http://blog.wifizoo.net/?post=180
装了不少软件,随之而来的问题是,有些软件的权限实在是太过分了,动不动就喜欢联网更新数据。比如天天动听等一些播放器软件,隔一段时间就在通知栏提示有新版本需要更新;更有甚者一些软件居然自带广告栏,每当打开软件时候就联网更新广告,活脱脱将手机当成了免费的广告发布平台,实在令人是不堪忍受。 特别是有些密码箱程序,安装的时候居然明目张胆的提示有完全的网络权限,难道是想把使用者的账号密码神不知鬼不觉的全部偷回去?太邪恶了,偶不敢想下去了!
解决方法不是没有,直接禁掉网络连接显然不可取,反向工程将源码中广告代码去掉难度比较大,想来想去,android下面有iptables这个强大的东东,用它来写规则应该可以实现这个目的。
看了一下android的iptables规则说明
iptables v1.3.7
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
好吧,那么就不客气了,由于这是手机而非路由器,自然不能用按老办法以客户端的源IP来进行过滤;不过可以基于包的生产者来用owner match匹配,先ban了所有的OUTPUT链,然后白名单加入允许通行的程序,搞定。
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere OWNER UID match dhcp
ACCEPT 0 -- anywhere anywhere OWNER UID match wifi
ACCEPT 0 -- anywhere anywhere OWNER UID match app_64
ACCEPT 0 -- anywhere anywhere OWNER UID match app_4
ACCEPT 0 -- anywhere anywhere OWNER UID match system
ACCEPT 0 -- anywhere anywhere OWNER UID match app_16
ACCEPT 0 -- anywhere anywhere OWNER UID match app_73
ACCEPT 0 -- anywhere anywhere OWNER UID match app_33
ACCEPT 0 -- anywhere anywhere OWNER UID match app_72
ACCEPT 0 -- anywhere anywhere OWNER UID match app_12
ACCEPT 0 -- anywhere anywhere OWNER UID match app_23
ACCEPT 0 -- anywhere anywhere OWNER UID match app_8
ACCEPT 0 -- anywhere anywhere OWNER UID match app_61
ACCEPT 0 -- anywhere anywhere OWNER UID match app_54
ACCEPT 0 -- anywhere anywhere OWNER UID match app_29
ACCEPT 0 -- anywhere anywhere OWNER UID match app_15
ACCEPT 0 -- anywhere anywhere OWNER UID match app_3
ACCEPT 0 -- anywhere anywhere OWNER UID match app_31
ACCEPT 0 -- anywhere anywhere OWNER UID match app_0
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable
沒有留言:
張貼留言