I have found that you can enable www access through a proxy server by inserting new iptables rules in Android. I have used it successfully to browse the internet through the wifi at my office; it should be the same for school networks with proxy servers as well.
Requirements:
Root access
Kernel with iptable and netfilter support
Known working kernels:
Doomkernel v10
Has been tested on .368 firmware and Doomkernel v10; all iptables and netfilter modules are included in his kernel.
1. Open a terminal emulator or use a scripting app, I have been using ScriptManager.
2. Add iptables entry, root access is needed to manipulate the iptables.
Replace ip address and port in the --to parameter to match your own proxy server address
$ su
# iptables -t nat -A OUTPUT -p tcp -o wlan0 -d internal.ericsson.com -j ACCEPT
# iptables -t nat -A OUTPUT -p tcp -o wlan0 --dport 80 -j DNAT --to 153.140.40.150:3132
# iptables -t nat -L (to list newly added rule)
All apps will now connect to the proxy when accessing port 80
To remove iptables:
$ su
# iptables -t nat -F OUTPUT
You might see several error messages, they can be ignored
modprobe: module 'ip_tables' not found
getsocket for multiport failed strangely: No such file or directory
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:378
Please let me know if you know how to improve the ruleset and if other kernels are working as well.
Updated ruleset:
Have added an additional rule to configure iptables to bypass the proxy for intranet web addresses; it would otherwise try to open intranet web pages through the proxy server.
The easy way
http://forum.xda-developers.com/showthread.php?t=766569
w1000i said:
The easy way
http://forum.xda-developers.com/showthread.php?t=766569
Thanks for the url, have you tried it? Might give it a try but it sounds like it is just a frontend to manipulating the iptables. I prefer to change it myself, that gives full flexibility to do whatever I wish with the iptables.
Did give DroidProxy a try from the Android Market but it did not seem to work, which is why I started to set up the proxy manually in iptables.
---------- Post added at 10:08 AM ---------- Previous post was at 09:43 AM ----------
w1000i said:
The easy way
http://forum.xda-developers.com/showthread.php?t=766569
Found out that the transporxy project has been discontinued and replaced with autoproxy, which according to the forum members should work very well.
http://forum.xda-developers.com/showthread.php?t=1083284
It should work as long as multiports are not used, as this is not included in Doomkernel v10. This only means that you will have to add a separate rule for each port you wish to forward, i.e. one for port 80 and one for port 443 instead of having both included in the same rule.
Upfronts: I'm using NottachTrix 1.3.1 with the 2.3.6 Webtop. I'm also a programmer and a network administrator, so I might be a little more comfortable poking around in things that might break my phone than other users. Don't do anything you aren't comfortable with! I'm just reporting my findings. Your phone, your comfort level, your business!
I wanted to get my new lapdock to use the cellular network without jumping through any "enable/disable mobile hotspot" hoops. I finally got all the webtop2sd stuff running, including a working lxterminal and synaptic. I was running synaptic as root from a bash shell ("sudo bash" to give me a root shell, other commands as needed). I noticed that synaptic worked without wifi but firefox didn't. I could also ping various websites with no trouble under the root shell, but the adas user could not. adas COULD ping IP addresses, though, so it seemed like there was a firewall in place that was blocking adas from resolving domain names.
As it turns out, there is a firewall in place that is blocking the adas user from resolving domain names.
Webtop seems to be using iptables to restrict access to the default login user. I typed "iptables -L" to view all the iptables-based firewalling that was going on. Sure enough, three entries existed to block network traffic for the user "adas". After an "iptables -S" to get the commands that were used to turn on the filtering, I was able to reverse the process. (Hint: -A adds a rule, -D deletes one)
From here, I could do a lot of things -- create a script to disable iptables on demand, block the commands from running in the first place, dance a happy little jig... I won't embarrass myself by revealing which I actually did, but hopefully there's enough in this post that will help others resolve their problems in a similar manner!
(By the way, every time the phone is docked, it re-blocks network access, apparently using a file called "syslog-restart".)
If you could fix this would be great, I have the same rom and everything and I use my LapDock in my business and it is always a pain to make it connect and most of the times it fails to connect for me.
Cheers
The following presumes a working lxterminal and synaptic (or apt-get). If you haven't run the webtopscripts to fix the broken dependencies, now's a good time to poke that bear*.
(Type the stuff that's in bold -- comments are in italics)
In lxterminal:
sudo apt-get install nano (Command-line text editor)
iptables -S (generates a list of rules that iptables is currently using)
copy any lines in the "-P OUTPUT ACCEPT" section that start with "-A"
create a new file in nano by typing nano fwdisable.sh
at the top of the new document, type #!/bin/bash and press Enter
paste the copied lines into the resulting screen
insert iptables at the start of each line and change "-A" to "-D" (A for add, D for delete)
once the file looks the way you think it should, exit the program with CTRL-X, saving the file when it asks
at the command prompt, type chmod 755 fwdisable.sh
run your new shell script with sudo ./fwdisable.sh
open up a web browser and enjoy!
* Please don't poke any bears. While they may look fluffy, they react poorly to being poked. There's probably a good metaphor about messing around in the internals of your phone in there somewhere, but for the life of me I just can't find it!
Did you guys can edit a ROM that has it all in a matter of WebTop, I can not make it work on my Atrix in any way.
I do not have the device only the HDMI cable.
Trying to save fwdisable.sh, nano gives me the following error
"Error writing fwdisable.sh Read-only file system"
Please advise
pederb said:
Trying to save fwdisable.sh, nano gives me the following error
"Error writing fwdisable.sh Read-only file system"
Please advise
Sounds like you're not root or su
Sent from my MB860 using Tapatalk 2
Ok the drive was write protected, but now I get
" ./fwdisable.sh: line 2: -D: command not found"
" ./fwdisable.sh: line 3: -D: command not found"
I was not able to get it to work with Nano so I used gedit instead but should not make a difference, right?
Any idea?
maybe someone can create a flashable fix so that its easy for some of us noobs lol
studean said:
The following presumes a working lxterminal and synaptic (or apt-get). If you haven't run the webtopscripts to fix the broken dependencies, now's a good time to poke that bear*.
(Type the stuff that's in bold -- comments are in italics)
In lxterminal:
sudo apt-get install nano (Command-line text editor)
iptables -S (generates a list of rules that iptables is currently using)
copy any lines in the "-P OUTPUT ACCEPT" section that start with "-A"
create a new file in nano by typing nano fwdisable.sh
at the top of the new document, type #!/bin/bash and press Enter
paste the copied lines into the resulting screen
insert iptables at the start of each line and change "-A" to "-D" (A for add, D for delete)
once the file looks the way you think it should, exit the program with CTRL-X, saving the file when it asks
at the command prompt, type chmod 755 fwdisable.sh
run your new shell script with sudo ./fwdisable.sh
open up a web browser and enjoy!
* Please don't poke any bears. While they may look fluffy, they react poorly to being poked. There's probably a good metaphor about messing around in the internals of your phone in there somewhere, but for the life of me I just can't find it!
Follow this guide guys, it is ridiculously easy, no flashing needed.
I also added a button to the AWN dock with the command:
sudo ./fwdisable.sh
Which will give you one click disabling of the firewall. It will restart the firewall each time you dock/undock it appears, so just dock it, click the firewall disable button and you are good to go.
Norcalz71 said:
Follow this guide guys, it is ridiculously easy, no flashing needed.
I also added a button to the AWN dock with the command:
sudo ./fwdisable.sh
Which will give you one click disabling of the firewall. It will restart the firewall each time you dock/undock it appears, so just dock it, click the firewall disable button and you are good to go.
Well I'm still getting my error no matter how many times I try it again
man i can't even get webtop2sd to work. as soon as i run it on my phone it force closes. i haven't even got it to open longer than the super user request yet.
fingers crossed on a cwm flashable lol.
Thanks for this. I was wondering why apt-get update would work but adas couldn't ping out properly over 3g.
Also, thank you for the walk through in editing iptables there. Interesting that they chose to use that over something more proprietary, or well hidden.
I had this problem at first, too -- I think it was busybox-related. There's a busybox updater or two in the Market (I mean, "Play Store") that will bring you up to speed and let you install webtop2sd.
Sorry it's been so long since my last post! It appears that you didn't insert an "iptables " before the "-D". Check to make sure that each line after the "#!/bin/bash" starts with "iptables -D" instead of just "-D" and see if that takes care of the problem. (Also make sure you execute the script with a "sudo" -- iptables won't work properly as a regular user...)
studean said:
Sorry it's been so long since my last post! It appears that you didn't insert an "iptables " before the "-D". Check to make sure that each line after the "#!/bin/bash" starts with "iptables -D" instead of just "-D" and see if that takes care of the problem. (Also make sure you execute the script with a "sudo" -- iptables won't work properly as a regular user...)
should it be,
iptables -D
or
-D iptables
[email protected]:/$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8086 -m owner ! --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8085 -m owner ! --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
This is how it looks before editing
It should be "iptables -D". Based on the output from your "iptables -S" command, the file should look like this:
Code:
#!/bin/bash
iptables -D OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8086 -m owner ! --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
iptables -D OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8085 -m owner ! --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
I also had a third line (that escapes me at the moment -- I'm on a different machine) that further blocked access, but apparently there is a bit of variation in the configuration... At any rate, create the file using whatever text editor you feel most comfortable using, then "chmod 755" the file to make it executable. If you call it "fwdisable.sh", then you should type "chmod 755 fwdisable.sh" in lxterminal and run the file with "sudo ./fwdisable.sh" to disable the firewall.
Good luck! If you want to know more about the workings of this stuff, google "bash scripting guide" and (for a general overview) read the wikipedia page for "iptables". It will help you understand what's up with all these seemingly weird commands...
That worked, but now I get these error messages?
[email protected]:/$ sudo ./fwdisable.sh
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
[email protected]:/$
Please advise
Cheers
You should be okay with those error messages. I'm not entirely sure WHY it's looking for that file, but it's "normal" output. If you'll remember, it's the same output you got in the "iptables -S" command... Something about accessing iptables causes the system to look for that file. (I just haven't been bothered enough over it to check yet...)
To verify, run "sudo iptables -S" again to see if there is anything left. You should just see three lines:
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Anything more than that and you might need to edit your script as you did before. If the output from "iptables -S" looks like the above, though, fire up firefox and give it a whirl!
studean said:
You should be okay with those error messages. I'm not entirely sure WHY it's looking for that file, but it's "normal" output. If you'll remember, it's the same output you got in the "iptables -S" command... Something about accessing iptables causes the system to look for that file. (I just haven't been bothered enough over it to check yet...)
To verify, run "sudo iptables -S" again to see if there is anything left. You should just see three lines:
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Anything more than that and you might need to edit your script as you did before. If the output from "iptables -S" looks like the above, though, fire up firefox and give it a whirl!
[email protected]:/$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
-A OUTPUT -o ppp0 -m owner --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
[email protected]:/$
Excellent! This means you're almost there! As before, copy/paste that line into your shell script, change the "-A" to "iptables -D" and that SHOULD be the end of it.
No, really. This time for sure. Just re-run the script when you're done (ignoring the "fatal" stuff) and you'll be browsing in no time!
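The hand edit described in this thread (copy the "-A" lines from "iptables -S", prefix them with "iptables", change "-A" to "-D") can be done mechanically, together with a restore script that puts the same rules back. This is an added example, not code from any poster; the function names are hypothetical and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the thread): build an undo script and a matching
# restore script from saved `iptables -S` output. It only rewrites text and
# never calls iptables itself. Function names are hypothetical.

# Constructed sample, modelled on the output posted in this thread.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
FATAL: Could not load /lib/modules/2.6.32.56-MB860-faux123-GB-024/modules.dep: No such file or directory
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 8086 -m owner ! --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o ppp0 -m owner --uid-owner adas -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Keep only the "-A <chain> ..." lines for one chain. Policy lines (-P),
# modprobe "FATAL:" noise and stray carriage returns are dropped.
rule_lines() {  # $1 = chain name, rules on stdin
    awk -v chain="$1" '{ sub(/\r$/, "") } $1 == "-A" && $2 == chain'
}

# Undo script: every "-A" becomes "iptables -D" with the same rule spec.
make_undo() {  # $1 = chain name, rules on stdin
    echo '#!/bin/bash'
    rule_lines "$1" | sed 's/^-A /iptables -D /'
}

# Restore script: the same rules re-appended in their original order.
make_restore() {  # $1 = chain name, rules on stdin
    echo '#!/bin/bash'
    rule_lines "$1" | sed 's/^-A /iptables -A /'
}

# Real use (assumption: run as root on the device; file names are examples):
#   iptables -S > rules.txt
#   make_undo OUTPUT < rules.txt > fwdisable.sh
#   make_restore OUTPUT < rules.txt > fwenable.sh
sample_rules | make_undo OUTPUT
```

Keeping the restore script next to fwdisable.sh means the original rules can be put back without redocking the phone.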
Hi there people. I recently found an article about using a VPN set up along with routing tables to get tethering going using the phone in Hotspot mode. Everything is working well, but the one thing that I can't get going is to have the userinit.sh run at boot automatically.
The original poster said to put this text in the userinit.sh, and nothing else.
========================================================
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
========================================================
As I say I can execute this manually via root explorer, but can't get it to run automatically on boot. Thanks for any help with this.
Get ROM toolbox or something that runs scripts at boot
Thank you for your help. I will have a look at this app later and give it a go.
Hi there I have had chance to install Rom toolbox. I did the following, but still no luck:
main menu - scripter - add script (plus icon) - hit my userinit.sh and pressed to "set at boot icon". I rebooted the phone but the script did not work. I saw "access to interactive shell" from Rom toolbox popup, so something must have happened. Thanks for any more help.
Hi, Looking for help to update the M8 tether hack to work with lollipop on Sprint stock rooted ROM.
I was able to update the default.xml file ( sprint stock lollipop based) in the attached zip which enabled the hotspot and works great with 3g. The init.d tether script used to get LTE working in the zip worked great on kitkat when set correctly using SManager but it doesn't seem to work on lollipop as everyone is aware. I am not experienced enough to edit the tether script which I suspect is the issue with LTE and was hoping someone else here was. It's below and also attached in the zip file under system/etc/init.d which I am sure you know already. Of course it might be something much harder than a simple update of a script or it probably would have been done already....
(I can't attach the zip I was referring to since I haven't posted 10 posts yet but it's here)
http://forum.xda-developers.com/atta...9&d=1423894001
Thanks!
#!/system/bin/sh
iptables -F
iptables -A bw_FORWARD -i !lo+
iptables -A natctrl_FORWARD -j RETURN -i rmnet+ -o wlan0 -m state --state RELATED,ESTABLISHED
iptables -A natctrl_FORWARD -j DROP -i wlan0 -o rmnet+ -m state --state INVALID
iptables -A natctrl_FORWARD -j RETURN -i wlan0 -o rmnet+
iptables -A natctrl_FORWARD -j DROP
iptables -A natctrl_nat_POSTROUTING -t nat -o rmnet+ -j MASQUERADE
oh yeah, six pack of top shelf NW beer sent to the person that can get this working
robsoprano said:
Hi, Looking for help to update the M8 tether hack to work with lollipop on Sprint stock rooted ROM.
I was able to update the default.xml file ( sprint stock lollipop based) in the attached zip which enabled the hotspot and works great with 3g. The init.d tether script used to get LTE working in the zip worked great on kitkat when set correctly using SManager but it doesn't seem to work on lollipop as everyone is aware. I am not experienced enough to edit the tether script which I suspect is the issue with LTE and was hoping someone else here was. It's below and also attached in the zip file under system/etc/init.d which I am sure you know already. Of course it might be something much harder than a simple update of a script or it probably would have been done already....
(I can't attach the zip I was referring to since I haven't posted 10 posts yet but it's here)
http://forum.xda-developers.com/atta...9&d=1423894001
Thanks!
#!/system/bin/sh
iptables -F
iptables -A bw_FORWARD -i !lo+
iptables -A natctrl_FORWARD -j RETURN -i rmnet+ -o wlan0 -m state --state RELATED,ESTABLISHED
iptables -A natctrl_FORWARD -j DROP -i wlan0 -o rmnet+ -m state --state INVALID
iptables -A natctrl_FORWARD -j RETURN -i wlan0 -o rmnet+
iptables -A natctrl_FORWARD -j DROP
iptables -A natctrl_nat_POSTROUTING -t nat -o rmnet+ -j MASQUERADE
Why not post in the tether hack thread?
http://forum.xda-developers.com/showthread.php?t=2712222
'cause they required 10 posts which I now have
hi, please delete this thread, it has been added to this existing one:
http://forum.xda-developers.com/showthread.php?t=2712222&page=20
I used to be able to tether over wi-fi by connecting to an OpenVPN server, then activating the phone as a wi-fi hotspot, then running a script to route data traffic over the VPN. For some reason, this is not working anymore.
This is the script that used to work:
Code:
su -
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
When this didn't work I tried this script:
Code:
su -
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
But this isn't working either. If I connect the VPN, turn on the hotspot, and then run the script, I can't get the 2nd device to connect to wi-fi. If I connect the VPN, run the script, then turn on the hotspot, I'm able to connect, but the 2nd device does not get routed over the VPN (which defeats the purpose).
Is anybody doing this successfully and, if so, how are you doing it?
OK,
After some experimenting, I got this to work. For the benefit of anybody else trying to do this, here are the instructions that worked:
1. Turn on wi-fi hotspot on phone and connect from tethered device
2. Connect to your VPN (I use OpenVPN)
3. Using terminal emulator or other terminal program navigate to the location of the tether_routing.sh script
4. type su <cr>
5. type sh tether_routing.sh
Make sure you follow these steps in exactly this order!
Check to make sure your tethered device is actually connecting through the VPN (http://whatismyipaddress.com)
I changed the tether_routing.sh script slightly. For some reason, it seems to work better when 'su' is typed before running the script and not put in the script.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
Thank you for this! I have been trying to find a solution for a long time. I have an s6 now, but I'll try this weekend to see if it will work for me.
woody1 said:
OK,
After some experimenting, I got this to work. For the benefit of anybody else trying to do this, here are the instructions that worked:
1. Turn on wi-fi hotspot on phone and connect from tethered device
2. Connect to your VPN (I use OpenVPN)
3. Using terminal emulator or other terminal program navigate to the location of the tether_routing.sh script
4. type su <cr>
5. type sh tether_routing.sh
Make sure you follow these steps in exactly this order!
Check to make sure your tethered device is actually connecting through the VPN (http://whatismyipaddress.com)
I changed the tether_routing.sh script slightly. For some reason, it seems to work better when 'su' is typed before running the script and not put in the script.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
Thanks, I still couldn't get it to work. It is most likely user error, as I'm a bit of a newbie creating (copying/pasting/saving) scripts.
dave812 said:
Thanks, I still couldn't get it to work. It is most likely user error, as I'm a bit of a newbie creating (copying/pasting/saving) scripts.
You might try typing the commands into a terminal window one by one instead of putting them in a script. If you can get that to work, you can experiment with getting them to work in a script.
I found that in order for the script to work you need to convert the text file to unix format without the carriage return after each line. If you are creating the script in certain text editors in Windows there will be a carriage return.
Use this dos2unix utility to remove the carriage returns in the script and then it will work.
http://sourceforge.net/projects/dos2unix
uniphase said:
I found that in order for the script to work you need to convert the text file to unix format without the carriage return after each line. If you are creating the script in certain text editors in Windows there will be a carriage return.
Use this dos2unix utility to remove the carriage returns in the script and then it will work.
http://sourceforge.net/projects/dos2unix
You are correct about this script and this applies to any plain text file that's created in a Windows environment, then used on a Linux/Unix based system. I use Notepad++ on Windows which has an option to display and change the end-of-line style in use for a given file.
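Three script problems come up in the posts collected here: Windows carriage returns, a first line written as "#/bin/bash" instead of "#!/bin/bash", and rule lines that start with "-D" without "iptables" in front (the "-D: command not found" error). The check below looks for all three before a rules script is run. It is an added example, not code from any poster; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a hand-edited
# iptables script. Prints one finding per line; prints nothing when clean.
# Function names are hypothetical.

lint_rules_script() {  # $1 = path to the script
    f=$1
    cr=$(printf '\r')

    # 1. Carriage returns at end of line (file saved with Windows endings).
    #    The shell then sees "tun0\r" or "61\r" as the last argument.
    if grep -q "${cr}\$" "$f"; then
        echo "crlf: file has carriage returns, convert it to unix format"
    fi

    # 2. First line must begin with "#!/". "#/bin/bash" is only a comment.
    first=$(head -n 1 "$f" | tr -d '\r')
    case $first in
        '#!'/*) ;;
        *) echo "shebang: first line is '$first', expected '#!/path/to/shell'" ;;
    esac

    # 3. Rule lines pasted from "iptables -S" without the command in front.
    #    The shell would try to run "-A", "-D" or "-I" as a program.
    awk '{ sub(/\r$/, "") }
         /^-[ADI] / { printf "line %d: rule starts with %s, not iptables\n", NR, $1 }' "$f"
}

# Write the file to stdout with carriage returns removed, which is the
# conversion dos2unix performs on these scripts.
strip_cr() {  # $1 = path to the script
    tr -d '\r' < "$1"
}

# Stand-alone use: sh lint.sh fwdisable.sh
if [ -n "${1:-}" ]; then
    lint_rules_script "$1"
fi
```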
woody1 said:
OK,
After some experimenting, I got this to work. For the benefit of anybody else trying to do this, here are the instructions that worked:
1. Turn on wi-fi hotspot on phone and connect from tethered device
2. Connect to your VPN (I use OpenVPN)
3. Using terminal emulator or other terminal program navigate to the location of the tether_routing.sh script
4. type su <cr>
5. type sh tether_routing.sh
Make sure you follow these steps in exactly this order!
Check to make sure your tethered device is actually connecting through the VPN (http://whatismyipaddress.com)
I changed the tether_routing.sh script slightly. For some reason, it seems to work better when 'su' is typed before running the script and not put in the script.
Code:
#!/system/bin/sh
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
in this line>>>>> ip rule add from 192.168.43.0/24 lookup 61 <<<<<the ip is universal???
---------- Post added at 09:18 PM ---------- Previous post was at 08:48 PM ----------
I tried it with psiphon 113. I use ipleak.net btw and from my phone, which is the device that shares the connection, it works as it should. But from the tablet which I connect through the phone I have a DNS leak. The phone takes ip and dns from the vpn, and the tablet gets only the ip but dns from Greece. It is also weird that it doesn't take dns from Vodafone but generally dns from Greece... any ideas??