Hi there.
First and foremost, I am outside the USA. Since I got my Chromecast I have been using it to access Netflix, Hulu Plus, Pandora et al. using a firewall rule that I learned here at XDA Dev Forums.
This one: iptables -I PREROUTING -t nat -p udp -s (chromecast IP) --dport 53 -j DNAT --to-destination (your DNS)
With that being said, this morning I noticed that there was an update on Android and iOS adding DIAL support (Chromecast) to HBO GO.
I installed it on both OSes and to my great surprise it didn't work on either.
Here is the situation right now.
On Android (S4 mini running 4.2) it fails to connect and asks me to try it later on. On the TV I only get a black screen.
On iOS running the latest iOS 7 it seems to connect, but there is only a black screen on my TV. If I try to play something, nothing happens: the TV continues to have a black screen and on the iPad the title chosen to play never actually starts playing and stays there forever. If I hit disconnect on the iPad the Chromecast returns to its home screen.
Is anyone else experiencing this behaviour on Chromecast using the HBO GO app just released?
Please, let me know if this is a known bug or it is something else.
Best Regards
Is anyone else experiencing this behaviour on Chromecast using the HBO GO app just released?
Please, let me know if this is a known bug or it is something else.
I am in the USA and HBO Go is working fine on my 'unrooted' Chromecast. Have not tried it on my rooted one yet, but in another post (KyoCast Post, Page 14) a user was reporting problems with his rooted Chromecast if I read things correctly.
Thanks for replying.
This just adds to my suspicion that indeed the HBO GO app behaves differently than the previous one.
The thing is I don't have the resources to search thoroughly, nor the knowledge to discover why this is happening. I don't even own a desktop PC anymore.
HBO GO works as it should on my iPad, Android, Apple TV and Roku.
The issue is when it starts casting. I only get a black screen.
This is not a rooted device. I've been using iptables rules only to bypass geo-blocking.
My hope is that later on someone else discovers what exactly this HBO GO app is doing differently than all the others.
Of course it can be a sort of bug. I already contacted Google to make them aware of this possible issue.
I had the same problem when I attempted to launch a movie without first starting it on my device. If I start playing on my device and then switch to the Chromecast it works fine. Before that it would seem like it wanted to load but did nothing or I got a communication error.
Edit...I have a rooted device but I don't think that should matter.
third son said:
I had the same problem when I attempted to launch a movie without first starting it on my device. If I start playing on my device and then switch to the Chromecast it works fine. Before that it would seem like it wanted to load but did nothing or I got a communication error.
Edit...I have a rooted device but I don't think that should matter.
I already tried that on my iPad. It doesn't work. If I fast-forward a title to, for example, 5 min in when I hit the cast button, my TV screen ends up black and in the HBO GO app the time of the title playing goes back to the start and stays there.
On the Android side I can't attempt this. When I hit the cast button, it keeps trying to connect for one minute or so until it pops up a message saying: Failed to connect to Chromecast. Please try again later.
Your discussion reminded me that I should actually be able to use HBO Go. Thanks! Will try it when I get home...
bhiga said:
Your discussion reminded me that I should actually be able to use HBO Go. Thanks! Will try it when I get home...
Please, would you be kind to confirm (perhaps with a picture) if the HBO GO app has a Welcome/Home screen like the other apps do?
I already contacted Google on this but it will take a while to get "there". Perhaps my serial is blocked or something. The workaround with iptables should have been enough to circumvent geo-blocking. With the exception of HBO GO all other apps do.
BTW, my Chromecast was one of the earliest to be bought and shipped, my serial number starts with 362
I am convinced that somehow my Chromecast isn't talking with the HBO GO app.
No, mine does the same. I am in Canada as well. This whole Chromecast thing is starting to make me think it's time to mothball it for a while. I'll just stick with my 2 Apple TVs that don't require so many hoops.
Kryspy
HbbS said:
Please, would you be kind to confirm (perhaps with a picture) if the HBO GO app has a Welcome/Home screen like the other apps do?
Sorry for the delay, I took a nap...
Yes, HBO Go appears to have a "home" screen that displays when the app is connected but idle.
It's a black screen with just the HBO Go logo in the center.
Sorry for the poor picture, was trying to avoid excessive glare.
Kryspy said:
No, mine does the same. I am in Canada as well. This whole Chromecast thing is starting to make me think it's time to mothball it for a while. I'll just stick with my 2 Apple TVs that don't require so many hoops.
Kryspy
Been there...
There is hope. I bet that someone with the proper knowledge to investigate this will find a workaround. I didn't hear back from Google about the possibility of this being a bug.
But with your post it is getting clear that this is in fact a geo-IP block of sorts happening on the HBO GO app side.
Maybe a possible workaround will be to redirect the exact IP or IPs the HBO GO app is using to independently check for geo-blocking.
I don't have the exact knowledge to do just that, but I looked into the traffic in my network while using HBO GO in cast mode and there are some HBO GO IPs in action and then the traffic stops completely on the HBO GO side.
Could anyone here with more knowledge have a look into it?
bhiga said:
Sorry for the delay, I took a nap...
Yes, HBO Go appears to have a "home" screen that displays when the app is connected but idle.
It's a black screen with just the HBO Go logo in the center.
Sorry for the poor picture, was trying to avoid excessive glare.
Thank you bhiga.
It is getting clear by the minute that this is a geo-block in action.
I know this could seem a minor issue right now, because HBO GO (US) subscriptions outside the USA are something restricted, but the possibility of this enforcement policy on the application side being used as a norm for future apps, or even updated versions of the ones already working, is troublesome for everyone.
I think you're redirecting your Chromecast's DNS requests through your ISP, rather than Google's DNS.
But I'm running PwnedCast which lets my Chromecast use my DHCP-supplied DNS, so DNS-wise both our Chromecasts are using ISP-supplied DNS.
HBO Go works for me, and doesn't for you.
At least that means HBO Go isn't reliant on the Google DNS specifically...
Then again, I'm also running KyoCast which bypasses the Google app gateway...
Will have to wait to hear from someone outside of the US with a rooted Chromecast to report in, but my current guess is that the Google app gateway is detecting where you're coming from. If that's the case, then this definitely could be extended to future applications, essentially applying a Geo-IP block at the application level, rather than just the DNS level.
This is my iptables script (I have 2 Chromecasts), static IP for both, running DD-WRT. Unotelly DNS servers are set up as my default DNS in my router.
iptables -I PREROUTING -t nat -p udp -s 192.168.1.125 -d 8.8.4.4 --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -I PREROUTING -t nat -p udp -s 192.168.1.125 -d 8.8.8.8 --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -I PREROUTING -t nat -p udp -s 192.168.1.130 -d 8.8.4.4 --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -I PREROUTING -t nat -p udp -s 192.168.1.130 -d 8.8.8.8 --dport 53 -j DNAT --to-destination 192.168.1.1
I too just get the black screen on HBO Go. I am in Canada. Hulu Plus, Netflix US and Pandora all work fine.
Kryspy
Kryspy said:
This is my iptables script (I have 2 Chromecasts), static IP for both, running DD-WRT. Unotelly DNS servers are set up as my default DNS in my router.
iptables -I PREROUTING -t nat -p udp -s 192.168.1.125 -d 8.8.4.4 --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -I PREROUTING -t nat -p udp -s 192.168.1.125 -d 8.8.8.8 --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -I PREROUTING -t nat -p udp -s 192.168.1.130 -d 8.8.4.4 --dport 53 -j DNAT --to-destination 192.168.1.1
iptables -I PREROUTING -t nat -p udp -s 192.168.1.130 -d 8.8.8.8 --dport 53 -j DNAT --to-destination 192.168.1.1
I too just get the black screen on HBO Go. I am in Canada. Hulu Plus, Netflix US and Pandora all work fine.
Kryspy
My iptables setup is almost identical, except for two Chromecasts. I do also use Unotelly.
I am "kind of glad" to see someone else having this issue. We need to research a way to bypass this. There must be a way.
It is certainly done by IP. We need to redirect these IPs to our DNS of choice.
Are your Chromecasts rooted or do you use KyoCast?
My firmware is already the latest one, but I remember reading somewhere that some chromecasts with old serial numbers can be rooted.
My serial number starts with 326.
I never attempted to root it. In fact I don't even own a PC/notebook anymore.
For me this issue is a real pain. Of all apps HBO GO was the one I was most eager for.
Neither of my Chromecasts is rooted. Just having the same problem as you are with HBO GO. Luckily I never got rid of my Apple TVs. Both of them are back in service and I even got PlexConnect set up on them once more.
The Apple TV are proving to be far more useful to me at the moment.
I think the answer may lie in the hardcoded Google DNS. The app refuses any stream originating from anywhere else other than the Google DNS.
Kryspy
@HbbS since your Chromecast is already on the latest firmware it's no longer root-able, though it probably was fresh out of the box, sorry.
@Kryspy my Chromecasts are using my ISP's DNS thanks to PwnedCast, and my HBO Go works, but I'm in the US.
So I think there's a regional split somewhere else on the path. Maybe there's a secondary lookup or callback somewhere.
bhiga said:
@HbbS since your Chromecast is already on the latest firmware it's no longer root-able, though it probably was fresh out of the box, sorry.
@Kryspy my Chromecasts are using my ISP's DNS thanks to PwnedCast, and my HBO Go works, but I'm in the US.
So I think there's a regional split somewhere else on the path. Maybe there's a secondary lookup or callback somewhere.
bhiga,
Good point about them working with your ISP DNS. Must be something else then.
Kryspy
I've finally heard back from Google. But I doubt it will be of any help.
Here it is: Thank you for contacting Google! There is an ongoing issue with that router. Your IGMP proxy needs to be disabled in your router settings and you would need to contact Verizon for further assistance.
Well, obviously I am not a Verizon client myself. There is little help here, at least I think. Or could I be wrong?
Kryspy, bhiga and everyone else who participated:
That is it!
A couple of days ago I decided to take a shot and wrote to Unotelly explaining what I thought was happening about this situation with HBO GO on Chromecast.
They really took the time to read my long email and decided to research it.
Today they asked me to make another try and it is indeed working. It needs a little bit of speed improvement using the Chromecast. But maybe it is a software issue. I remember when the Hulu Plus support was added it was a little slower.
So, here it is. Finally it is working!
I wish to make an acknowledgment to Unotelly Customer Support, they really surprised me this time.
As a customer, the thing I value most is being taken seriously. Congrats.
Alright!! Great to see you found a solution.
I wonder if Unlocator and other DNS-abstraction services will need to make similar changes to allow HBO Go.
Related
Hi all,
Hope you can help me with this question.
How can I set up an SSH tunnel on the Kindle and change the system proxy to point to localhost:8080?
I am outside the US but have a Netflix account that I would like to access. Normally I would just tunnel into my US webhost, set the global proxy to localhost:80 for web requests and Netflix would see me with a US IP.
I have tried various things using the app SSH Tunnel but it does not seem to establish a connection.
ConnectBot runs fine and connects to the server via SSH, so I am just looking for a way to establish the tunnel. This should probably work via a terminal using ssh -p 22 -L 8080:localhost:3128 -l user hostname.com... or something alike.
That still leaves me with the question of how to change the global proxy.
I can't find anything in the settings and am too new to the whole Android infrastructure. I'm sure this is located in a file somewhere, no?
Has anyone managed to get this to work somehow?
I don't really want to use an app like Hotspot Shield or the like because usually they can't cope with the streaming bandwidth or require you to pay for a premium account.
Why pay when I am paying for my webhost already, right?
Edit: update
I can now open and connect SSH to my server after installing DroidSSH and copying the ssh command to system/bin.
Using a terminal emulator I can ssh but the tunnel fails: ssh: failed local port forward (null):8080
Not very firm with the commands but I used: ssh -p 22 -L 8080:localhost:3128 -l username hostname
I also realised I can set "global" proxy settings via the wireless connection. This seems to be working fine but I think I'm screwing up the ssh command.
Ok so a while back I discovered that after you gain root access to the BIONIC (probably works with others too, idk...) you can make changes to iptables. For those who don't know what that is: it's a built-in firewall that handles packets as they come in and leave your phone. This is pretty much the de facto standard for any Linux machine to date (please enlighten me if I'm wrong). Anyhow, after discovering this I came up with an idea to see if I could pipe my hotspot directly into my OpenVPN tunnel. Well, after a bit of web research on how iptables works I was able to get it up and running. HOWEVER I'm not an expert at this yet, and my config definitely has a flaw in the fact that I leave the phone completely vulnerable on the "rmnetX" interface, as I completely flush the old tables to add mine, leaving the firewall WIDE OPEN. I'll post a fix as soon as I can come up with one. In the meantime here are the steps to take to get your phone to be a hotspot access point to your OpenVPN network!
**PHONE MUST HAVE ROOT!!!!***
1) Follow along and setup an OpenVPN server http://openvpn.net/howto.html
2) Install "OpenVPN Installer" and "OpenVPN settings" from Google Play marketplace (both are free)
3) Run OpenVPN Installer and install OpenVPN client to your phone. The defaults should be fine.
4) Create a folder called "openvpn" on the root of your INTERNAL sdcard, i.e. "/sdcard/openvpn".
5) Copy your client keys that you made during your OpenVPN setup to your phone into the /sdcard/openvpn directory (client.crt, client.key, ca.crt, and ta.key)
6) Copy over the client.conf file as well. You will need to tweak this a bit to call your certs from the /sdcard/openvpn folder as well as putting in the public IP to connect to. Keep in mind if you are doing this at home you will need to PAT/NAT this connection across your firewall on UDP port 1194.
7) Ok, at this point you just want to make sure your OpenVPN connection works. So open up OpenVPN Settings and try to connect to your VPN; if you can connect and browse to shares inside your network over the 4G connection, EXCELLENT! MOVE ON! If not, refer to the OpenVPN HOW TO!!!
8) After that's done you need to get the Verizon HotSpot Tether working. There's a hack for it on the web. Google "BIONIC Hotspot SQLite Editor"... in the meantime I'll try and walk you through it.
a) get SQLite Editor from Google Play
b) open it and scroll down to "Settings Storage" (the one with the hammer icon), open "settings.db", then click settings. You should see a long list of database entries. Click the magnifying glass and under "Filter Value" type "check".
c) you should then see 4 results, one being "entitlement_check". Long press on the "1" next to "entitlement_check". Click "Edit Field" and change the "1" to a "0".
d) Reboot and try running the stock "Hotspot" app, it should work now!
9) Run the Hotspot app and confirm it works properly and can connect clients.
10) After you have a working Hotspot and a work OpenVPN you can then start the iptables magic!!!
**This is fairly safe, no need to worry about bricking just reboot if you screw up!***
11) Download and install "Android Terminal Emulator" and run it.
12) at the prompt type in "su" to gain super user access
13) you should now be at a root shell ("#") NOT $
14) at the prompt(#) type this: iptables -S <-This shows you the entire iptables rules, as you can see it's crazy complicated!
15) Run OpenVPN and Hotspot and confirm both are connected and running before issuing rule changes in iptables. So run both applications now.
16) Confirm VPN is connected and Hotspot is running by issuing the command "busybox ifconfig". If your VPN is up you will have a "tun0" interface and if the Hotspot is up there should be a "wlan1" interface.
17) If both are up then all you need to do in order to give hotspot clients access to your VPN resources is this:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i tun0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan1 -o tun0 -m state --state INVALID -j DROP
iptables -A FORWARD -i wlan1 -o tun0 -j ACCEPT
The first 10 commands flush your old iptables, and the last 3 commands masquerade your wlan1 interface to your tun0 interface, funneling your clients down the VPN. Keep in mind that you will have to allow this via your OpenVPN server.conf file. See the HOWTO for OpenVPN.
Enjoy!!!
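As an added example (not the poster's script), here is a variant of the step 17 rule set that addresses the flaw the post itself acknowledges: it does not flush Android's own chains or set the policies to ACCEPT, it drops unsolicited inbound traffic on the mobile-data interface, it forwards hotspot clients only into the tunnel (so they are cut off rather than leaked to mobile data if tun0 goes down), and it can be removed again with "undo". The interface names tun0 and wlan1 come from the post; rmnet0 is an assumption to confirm with busybox ifconfig, and the chain and function names are my own.

```shell
#!/bin/sh
# Added example (not the poster's script): hotspot-to-VPN forwarding that does not
# flush Android's own chains or open the INPUT/FORWARD/OUTPUT policies.
# Assumptions (confirm with "busybox ifconfig"): tun0 = OpenVPN, wlan1 = hotspot,
# rmnet0 = mobile data. Run as root: "sh vpnhs.sh show|apply|undo".
set -eu

VPN_IF="${VPN_IF:-tun0}"
AP_IF="${AP_IF:-wlan1}"
WAN_IF="${WAN_IF:-rmnet0}"
IPT="${IPT:-iptables}"

# Emit the rule set as text so it can be reviewed (and tested) before it runs.
# vpnhs_in: on mobile data only replies to the phone's own connections (the
#   OpenVPN handshake included) get in; unsolicited inbound is dropped.
# vpnhs_fwd: hotspot clients may only talk into the tunnel and receive replies
#   from it; the two trailing DROPs stop a leak to mobile data if tun0 is down.
# MASQUERADE hides the hotspot subnet behind the tunnel address; delete that
#   line if the OpenVPN server routes the hotspot subnet instead, as in the post.
vpnhs_rules() {
    vpn="$1"; ap="$2"; wan="$3"
    cat <<EOF
$IPT -N vpnhs_in
$IPT -N vpnhs_fwd
$IPT -A vpnhs_in -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A vpnhs_in -i $wan -j DROP
$IPT -A vpnhs_fwd -m state --state INVALID -j DROP
$IPT -A vpnhs_fwd -i $ap -o $vpn -j ACCEPT
$IPT -A vpnhs_fwd -i $vpn -o $ap -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A vpnhs_fwd -i $ap -j DROP
$IPT -A vpnhs_fwd -o $ap -j DROP
$IPT -I INPUT 1 -j vpnhs_in
$IPT -I FORWARD 1 -j vpnhs_fwd
$IPT -t nat -A POSTROUTING -o $vpn -j MASQUERADE
EOF
}

# Removal only touches our own chains and jumps; Android's rules stay intact.
vpnhs_undo_rules() {
    vpn="$1"
    cat <<EOF
$IPT -D INPUT -j vpnhs_in 2>/dev/null || true
$IPT -D FORWARD -j vpnhs_fwd 2>/dev/null || true
$IPT -t nat -D POSTROUTING -o $vpn -j MASQUERADE 2>/dev/null || true
$IPT -F vpnhs_in 2>/dev/null || true
$IPT -X vpnhs_in 2>/dev/null || true
$IPT -F vpnhs_fwd 2>/dev/null || true
$IPT -X vpnhs_fwd 2>/dev/null || true
EOF
}

# Refuse to apply rules against an interface that is not up (step 16's check).
require_iface() {
    [ -d "/sys/class/net/$1" ] || { echo "interface $1 is not up" >&2; exit 1; }
}

case "${1:-}" in
    show)  vpnhs_rules "$VPN_IF" "$AP_IF" "$WAN_IF" ;;
    apply) require_iface "$VPN_IF"; require_iface "$AP_IF"
           vpnhs_undo_rules "$VPN_IF" | sh          # makes re-applying idempotent
           vpnhs_rules "$VPN_IF" "$AP_IF" "$WAN_IF" | sh -e ;;
    undo)  vpnhs_undo_rules "$VPN_IF" | sh ;;
esac
```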
I am confused and would like to know why we want net on VPN if we have WiFi hack for a router
Could we link a COM port on Bochs emulated Windows XP?
With the WiFi hack edit or tether for root user you can use this "ip addr add" like below to add router capabilities, or change wlan0 to your phone's 4G rmnet or tun0 to add a router to any connection. Can you tell us what we would use VPN for? Give an example.
su
ip addr add 192.168.1.0/24 dev wlan0
http://www.filedropper.com/comgooglecodeandroidwifitether-1
I use this apk to WiFi tether, same as a WiFi router. It will probably need root to use it, I am not sure, but you don't need to type: ip addr add 192.168.1.0/24 dev wlan0. I do just because it helps make good connections for most WiFi devices.
This will make your WiFi capable of being used as a router. You still need root WiFi tether or the hotspot hack like you posted, but this makes wlan0 a router.
I mainly use this to share files that I have on my NAS at home with friends at work. First I create a hotspot, then I connect my VPN, then I masquerade the traffic. On the server side my OpenVPN configuration is set up so that it trusts a specific subnet coming from behind the OpenVPN host (i.e. my phone's hotspot subnet). This provides a nice and easy means of giving friends controlled access via your mobile hotspot without needing to generate RSA keys for each of your friends. Another thing I like to use it for is when I travel: I just set it up in the corner and watch movies from home on my laptop over the VPN through the hotspot.
-Ed
DroidisLINUX said:
I am confused and would like to know why we want net on VPN if we have WiFi hack for a router
Could we link a COM port on Bochs emulated Windows XP?
With the WiFi hack edit or tether for root user you can use this "ip addr add" like below to add router capabilities, or change wlan0 to your phone's 4G rmnet or tun0 to add a router to any connection. Can you tell us what we would use VPN for? Give an example.
su
ip addr add 192.168.1.0/24 dev wlan0
http://www.filedropper.com/comgooglecodeandroidwifitether-1
I use this apk to WiFi tether, same as a WiFi router. It will probably need root to use it, I am not sure, but you don't need to type: ip addr add 192.168.1.0/24 dev wlan0. I do just because it helps make good connections for most WiFi devices.
This will make your WiFi capable of being used as a router. You still need root WiFi tether or the hotspot hack like you posted, but this makes wlan0 a router.
edw00rd said:
I mainly use this to share files that I have on my NAS at home with friends at work. First I create a hotspot, then I connect my VPN, then I masquerade the traffic. On the server side my OpenVPN configuration is set up so that it trusts a specific subnet coming from behind the OpenVPN host (i.e. my phone's hotspot subnet). This provides a nice and easy means of giving friends controlled access via your mobile hotspot without needing to generate RSA keys for each of your friends. Another thing I like to use it for is when I travel: I just set it up in the corner and watch movies from home on my laptop over the VPN through the hotspot.
-Ed
Or you could get Qloud Media Server, and be able to assign access to different sets of folders in your home network using username/passwords. And it costs $3.00 or $0.00 if you have a getjar pass.
This is a really cool idea, thanks for sharing.
On a somewhat unrelated note, is the VirtualBox method still the preferred means of rooting a Bionic on 4.1.2 (98.72.22)? Trying to figure out how easily I can root a friend's phone but I can't really find any consolidated source of up-to-date information. =\
TweakerL said:
Or you could get Qloud Media Server, and be able to assign access to different sets of folders in your home network using username/passwords. And it costs $3.00 or $0.00 if you have a getjar pass.
I think you might be confusing folder access/authentication with network access/authentication. The VPN would give you access to your network remotely via 4G/3G and yes, I suppose you could use the Qloud Media Server to provide access to folders. I'm not really sure what that is, never used it, but it sounds like something that provides a service via a third party to get access to you remotely. The third party is avoided altogether with the VPN solution. You don't have to give any sort of ingress access to any third-party app. Your phone will think it's part of your home network. Also someone asked about having the network bridged when you have a WiFi hack... it would be purely up to you whether or not you'd want your HTTP traffic to go through the VPN or not... that's different than what I'm providing here. This is strictly for using your phone as a WiFi hotspot router that forwards all of your traffic to your VPN connection (i.e. your house) so that connected WiFi clients would be accessible via your home network and vice versa. You could also just make a VPN hotspot and generate RSA keys for each host connecting to the hotspot.... your choice. Mine works better in a way that I maintain constant view over every device including the phone that is acting as the VPN MiFi hotspot. :silly:
How to undo this? I can't connect my hotspot.
Using the already available information on the internet and a few threads of this XDA forum, I figured out how to get Netflix working in Switzerland, without having to use a VPN service.
DISCLAIMER: This is not a replacement for a VPN service and its functionality, but an alternative way to use geoblocked websites outside their origin countries. This workaround needs you to have either a DD-WRT router or at least a router on which you can configure iptables via CLI.
Sign up for the free beta at Unlocator
You will need admin access to your home router. Connect to this router via web interface or command line whichever is applicable.
Follow Setup Guides for Multiple Devices and setup your home router with the Unlocator DNS IPs
Follow How to Setup DD-WRT to Work With Chromecast
I didn't have a DD-WRT router but with admin access I could use the commands in the previous step on the command line of my TP-Link W8960N router.
You can replace the DNS IPs in these commands with any other service that you are using for eg. Unblock-US
Code:
iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 185.37.37.37
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination 185.37.37.185
Edit: Due to some problems with newer Netflix app versions on the Chromecast build 19084 these iptables rules seem to be a better option. They redirect only DNS requests made to Google servers to the server of your choice
Code:
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 185.37.37.37
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 185.37.37.37
Try playing any Netflix content in the Chrome browser, and use the Netflix player's Chromecast button to cast your content. It will work without any issues as your Chromecast will be able to bypass having to query Google's DNS and query Unlocator's DNS.
You can now try the same from any Android or iOS device using the appropriate Netflix app. (You can find the Netflix apk here)
Happy Netflixing! :highfive:
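An added audit helper, not from either thread, for the two styles of DNAT rule seen above (Kryspy's per-host rules scoped with -s, and the -i br0 pair here that has no source match): it reads the output of iptables -t nat -S PREROUTING and lists every DNAT rule that can capture DNS, whom it applies to and where it sends the query, flagging rules with no -s as CATCH-ALL, since those hand every LAN client's lookups to the chosen resolver, not just the Chromecast's. The embedded rule text is a constructed sample in the shape of those posts (the port-80 rule and 192.168.1.2 are made up to show non-DNS rules being skipped); function and variable names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the threads): read "iptables -t nat -S PREROUTING"
# output and list every DNAT rule that can capture DNS, who it applies to, and
# whether it is a LAN-wide catch-all (no -s source match).
set -eu

# Constructed sample in the shape of the rule sets posted above: per-host rules
# for one Chromecast, a br0-wide pair, a whole-host redirect, and one non-DNS rule.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -s 192.168.1.125/32 -d 8.8.8.8/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -s 192.168.1.125/32 -d 8.8.4.4/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 185.37.37.37
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 185.37.37.37
-A PREROUTING -d 8.8.8.8/32 -j DNAT --to-destination 185.37.37.37
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2'

# Reads rules on stdin, prints one summary line per DNS-capable DNAT rule.
dns_redirects() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        src = "ANY"; dst = "ANY"; iface = "ANY"; proto = "all"; port = "all"
        to = ""; isdnat = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j" && $(i + 1) == "DNAT") isdnat = 1
            else if ($i == "--to-destination") to = $(i + 1)
        }
        # Keep only DNAT rules that can catch DNS: port 53, or no port match at
        # all (a whole-host redirect like "-d 8.8.8.8 -j DNAT" also swallows DNS).
        if (!isdnat || (port != "53" && port != "all")) next
        sub(/\/32$/, "", src); sub(/\/32$/, "", dst)
        line = "src=" src " dst=" dst " iface=" iface " proto=" proto " port=" port " to=" to
        if (src == "ANY") line = line " CATCH-ALL"
        print line
    }'
}

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_RULES" | dns_redirects ;;
    audit) dns_redirects ;;   # e.g. iptables -t nat -S PREROUTING | sh dns_audit.sh audit
esac
```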
Here are detailed and confirmed working steps to:
Configure a router running Tomato firmware.
Configure a router running OpenWRT firmware
rufree2talk said:
Using the already available information on the internet and a few threads of this XDA forum, I figured out how to get Netflix working in Switzerland, without having to use a VPN service.
DISCLAIMER: This is not a replacement for a VPN service and its functionality, but an alternative way to use geoblocked websites outside their origin countries. This workaround needs you to have either a DD-WRT router or at least a router on which you can configure iptables via CLI.
Sign up for the free beta at Unlocator
You will need admin access to your home router. Connect to this router via web interface or command line whichever is applicable.
Follow How to Setup DD-WRT to Work With Chromecast
I didn't have a DD-WRT router but with admin access I could use the commands in the previous step on the command line of my TP-Link W8960N router.
Use a free VPN service like Tunnelbear on your Android/iOS device or PC/Mac to connect to Netflix and setup your account. You can use any Credit Card as long as you provide the correct name and verification code. You can use any random USA based ZIP code.
I went ahead and created another iptables rule to force using Unlocator's DNS for all DNS queries via my router, hence making the need for this VPN step redundant. I can now access netflix.com without any VPN connection.
Try playing any Netflix content in the Chrome browser, and use the Netflix player's Chromecast button to cast your content. It will work without any issues as your Chromecast will be able to bypass having to query Google's DNS and query Unlocator's DNS.
You can now try the same from any Android or iOS device using the appropriate Netflix app. (You can find the Netflix apk here)
Happy Netflixing! :highfive:
WOW,
I can confirm that this works from Norway!
Thanks a a lot for the tips about unlocator. Have not heard about them before.
Jo Christian
jochr said:
WOW,
I can confirm that this works from Norway!
Thanks a a lot for the tips about unlocator. Have not heard about them before.
Jo Christian
Thanks for confirming this! Glad to know it worked for you. Even I chanced upon Unlocator by a Google search on DNS spoofing. I think they are quite new as the Beta channel was launched just around the end of July this year.
Free VPN through the Netherlands
Username:free
Password:1492
Sent from my SPH-L720 using xda app-developers app
Works out of the box from Denmark
Chromecast netflix works out of the box from Denmark, subtitles and everything. Is it because you use a US Netflix instead of a local one?
xylifyx said:
Chromecast netflix works out of the box from Denmark, subtitles and everything. Is it because you use a US Netflix instead of a local one?
Well that is because Netflix has a Danish website to begin with. I am located in Switzerland, where there is no Netflix or anything even remotely similar.
Even then, if at any time you feel that the content on the Danish Netflix is outdated as compared to the USA Netflix, you could use the information in the first post to access the USA Netflix. I heard Netflix launched in Netherlands today, but it doesn't have a lot of latest content especially for TV shows.
As a matter of fact, if you have an Unlocator account, you can switch to any country's Netflix, by just selecting it from your Channel Settings page
Why not use the Orbot method? Works for me, but must be rooted. Just turn on Orbot on your phone or tablet and use any geoblocked app you want. Have to set the specific exit nodes for the US, but after the setup everything runs smoothly. I prefer this method; that way I choose which apps use Orbot and avoid bouncing private info off unknown servers. The only issue is when using Netflix through Orbot I get no cast button.
I'm using Netflix Brazil without VPN
Sent from my C6503 using Tapatalk 4
vinaaa said:
I'm using Netflix Brazil without VPN
Well congratulations to you! On the other hand being able to access Netflix Brazil while sitting in São Paulo ain't much of a mean feat :silly:
This tutorial is meant for two kinds of people:
users like myself who happen to be in a country where Netflix isn't available
users like you who happen to be in a Netflix supported country, but would like to access the Netflix content of another country
Entende? :highfive:
rufree2talk said:
Well congratulations to you! On the other hand being able to access Netflix Brazil while sitting in São Paulo ain't much of a mean feat :silly:
This tutorial is meant for two kinds of people:
users like myself who happen to be in a country where Netflix isn't available
users like you who happen to be in a Netflix supported country, but would like to access the Netflix content of another country
Entende? :highfive:
Don't know why you are having that attitude, but I appreciate his comment. I'm outside the US and Chromecast supposedly only worked with Netflix US. Glad to know it's not the case.
mayhemrules said:
Don't know why you are having that attitude, but I appreciate his comment. I'm outside the US and Chromecast supposedly only worked with Netflix US. Glad to know it's not the case.
Not true. I have Netflix Dom Rep (and currently reside in the Dom Rep.) and Chromecast works fine. The problem is when I use Orbot to access Netflix US. No Chromecast button. Must be a conflict between the Orbot IP and my ISP/modem IP.
I can't access signup.Netflix.com and android app doesn't open when using Unlocator DNS servers.
EDIT: Ok, got the Android app working. Had to use VPN to sign up, after that it works. Now need to get my router setup for Chromecast. Thanks for the guide rufree2talk!
poisike said:
I can't access signup.Netflix.com and android app doesn't open when using Unlocator DNS servers.
EDIT: Ok, got the Android app working. Had to use VPN to sign up, after that it works. Now need to get my router setup for Chromecast. Thanks for the guide rufree2talk!
You're welcome! As a matter of fact, I have written the guide very poorly. If you had set up your router to begin with, you wouldn't have needed the VPN step to sign up for Netflix. You would have been able to access Netflix without a VPN, sign up and directly access Netflix content!
Thanks, a small query
rufree2talk said:
Using the already available information on the internet and a few threads of this XDA forum, I figured out how to get Netflix working in Switzerland, without having to use a VPN service.
DISCLAIMER: This is not a replacement for a VPN service and its functionality, but an alternative way to use geoblocked websites outside their origin countries. This workaround needs you to have either a DD-WRT router or at least a router on which you can configure iptables via CLI.
Sign up for the free beta at Unlocator
You will need admin access to your home router. Connect to this router via web interface or command line whichever is applicable.
Follow How to Setup DD-WRT to Work With Chromecast
I didn't have a DD-WRT router but with admin access I could use the commands in the previous step on the command line of my TP-Link W8960N router.
Use a free VPN service like Tunnelbear on your Android/iOS device or PC/Mac to connect to Netflix and setup your account. You can use any Credit Card as long as you provide the correct name and verification code. You can use any random USA based ZIP code.
I went ahead and created another iptables rule to force using Unlocator's DNS for all DNS queries via my router, hence making the need for this VPN step redundant. I can now access netflix.com without any VPN connection.
Code:
# --dport is only valid together with a protocol match; DNS queries from the LAN are UDP/53
iptables -t nat -A PREROUTING -p udp -d 192.168.1.1 --dport 53 -j DNAT --to-destination [Unlocator's_DNS_IP]
Try playing any Netflix content in the Chrome browser, and use the Netflix player's Chromecast button to cast your content. It will work without any issues as your Chromecast will be able to bypass having to query Google's DNS and query Unlocator's DNS.
You can now try the same from any Android or iOS device using the appropriate Netflix app. (You can find the Netflix apk here)
Happy Netflixing! :highfive:
Hi Thanks so much for this important post.
Can you please help or suggest what DNS codes I should use in India ?
Regards,
Gunjan
gunjandubey said:
Can you please help or suggest what DNS codes I should use in India ?
India or wherever, you should be using the DNS IPs of the service that you are using. Did you sign up for the Unlocator beta? If so, then you should be using Unlocator's DNS IPs (primary 50.112.186.233 and secondary 50.112.143.40)
Does "tomato" or "gargoyle" third party firmware on wndr3800 allow you to do this?
Nbsss said:
Does "tomato" or "gargoyle" third party firmware on wndr3800 allow you to do this?
Yes I believe it will... this method will work with DD-WRT, Tomato, Gargoyle or any other firmware which gives you proper control of your router... I am not sure what manufacturer/make is the WNDR3800 but if it has a compatible Tomato image you can very well flash it and use this procedure.
Sent from my Galaxy Nexus using Tapatalk 4
rufree2talk said:
Yes I believe it will... this method will work with DD-WRT, Tomato, Gargoyle or any other firmware which gives you proper control of your router... I am not sure what manufacturer/make is the WNDR3800 but if it has a compatible Tomato image you can very well flash it and use this procedure.
Sent from my Galaxy Nexus using Tapatalk 4
Cheers, I've flashed countless android phones but never a router. But I'd change the firmware just for this. Hopefully I don't brick it, should arrive in 3-5 days.
I heard good things about gargoyle, might give that one a try.
Anyone have any tips before I give it a go?
rufree2talk said:
Yes I believe it will... this method will work with DD-WRT, Tomato, Gargoyle or any other firmware which gives you proper control of your router... I am not sure what manufacturer/make is the WNDR3800 but if it has a compatible Tomato image you can very well flash it and use this procedure.
Sent from my Galaxy Nexus using Tapatalk 4
Big thanks for this, I really appreciate it, but can you please tell me what to look for in Tomato firmware to enable the method you mentioned.
Thanks again,
basboss said:
can you please tell me what to look for in Tomato firmware to enable the method you mentioned
I do not have a Tomato router, but the documentation is very easily available on the internet at Tomato Firmware/Menu Reference
Connect to your Tomato router at http://192.168.1.1 as root user:
Go to Basic --> Network --> LAN --> Static DNS and configure Unlocator's DNS IPs (50.112.186.233 and 50.112.143.40) in the first two text boxes
Go to Advanced --> DHCP/DNS --> DNSmasq Custom Configuration and type strict-order in the text box
Go to Administration --> Scripts --> Firewall and add the two lines
Code:
iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 50.112.186.233
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination 50.112.143.40
Save and reboot your router and test whether you are able to open any Geoblocked website for eg. http://signup.netflix.com
TL;DR
My ChromeCast was happily using Unblock US for Netflix for months. It stopped working on Friday. Is it a general problem, or is it just with my setup?
The long version:
I got my ChromeCast before Christmas, and I've been happily using it with multiple Netflix regions using Unblock US. On Friday I started getting the "We're having trouble playing this title" error on some titles, and it looks like my ChromeCast can no longer access non-UK titles.
It worries me that this coincides (sort of) with the official availability of ChromeCast in the UK, and I'm wondering if they've released a new build or service which prevents the use of services like Unblock US.
My ChromeCast is using build 16278 (with a worrying 'Country code GB' that I never noticed before). I'm intercepting access to Google's DNS on my router using the following iptables commands:
iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 208.122.23.22
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination 208.122.23.23
And as I said, these have been working fine for months. I'm also fairly confident that they're still OK, because I've set my tablet to use 8.8.8.8 as the DNS and it can access Netflix US content just fine.
So, my questions:
1. Is there anyone else in the UK using Unblock US to access Netflix using official ChromeCast build 16278? Is it still working for you? (If you want a particular title to try, Supernatural season 6 episode 13 is the one that I first noticed the problem with, although many titles refuse to play.)
2. If it's not working for you either, do you know why?
3. If it is working for you, what should I try next? (I've already done a factory reset, and that didn't make a difference.)
I've been happy with Unblock US but I'm equally happy to move to a different provider if there's a better one.
(I hope this is the right forum - it's where ChromeCast region settings and use of iptables have been discussed in the past. I'm a bit worried that the forum says I'm breaking the rules by asking a question, so if there's a better place for this post please don't be offended by my ignorance and please do let me know!)
Many thanks.
Uh oh. You say you have build 16278? That's new. My U.S. Netflix access still works, but I'm still on build 16041.
Maybe there's no cause for concern yet. The new Country Code was there in build 16041, and in any case I would think it's the Netflix app that would have to change to cause a problem rather than the Chromecast build. But obviously there should be some re-testing with build 16278 as it rolls out. Netflix could have already changed their app, but made it dependent on build 16278 or higher since everyone is going to get that sooner or later.
Regardless of the current situation, long term this Country Code is clearly going to be a problem. It can probably be solved by the DNS proxy services eventually, but until then I wouldn't be buying a Chromecast to use from outside the U.S.
DJames1 said:
Uh oh. You say you have build 16278? That's new. My U.S. Netflix access still works, but I'm still on build 16041.
Maybe there's no cause for concern yet. The new Country Code was there in build 16041, and in any case I would think it's the Netflix app that would have to change to cause a problem rather than the Chromecast build. But obviously there should be some re-testing with build 16278 as it rolls out. Netflix could have already changed their app, but made it dependent on build 16278 or higher since everyone is going to get that sooner or later.
Regardless of the current situation, long term this Country Code is clearly going to be a problem. It can probably be solved by the DNS proxy services eventually, but until then I wouldn't be buying a Chromecast to use from outside the U.S.
I expect we had better get used to this breakage with things like Netflix due to the fact that Google does a tiered rollout of updates and the Apps must also be updated to work with those new updates from time to time.
Netflix I think may be particularly susceptible because I suspect the Netflix Player app may actually be embedded in the device. It's the only app that does not have a LINK in the App list CCast uses to retrieve players.
Perhaps someone from Team Eureka can comment and confirm if that is true or not.
But what seems to be a pattern is Google releases an update, Something breaks and then you see a flood of CCast compat app updates a week or so later. Hopefully once the CCast OS is more mature this breakage will happen less frequently.
Just wanted to point out, sometimes if you change settings on your router or the connection is disrupted randomly, the iptables may get reset and stop intercepting Chromecast DNS requests. Rebooting the router to start the script again helps.
Sent from my Nexus 5 using Tapatalk
Asphyx said:
Netflix I think may be particularly susceptible because I suspect the Netflix Player app may actually be embedded in the device. It's the only app that does not have a LINK in the App list CCast uses to retrieve players.
Perhaps someone from Team Eureka can comment and confirm if that is true or not.
One of them said that Netflix was a separate binary and the only exception to running in a Chrome sandbox, so seems that is the case. It could still be cleverly coded so it wouldn't require a full update unless there was a low level or architecture change.
Asphyx said:
But what seems to be a pattern is Google releases an update, Something breaks and then you see a flood of CCast compat app updates a week or so later. Hopefully once the CCast OS is more mature this breakage will happen less frequently.
Yup... even with the forced updates there's still a period of time when there are units on both old and new versions, DNS caches haven't been updated, etc.
RandomUser6 said:
TL;DR
1. Is there anyone else in the UK using Unblock US to access Netflix using official ChromeCast build 16278? Is it still working for you? (If you want a particular title to try, Supernatural season 6 episode 13 is the one that I first noticed the problem with, although many titles refuse to play.)
Yes - though my CC still says country code US. Tried the Supernatural episode as well and that worked too.
RandomUser6 said:
3. If it is working for you, what should I try next? (I've already done a factory reset, and that didn't make a difference.)
I'm sure you've probably already done this, but have you checked that your current external IP address is active on the unblock-us website?
Some updates
Hi all,
Many thanks for all your responses. Some updates:
I checked the external IP address was active on Unblock US, and it was.
I restarted the router, the ChromeCast and the tablet. It made no difference.
I did another factory reset on the ChromeCast. It made no difference.
I managed to change the Country Code to US. It made no difference.
So I still have the problem and I’m not sure what the differences between my setup and Pully’s are.
The Country Code change is worth a bit more explanation. You all may already know this, or know how this mechanism works, but I didn’t.
* After a factory reset, I couldn’t see the ChromeCast on my tablet to set it up. I could see it with my phone. (My tablet is set to use Google’s DNS - intercepted and redirected to Unblock US’s DNS - rather than my ISP’s, location services are off, and ChromeCast has access to location services turned off in App Ops. My phone just uses regular DNS and has location services turned on.)
* I set the ChromeCast up using my phone, and it set the location (automatically) to GB. I’m not certain of this but I’ve no recollection of choosing the location at this point.
* I couldn’t get things to work and posted here. (Just so you know the timeline.)
* I did a factory reset again, and tried to set ChromeCast up using the tablet again. It still couldn’t see the reset ChromeCast. Then I changed App Ops on the tablet to allow access to location services, and it could suddenly see the ChromeCast to set it up. Location services were still turned off on the tablet, but it seems turning it off in App Ops interfered with it seeing the reset ChromeCast.
* When I tried to set it up with the tablet - now that it could see it - as part of the setup process it gave me a drop down to choose the location. I chose US. (I’ve also set it to EST/New York time and language to English (United States).)
So the upshot is: I believe you can set the Country Code in build 16278 if you set it up using a device that has location services turned off, but not blocked by App Ops.
Unfortunately I’m still no further on with my Netflix problem and I’m running out of things to try.
How long does the US Country Code stick? Does it reset to GB when you power-cycle the Chromecast?
Maybe it's time to broaden your experiments to identify where the problem lies.
Instead of relying on the iptables commands you could try the static-route-to-nowhere method to block Google DNS and put the DNS addresses in your router fields for the moment. See if that makes a difference.
For an alternative DNS you could sign up for a 1-week trial with one of the others like Unotelly, or else try the free DNS services currently offered by SmartDNSProxy or Tunnelto.us. I have confirmed that they work with Netflix on the Chromecast.
If neither of those things work, at least you have eliminated some possibilities.
Right now tunnelto.us is working for me, whereas Unlocator broke some time ago. SmartDNSProxy is also not working for me.
Sent from my Nexus 5 using Tapatalk
It works now!
Hi folks,
I have it working now (thanks!) and have a bit more information. Some of this is just my supposition of what’s going on.
First of all, Country Code sticks between power-cycles without any problems. Time zone and language don’t seem to have any impact either. Also, I honestly have no idea whether Country Code has any effect at the minute. It might still be a red herring, or a problem for the future.
The fix was related to an idea DJames1 had. I changed my iptables to use tunnelto.us and it didn’t work either. So I tried setting the router to use Unblock US as the main DNS as well as in iptables, and it worked.
As I said before, this worked fine for months up until Friday. I don’t know if it’s the new build or something else, but I believe that something is now verifying(?) DNS using the DHCP-supplied DNS as well as Google’s hard-coded DNS.
I don’t want all machines on my home network using Unblock US’s DNS, so I updated my router config to supply Unblock US DNS entries via DHCP just to the ChromeCast. This works fine. If you want to do the same, and you’re using DD-WRT, just add this to your Additional DNSMasq Options:
dhcp-option=altdns,6,208.122.23.23,208.122.23.22
dhcp-host=#ChromeCast MAC Address#,net:altdns
Obviously you need to change #ChromeCast MAC Address# to the MAC address of your own ChromeCast. And if you want to use other DNS entries instead of Unblock US, just change the two IP addresses in the first line.
I’m sure there are other ways of achieving the same ends, but this worked for me. And the easiest option is just to use Unblock US as the DNS for your router/DHCP as well as the iptables entries.
I hope this helps anyone else who has the same problem. Many thanks for your help and advice.
RandomUser6 said:
I hope this helps anyone else who has the same problem. Many thanks for your help and advice.
Is there any chance that the CC is now using the DHCP given DNS addresses and is NOT hardcoding to 8.8.8.8 any more?
generationgav said:
Is there any chance that the CC is now using the DHCP given DNS addresses and is NOT hardcoding to 8.8.8.8 any more?
I can't say but it would make some sense that the DNS used will change depending on the Country Code of the device.
So a CCast in the UK might use a hardcoded DNS for GoogleUK server as opposed to a US server....
You're right!
generationgav said:
Is there any chance that the CC is now using the DHCP given DNS addresses and is NOT hardcoding to 8.8.8.8 any more?
Well now that's an incredibly good question! I'm embarrassed that that didn't occur to me and I didn't check it.
So, I deleted my iptables setup, set my tablet to use Unblock US DNS's directly (instead of using 8.8.8.8 and having that translated), and it still works.
It seems you're right. My router is providing Unblock US DNS to the ChromeCast via DHCP, and (I think) that's it. That's the only non-standard bit.
So, yes, it looks to me like it's now just taking the DHCP DNS and using that instead of Google's hardcoded DNS.
Thanks for figuring this out! (I'm still a bit embarrassed I didn't notice it.)
RandomUser6 said:
Well now that's an incredibly good question! I'm embarrassed that that didn't occur to me and I didn't check it.
So, I deleted my iptables setup, set my tablet to use Unblock US DNS's directly (instead of using 8.8.8.8 and having that translated), and it still works.
It seems you're right. My router is providing Unblock US DNS to the ChromeCast via DHCP, and (I think) that's it. That's the only non-standard bit.
So, yes, it looks to me like it's now just taking the DHCP DNS and using that instead of Google's hardcoded DNS.
Thanks for figuring this out! (I'm still a bit embarrassed I didn't notice it.)
Interesting. My Chromecast in Canada definitely is still using Google's hard coded DNS, but the firmware version still isn't the newer one you've reported.
Sent from my Nexus 5 using Tapatalk
RandomUser6 said:
So, yes, it looks to me like it's now just taking the DHCP DNS and using that instead of Google's hardcoded DNS.
That’s not the case with my Chromecast (Spanish, not imported, with up-to-date firmware, 16041 IIRC):
Code:
[email protected]:~# tcpdump -nli br-lan host 10.12.30.1 and port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 65535 bytes
18:01:05.016228 IP 10.12.30.1.37745 > 8.8.8.8.53: 35107+ A? lh3.googleusercontent.com. (43)
18:01:05.061083 IP 8.8.8.8.53 > 10.12.30.1.37745: 35107 4/0/0 CNAME googlehosted.l.googleusercontent.com., A 173.194.34.235, A 173.194.34.236, A 173.194.34.234 (120)
18:02:12.584606 IP 10.12.30.1.42801 > 8.8.8.8.53: 49188+ A? clients3.google.com. (37)
18:02:12.626840 IP 8.8.8.8.53 > 10.12.30.1.42801: 49188 12/0/0 CNAME clients.l.google.com., A 173.194.41.9, A 173.194.41.0, A 173.194.41.5, A 173.194.41.1, A 173.194.41.4, A 173.194.41.6, A 173.194.41.7, A 173.194.41.2, A 173.194.41.14, A 173.194.41.8, A 173.194.41.3 (237)
18:03:06.852570 IP 10.12.30.1.54056 > 8.8.8.8.53: 18326+ A? lh4.googleusercontent.com. (43)
18:03:06.898487 IP 8.8.8.8.53 > 10.12.30.1.54056: 18326 4/0/0 CNAME googlehosted.l.googleusercontent.com., A 173.194.41.10, A 173.194.41.11, A 173.194.41.12 (120)
18:05:09.640580 IP 10.12.30.1.53769 > 8.8.8.8.53: 61549+ A? clients3.google.com. (37)
18:05:09.687719 IP 8.8.8.8.53 > 10.12.30.1.53769: 61549 12/0/0 CNAME clients.l.google.com., A 173.194.41.224, A 173.194.41.233, A 173.194.41.230, A 173.194.41.229, A 173.194.41.228, A 173.194.41.227, A 173.194.41.238, A 173.194.41.231, A 173.194.41.232, A 173.194.41.225, A 173.194.41.226 (237)
18:05:09.913235 IP 10.12.30.1.43963 > 8.8.8.8.53: 14131+ A? lh5.googleusercontent.com. (43)
18:05:09.954725 IP 8.8.8.8.53 > 10.12.30.1.43963: 14131 4/0/0 CNAME googlehosted.l.googleusercontent.com., A 173.194.41.10, A 173.194.41.12, A 173.194.41.11 (120)
My router’s dhcp server tells the clients on my network (including my chromecast) that they should use 10.12.0.1 as their dns server.
As you can see in tcpdump output above, the chromecast (10.12.30.1) is ignoring that and using 8.8.8.8.
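As an added example (not part of the thread), a small Python script that parses tcpdump lines of the shape quoted above and reports which LAN clients are sending DNS queries to a resolver other than the one DHCP handed out, which is exactly the check the post above did by eye. The sample capture, the client addresses and the sanctioned resolver 10.12.0.1 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample capture in the shape of the tcpdump output quoted above:
# 10.12.30.1 (the Chromecast) asks 8.8.8.8 directly, 10.12.30.7 uses the
# DHCP-assigned resolver 10.12.0.1, and a third constructed client 10.12.30.9
# talks to 1.1.1.1.  This is not a real capture.
SAMPLE_CAPTURE = """\
18:01:05.016228 IP 10.12.30.1.37745 > 8.8.8.8.53: 35107+ A? lh3.googleusercontent.com. (43)
18:01:05.061083 IP 8.8.8.8.53 > 10.12.30.1.37745: 35107 4/0/0 CNAME googlehosted.l.googleusercontent.com., A 173.194.34.235 (120)
18:01:07.100000 IP 10.12.30.7.51234 > 10.12.0.1.53: 1234+ A? example.com. (29)
18:01:07.110000 IP 10.12.0.1.53 > 10.12.30.7.51234: 1234 1/0/0 A 93.184.216.34 (45)
18:02:12.584606 IP 10.12.30.1.42801 > 8.8.8.8.53: 49188+ A? clients3.google.com. (37)
18:02:20.000000 IP 10.12.30.9.40000 > 1.1.1.1.53: 777+ AAAA? example.net. (29)
"""

# Matches only query lines (the 'A?' / 'AAAA?' form).  tcpdump prints answers
# as '<id> <ancount>/<nscount>/<arcount> ...', which this pattern rejects.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+? (?P<qtype>\w+)\? (?P<qname>\S+) "
)


def parse_dns_queries(capture_text):
    """Yield (timestamp, client, resolver, qtype, qname) for each DNS query line."""
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], m["qtype"], m["qname"].rstrip(".")


def find_resolver_bypass(capture_text, sanctioned_resolvers):
    """Map each client that queried an unsanctioned resolver to {resolver: count}.

    sanctioned_resolvers is the set of resolver IPs handed out by DHCP (or
    otherwise expected); anything else is a device ignoring the local setting.
    """
    per_client = defaultdict(lambda: defaultdict(int))
    for _ts, client, resolver, _qtype, _qname in parse_dns_queries(capture_text):
        if resolver not in sanctioned_resolvers:
            per_client[client][resolver] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


if __name__ == "__main__":
    # Real use: save 'tcpdump -nli br-lan port 53' output to a file and feed it in.
    for client, counts in find_resolver_bypass(SAMPLE_CAPTURE, {"10.12.0.1"}).items():
        print(f"{client} bypasses the DHCP resolver: {counts}")
```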
New build?
kpiris said:
That’s not the case with my chromecast (spanish, not imported, with up-to-date firmware, 16041 IIRC) :
Interesting. My problems started last Friday, and mine is reporting (stock) build 16278.
Make sure you reboot router and Chromecast at the start of each test for clean results as DNS queries can be cached.
It seems that firmware 16278 has only been reported in the UK. Anyone seeing that outside of the UK?
Restart, restart, restart...
bhiga said:
Make sure you reboot router and Chromecast at the start of each test for clean results as DNS queries can be cached.
Yeah, today was a bit of a restart frenzy for me. Both the router and the ChromeCast have been powered off and back on again since the config changes and they continue to work.
cmstlist said:
It seems that firmware 16278 has only been reported in the UK. Anyone seeing that outside of the UK?
Yes here in Denmark, my cc has 16278
Firewall Rules for MAGISK
About the Module:
This module is actually a simple script that executes a series of iptables commands on boot in order to block inbound connections not directly related to outbound ones. There is no app or command to execute in order for it to achieve its results, so no impact to system performance. Just flash the ZIP, reboot and protection will be in place. Due to its nature, things that require direct connections to the device's IP will break... With that exception, most users should notice little to no interference in their daily use. All core networking functionality should remain intact and if not I will modify accordingly. Advanced users may specify custom rules to allow incoming connections by editing the script included in the ZIP/install location. Eventually I will provide some examples to allow commonly used services.
Current Release v1.0.2
TLDR;
When rooting devices with Magisk or other solutions I have noticed services & apps running services getting exposed to connected networks and/or the internet. This can spell big trouble for your security and privacy. For instance, running an app such as Share GPS from the Play Store, which is typically safe on non-rooted phones, will make your unencrypted GPS coordinates available on any network via simple command line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6 you can be assured that you're receiving a globally accessible non-NAT'd IP address. All it would take is one shady app masquerading as something you like, running a dynamic IP address updater script, and an attacker with little know-how to completely compromise your life. Trust me, I have done the research here & proved every bit of this to be completely possible without being a certified security researcher.
Let's be honest here, the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some risk. Running a device with absolutely no firewall because you rooted shouldn't be one of those risks. There are apps out there that can be used as firewalls like AFWall+ but they don't typically act on lower level processes, just the apps. Instead we should implicitly deny all inbound traffic and only allow inbound related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules, however for most people that won't be needed for day to day activity.
Customizing Rules:
You may wish to customize rules to allow inbound connections to services or apps running on your device. Notice how each "custom" rule contains the "-I" option, which inserts at the top of the chain. In this way each new rule will end up on top of the previous one. Be careful in how you write rules because they could completely override rules lower down in the chain. Best practice is to make the rule as specific as possible. In general, the shorter the rule, the more traffic will match it and be ACCEPTed or REJECTed. Hopefully the rules below can paint the picture. You should always test your rules first using a terminal emulator or ADB shell before saving them to be run on startup.
The main script for this module is located at:
Code:
/sbin/.core/img/com.geofferey.fw/post-fs-data.sh
Allow ALL IN from ANYWHERE: (DON'T DO IT!!!!)
Code:
iptables -I INPUT -j ACCEPT
Allow IN ADB on ALL WiFi:
Code:
iptables -I INPUT -i wlan0 -p tcp --dport 5555 -j ACCEPT
Allow IN ADB only on WiFi Network X:
Code:
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp --dport 5555 -j ACCEPT
(Assuming IP range 192.168.1.0-255)
Allow IN All WIFI on Network X:
Code:
iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
(Assuming IP range 192.168.1.0-255)
Recent Changes:
• v1.0 - Initial Release
• v1.0.1 - Added rules to support hotspot func. US T-Mobile users get native IPv6 global addresses. Switch to post-fs-data. Drop packets after rules are in place. Drop tcp and udp to hotspot and clients.
• v1.0.2 - Removed unnecessary rules not required for IPv6 hotspot tethering. Added anti-spoofing for loopback. Drop all invalid packets. Allow DHCPv6 & ping as it's essential.
Current Ruleset:
Code:
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv4 IPtables"
# Every -I rule is inserted at the top, so the last -I line below (loopback anti-spoofing) is evaluated first.
iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT    # hotspot clients on the tether subnet
iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT              # DNS for hotspot clients
iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT        # DHCP for hotspot clients
iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT    # rate-limited ping (a rule takes a single -j)
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT         # replies to our own outbound connections
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT                              # loopback source on a real interface is spoofed
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j REJECT                                                     # everything else inbound is refused
Log "[postfs.d] [Simple Firewall Rules for Magisk] - Applying IPv6 IPtables"
ip6tables -I INPUT -d ff02::/64 -j ACCEPT                                       # link-local multicast (NDP, RA)
ip6tables -I INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT   # DHCPv6 client
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -s ::1/128 ! -i lo -j REJECT                                 # loopback anti-spoofing
ip6tables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT    # protocol 1, not ICMPv6; the next line is the one that matters
ip6tables -I INPUT -p ipv6-icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT   # rate-limited ICMPv6
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -j REJECT
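As an added example (not the module's code), a small Python model of how the INPUT chain above is built and evaluated: it replays the IPv4 rules in script order, so each -I lands above the previous one, then checks a few constructed packets against the chain with and without the "Allow IN ADB only on WiFi Network X" rule from the Customizing Rules section and a deliberately over-broad rule. Interface names, the sample addresses and the packet set are assumptions.

```python
import ipaddress
import shlex

# Model of first-match evaluation in an iptables INPUT chain: a bare '-I'
# inserts at position 1 (the top) and '-A' appends, so the LAST '-I' line a
# script runs is evaluated FIRST.  Only options used in this thread are
# modelled (-i -p -s -d --dport --sport --ctstate '!' -j); '-m limit' is
# parsed but not enforced.  This is an illustration, not iptables itself.

def parse_rule(cmd):
    """Parse one 'iptables -I/-A INPUT ...' command into (mode, rule)."""
    argv = shlex.split(cmd)
    rule = {"text": cmd, "target": None, "match": {}}
    mode, negate, i = None, False, 1          # argv[0] is iptables/ip6tables
    while i < len(argv):
        opt = argv[i]
        if opt in ("-I", "-A"):
            mode, i = opt, i + 2              # skip the chain name
        elif opt == "-m":
            i += 2                            # match module; its options follow
        elif opt == "!":
            negate, i = True, i + 1           # negates the next criterion
        else:
            val = argv[i + 1]
            if opt == "-j":
                rule["target"] = val
            elif opt in ("-s", "-d"):
                rule["match"][opt] = (ipaddress.ip_network(val, strict=False), negate)
            elif opt in ("-i", "-p", "--dport", "--sport", "--ctstate"):
                rule["match"][opt] = (val, negate)
            elif opt not in ("--limit", "--limit-burst"):
                raise ValueError("option not modelled: " + opt)
            negate, i = False, i + 2
    return mode, rule

def _hits(opt, want, pkt):
    """One criterion against the packet, before any '!' negation."""
    if opt in ("-s", "-d"):
        return ipaddress.ip_address(pkt[opt]) in want
    if opt in ("--dport", "--sport"):
        lo, _, hi = want.partition(":")       # single port or lo:hi range
        return pkt.get(opt) is not None and int(lo) <= pkt[opt] <= int(hi or lo)
    if opt == "--ctstate":
        return pkt.get("--ctstate", "NEW") in want.split(",")
    return pkt.get(opt) == want               # -i and -p: exact match

def rule_matches(rule, pkt):
    return all(_hits(opt, want, pkt) != negate
               for opt, (want, negate) in rule["match"].items())

def build_chain(commands):
    """Replay the commands in script order and return the resulting chain."""
    chain = []
    for cmd in commands:
        mode, rule = parse_rule(cmd)
        if mode == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, pkt, policy="ACCEPT"):
    """(target, rule text) of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"], rule["text"]
    return policy, "<chain policy>"

# IPv4 part of the module's ruleset as posted above (duplicated '-j' on the
# icmp rule removed), in the order the script runs it.
MODULE_RULES = [
    "iptables -I INPUT -i wlan0 -s 192.168.43.0/24 -d 192.168.43.0/24 -j ACCEPT",
    "iptables -I INPUT -i wlan0 -p udp --dport 53 --sport 53 -j ACCEPT",
    "iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT",
    "iptables -I INPUT -p icmp -m limit --limit 3/sec --limit-burst 10 -j ACCEPT",
    "iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "iptables -I INPUT -i lo -j ACCEPT",
    "iptables -I INPUT -s 127.0.0.0/8 ! -i lo -j REJECT",
    "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
    "iptables -A INPUT -j REJECT",
]
# The thread's "Allow IN ADB only on WiFi Network X" rule, and a broad rule of
# the kind the thread warns will override everything below it in the chain.
ADB_LAN_ONLY = ("iptables -I INPUT -i wlan0 -s 192.168.1.0/24 -d 192.168.1.0/24"
                " -p tcp --dport 5555 -j ACCEPT")
TOO_BROAD = "iptables -I INPUT -i wlan0 -j ACCEPT"

# Constructed sample packets (RFC 1918 and documentation addresses), keyed by option.
PACKETS = {
    "adb_from_lan": {"-i": "wlan0", "-p": "tcp", "-s": "192.168.1.20", "-d": "192.168.1.50", "--dport": 5555},
    "adb_from_internet": {"-i": "rmnet0", "-p": "tcp", "-s": "203.0.113.5", "-d": "100.64.3.7", "--dport": 5555},
    "spoofed_loopback": {"-i": "wlan0", "-p": "tcp", "-s": "127.0.0.1", "-d": "192.168.1.50", "--dport": 5555},
    "https_reply": {"-i": "rmnet0", "-p": "tcp", "-s": "93.184.216.34", "-d": "100.64.3.7", "--sport": 443, "--ctstate": "ESTABLISHED"},
}

def module_verdicts(custom_rules=()):
    """Final target for each sample packet once custom rules are added on top."""
    chain = build_chain(MODULE_RULES + list(custom_rules))
    return {name: verdict(chain, pkt)[0] for name, pkt in PACKETS.items()}
```

Calling `module_verdicts((ADB_LAN_ONLY, TOO_BROAD))` shows the over-broad rule, inserted last and therefore evaluated first, accepting the spoofed-loopback packet that the anti-spoofing rule would otherwise reject.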
Resources:
https://www.ultratools.com/tools/ipv6CIDRToRange
http://www.ipv6scanner.com/cgi-bin/main.py
https://blogs.cisco.com/security/securing-ipv6
https://www.digitalocean.com/commun...essentials-common-firewall-rules-and-commands
https://www.sixxs.net/wiki/IPv6_Firewalling
https://test-ipv6.com/
Attached below is the module. Let me know how it works and if there are any improvements needed. Any suggestions or comments will be taken into consideration. I don't mind users voting that my module is crap (I made the poll) just have the decency to explain to others why.
Geofferey said:
Firewall for MAGISK
When rooting devices with Magisk or other solutions I have noticed that any services or apps running services get exposed to connected networks and/or the internet. This can spell big trouble for your security and privacy. For instance, running an app such as Share GPS from the Play Store, which is typically safe on non-rooted phones, will make your unencrypted GPS coordinates available on any network via simple command line tools. This is just one example of an app out of millions. With more and more mobile carriers such as T-Mobile and Sprint adopting IPv6 you can be assured that you're receiving a globally accessible non-NAT'd IP address. All it would take is one shady app masquerading as something you like, running a dynamic IP address updater script, and an attacker with little know-how to completely compromise your life. Trust me, I have done the research here & proved every bit of this to be completely possible without being a certified security researcher.
Let's be honest here, the fact that you're holding a phone in your hand means that your life has already been compromised, but at least we can mitigate some risk. Running a device with absolutely no firewall because you rooted shouldn't be one of those risks. There are apps out there that can be used as firewalls like AFWall+ but they don't typically act on lower level processes, just the apps. Instead we should implicitly deny all inbound traffic and only allow inbound related to your established connections, which is exactly what this module does. Future versions of the mod will allow advanced users to specify rules, however for most people that won't be needed for day to day activity.
Attached below is the module. Please let me know how it works and if there are any improvements I may provide. As users of highly connected devices I believe we should all take security a lil more seriously. Any suggestions or comments will be taken into consideration
Is it like the adguard firewall
I Will Sacrifice For Those That I Love
@PoochyX No, it runs at a lower level applying a simple set of 'iptables' rules on boot with no user intervention required. There is no user interface for the mod at the moment. I'm not sure how the app you specified operates. I honestly believe most users should have this installed and it shouldn't affect day to day use unless you are trying to connect directly to something running on phone which most users don't typically do.
In actuality the app you mention might not be needed if you just want to limit inbound. As for outbound connections my policy allows all, which an app like that would be good for limiting if you wish to do so.
Think of my mod as a base set of rules that should already be in place.
For experts .... Let me know if there's something I should add
Code:
iptables -A INPUT -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -s fe80::/10 -j ACCEPT
ip6tables -I INPUT -d ff02::/10 -j ACCEPT
ip6tables -I INPUT -i lo -j ACCEPT
Does it change dns?
jaggillararla said:
Does it change dns?
I haven't noticed any DNS changes in the way traffic is being routed
I Will Sacrifice For Those That I Love
---------- Post added at 08:58 PM ---------- Previous post was at 08:45 PM ----------
Geofferey said:
@PoochyX No, it runs at a lower level applying a simple set of 'iptables' rules on boot with no user intervention required. There is no user interface for the mod at the moment. I'm not sure how the app you specified operates. I honestly believe most users should have this installed and it shouldn't affect day to day use unless you are trying to connect directly to something running on phone which most users don't typically do.
In actuality the app you mention might not be needed if you just want to limit inbound. As for outbound connections my policy allows all, which an app like that would be good for limiting if you wish to do so.
Think of my mod as a base set of rules that should already be in place.
For experts .... Let me know if there's something I should add
Let's say I want to deny a certain app or process internet access. Can this module do that, or is that considered an outbound connection...
I Will Sacrifice For Those That I Love
@PoochyX That would be a task more suited for an app like AFWall+. I think you could also use AFWall+ to allow inbound connections that this module doesn't, in case the need arises. You're correct: if you wanted to limit an app from accessing the internet then you would block its outgoing connections. This mod shouldn't be considered a replacement for apps like those.
Think of it like closing all the doors to your house so randoms can't walk in. Anyone can leave at anytime and relatives are welcome. I am not deadbolting the home so nothing can escape.
@Geofferey
Worth pointing out this breaks hotspot...
@Geofferey AfWall+ also uses iptables and it allows us to specify custom iptables scripts, which serve the same purpose as your Magisk Module, but can be changed dynamically at runtime.
// EDIT AfWall+ has a setting for dis-/enabling incoming connections in their "experimental" section.
I did not check if it works though.
73sydney said:
@Geofferey
Worth pointing out this breaks hotspot...
Gotcha bro. v1.0.2 should fix hotspot and allow global IPv6 assignment to US users of T-Mobile. Thanks for pointing it out. I would've got to it sooner but IPv6 is very new to me. I got NAT'd IPv4 hotspot working right away but IPv6 was also something I had to look into.
Let me know if you guys experience any other issues with day to day usage of your phone in regards to internet connectivity with this module in place. For other users on different carriers who desire v6 functionality for tethered clients I will need the name of your carrier, country, and v6 prefixes.
If anyone with background in networking or net security has anything to add please do. I've done my best to make sure these rules are solid but I'm not an expert, especially on IPv6.
GoPro Live preview
Geofferey said:
Gotcha bro. v1.0.2 should fix hotspot and allow global IPv6 assignment to US users of T-Mobile. Thanks for pointing it out. I would've got to it sooner but IPv6 is very new to me. I got NAT'd IPv4 hotspot working right away but IPv6 was also something I had to look into.
Let me know if you guys experience any other issues with day to day usage of your phone in regards to internet connectivity with this module in place. For other users on different carriers who desire v6 functionality for tethered clients I will need the name of your carrier, country, and v6 prefixes.
If anyone with background in networking or net security has anything to add please do. I've done my best to make sure these rules are solid but I'm not an expert, especially on IPv6.
Version 1.0.2 fixed the Wi-Fi hotspot issue, but I found another problem.
I'm using the GoPro app to control the cam. With your module the camera live preview does not work. Managing the camera settings works well; only the live preview is broken.
Any idea how to fix this?
@Geofferey
Sadly I have an issue when I tested the new build...
I use the terminal debloat module and load my launcher (Nova) via a module too...
When using your firewall module, these fail to load, and because I remove the stock launcher via debloat, this means your module makes my device unusable.
This is due to the fact you're using post-fs-data; it's blocking by nature and can, as described, have REALLY bad side effects.
You should be using service.d (non-blocking) to run your scripts. Later today I'll post you a modified module zip which uses service.d..... I've recently modded a script I have from post-fs-data to service.d, complete with uninstall script....
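Pulling together three points from this thread (the inbound-only ruleset in the first post, the hotspot breakage, and the advice above to run from the late_start service stage instead of post-fs-data), here is an added example script in the shape of a Magisk module service.sh. It is not the module's own code. The chain name fw_inbound, the tether interface names swlan0/ap0/rndis0 and the DHCPv6 rule are assumptions; run `ip link` while the hotspot is up to get your device's names. Instead of pushing rules straight into INPUT it keeps everything in its own chain (so applying it twice is harmless and one command removes it), it lets tethered clients reach the phone's DHCP and DNS, and it accepts the unsolicited ICMPv6 Neighbour Discovery messages that IPv6 needs, which a RELATED,ESTABLISHED rule never matches.

```shell
#!/system/bin/sh
# Example inbound firewall in the shape of a Magisk module service.sh (late_start, non-blocking).
# Added example, not the module's code. Chain name, tether interface names and the
# DHCPv6 rule are assumptions; adjust them for your device.

FW_CHAIN="${FW_CHAIN:-fw_inbound}"                   # assumed chain name
TETHER_IFACES="${TETHER_IFACES:-swlan0 ap0 rndis0}"  # assumed hotspot / USB tether names
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
DRY_RUN="${DRY_RUN:-0}"                              # 1 = print the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# late_start service: wait for boot so netd has already installed its own chains.
wait_boot() {
  while [ "$(getprop sys.boot_completed 2>/dev/null)" != "1" ]; do sleep 2; done
}

# Rules shared by IPv4 and IPv6, kept in a dedicated chain so re-running or
# uninstalling never has to touch netd's rules in INPUT.
fw_common() {   # $1 = iptables or ip6tables binary
  b=$1
  run "$b" -N "$FW_CHAIN" 2>/dev/null
  run "$b" -F "$FW_CHAIN"
  run "$b" -A "$FW_CHAIN" -i lo -j ACCEPT
  run "$b" -A "$FW_CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  for ifc in $TETHER_IFACES; do     # tethered clients must reach the phone's DNS forwarder
    run "$b" -A "$FW_CHAIN" -i "$ifc" -p udp --dport 53 -j ACCEPT
    run "$b" -A "$FW_CHAIN" -i "$ifc" -p tcp --dport 53 -j ACCEPT
  done
}

# Insert the jump at position 1 exactly once (idempotent on re-run).
fw_hook() {
  if [ "$DRY_RUN" = 1 ] || ! "$1" -C INPUT -j "$FW_CHAIN" 2>/dev/null; then
    run "$1" -I INPUT 1 -j "$FW_CHAIN"
  fi
}

fw_v4() {
  fw_common "$IPT"
  for ifc in $TETHER_IFACES; do
    run "$IPT" -A "$FW_CHAIN" -i "$ifc" -p udp --dport 67 -j ACCEPT   # DHCPv4 server for tethered clients
  done
  run "$IPT" -A "$FW_CHAIN" -j DROP                                   # everything else unsolicited
  fw_hook "$IPT"
}

fw_v6() {
  fw_common "$IP6T"
  # Neighbour Discovery and Router Solicitation/Advertisement are unsolicited ICMPv6;
  # conntrack never marks them RELATED or ESTABLISHED, so without these IPv6 silently dies.
  for t in neighbour-solicitation neighbour-advertisement router-solicitation router-advertisement; do
    run "$IP6T" -A "$FW_CHAIN" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  for ifc in $TETHER_IFACES; do
    run "$IP6T" -A "$FW_CHAIN" -i "$ifc" -p udp --dport 547 -j ACCEPT  # DHCPv6, if your tethering uses it
  done
  run "$IP6T" -A "$FW_CHAIN" -j DROP
  fw_hook "$IP6T"
}

# What a module uninstall script would call: unhook, flush, delete.
fw_remove() {
  for b in "$IPT" "$IP6T"; do
    run "$b" -D INPUT -j "$FW_CHAIN"
    run "$b" -F "$FW_CHAIN"
    run "$b" -X "$FW_CHAIN"
  done
}

fw_status() {   # exit 0 only if the hook is present for both families
  "$IPT" -C INPUT -j "$FW_CHAIN" 2>/dev/null && "$IP6T" -C INPUT -j "$FW_CHAIN" 2>/dev/null
}

case "${1:-}" in
  apply)   wait_boot; fw_v4; fw_v6 ;;
  remove)  fw_remove ;;
  status)  fw_status ;;
  dry-run) DRY_RUN=1; fw_v4; fw_v6 ;;
esac
```

Run it with `dry-run` first to see the exact commands it would issue, `status` to confirm the hook is in place after boot, and `remove` from the uninstall script. Anything that relies on unsolicited inbound UDP, like the GoPro live preview reported later in this thread, still needs its own ACCEPT for that app's port; the packet counters on the final DROP rule in `iptables -nvL fw_inbound` are the quickest way to see what is being discarded.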
73sydney said:
@Geofferey
Sadly I have an issue when i tested the new build...
I use the terminal debloat module and load my launcher (Nova) via a module too...
When using your firewall module, these fail to load, and because I remove the stock launcher via debloat, this means your module makes my device unusable
This is due to the fact you're using post-fs-data, it's blocking by nature and can, as described, have REALLY bad side effects.
You should be using service.d (non blocking) to run your scripts. Later today I'll post you a modified module zip which uses service d.....I've recently modded a script I have from post-fs-data to service d, complete with uninstall script....
So you had no nandroid of your device because you were just building up your daily driver, and you were implementing his module into your driver's configuration and it was a no go?
PoochyX said:
So you had no nandroid of your device because you were just building up your daily driver, and you were implementing his module into your driver's configuration and it was a no go?
Not sure what you're trying to say here, sorry....
73sydney said:
Not sure what youre trying to say here, sorry....
Nandroid, aka a TWRP backup of your phone.
Edited zip with proposed fixes and change to service.d sent to @Geofferey
---------- Post added at 06:20 PM ---------- Previous post was at 06:14 PM ----------
PoochyX said:
Nandroid, aka a TWRP backup of your phone.
I always have one, but nothing I was talking about yesterday was in any way related to nandroid backups....
Ahhh.... maybe you misunderstood, thinking I couldn't get back in after enabling the firewall module?
No, I just rebooted to recovery and disabled the module via this: https://forum.xda-developers.com/apps/magisk/tool-magisk-manager-recovery-tool-v1-0-t3866502
Everyone should have a copy of that on their external sdcard, just in case
All good
The module seems as if it could use a look for Magisk 19 on LineageOS 12.1 (Android 5.1.1). I installed it through TWRP recovery, and after reboot I had no internet access, all my Magisk modules stopped working and all my installed apps were reset (their data was wiped). I had to disable and uninstall your firewall module for things to work again, like internet access and my Magisk modules etc. Any idea what went wrong, without logs?
@Geofferey
Hello, with your module YouTube Vanced (Magisk Repo) no longer works. Could you fix this? Thank you.
How can I run this on my phone?
Does this work on android 13?