservices.com domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|0b|doubleclick|03|net|00|' -m comment --comment 'Deny UID 0 DNS queries for doubleclick.net domain' -j DROP

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|13|doubleclickbygoogle|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for doubleclickbygoogle.com domain' -j DROP

####

# IMHO - same shit.

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|10|google-analytics|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for google-analytics.com domain' -j DROP

####

# Other stuff

#

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|07|youtube|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for youtube.com domain' -j DROP

 iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|09|googlezip|03|net|00|' -m comment --comment 'Deny UID 0 DNS queries for googlezip.net domain' -j DROP

# #####

# Google's mtalk(gtalk) domains

#

# -mtalk.google.com
# |2d| is the ASCII '-' byte, not a label length: this pattern matches any
# query whose leftmost label ends in "-mtalk" followed by google.com
# (e.g. alt1-mtalk.google.com), regardless of that label's length.

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|2d|mtalk|06|google|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for *-mtalk.google.com domain' -j DROP

#

# mtalk.google.com
# Here |05| is a real label length, so this matches the label "mtalk"
# exactly (the "*" in the rule comment is misleading; names like
# alt1-mtalk are caught by the |2d| rule above instead).

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|05|mtalk|06|google|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for *mtalk.google.com domain' -j DROP

#

# mtalk4.google.com

iptable -A $CHAIN --protocol udp --dport 53 -m owner --uid-owner 0 -m string --algo bm --hex-string '|06|mtalk4|06|google|03|com|00|' -m comment --comment 'Deny UID 0 DNS queries for mtalk4.google.com domain' -j DROP

#
