Wednesday, May 29, 2013

iptables, a powerful network firewall on Android

http://blog.wifizoo.net/?post=180

Having installed quite a few apps, the problem that follows is that some of them have truly excessive permissions and go online to update data at every opportunity. Players like 天天动听 (TTPod), for example, pop up a notification every so often saying a new version is available; worse, some apps ship with their own ad bar and fetch fresh ads over the network every time they are opened, turning the phone into a free advertising platform. It is unbearable. Worst of all are certain password-vault apps that brazenly request full network access at install time. Are they planning to quietly siphon off all of the user's accounts and passwords? Too evil; I don't dare think about it any further!
There are ways around this. Simply disabling network connectivity is obviously not acceptable, and reverse-engineering the apps to strip the ad code out of the source is fairly hard. After some thought: Android ships the powerful iptables, and writing rules with it should achieve the goal.
I had a look at the usage text of the Android iptables build:
iptables v1.3.7
Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain  Append to chain
  --delete  -D chain  Delete matching rule from chain
  --delete  -D chain rulenum
    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
    Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
    Replace rule rulenum (1 = first) in chain
  --list    -L [chain]  List the rules in a chain or all chains
  --flush   -F [chain]  Delete all rules in  chain or all chains
  --zero    -Z [chain]  Zero counters in chain or all chains
  --new     -N chain  Create a new user-defined chain
  --delete-chain
            -X [chain]  Delete a user-defined chain
  --policy  -P chain target
    Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
    Change chain name, (moving any references)
Options:
  --proto -p [!] proto protocol: by number or name, eg. `tcp'
  --source -s [!] address[/mask]
    source specification
  --destination -d [!] address[/mask]
    destination specification
  --in-interface -i [!] input name[+]
    network interface name ([+] for wildcard)
  --jump -j target
    target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match -m match
    extended match (may load extension)
  --numeric -n  numeric output of addresses and ports
  --out-interface -o [!] output name[+]
    network interface name ([+] for wildcard)
  --table -t table table to manipulate (default: `filter')
  --verbose -v  verbose mode
  --line-numbers  print line numbers when listing
  --exact -x  expand numbers (display exact values)
[!] --fragment -f  match second or further fragments only
  --modprobe=<command>  try to insert modules using this command
  --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V  print package version.

Alright then, no more being polite. Since this is a phone and not a router, the old approach of filtering on the client's source IP naturally does not apply; instead, packets can be matched on the process that produced them using the owner match, which keys on the UID of the app that owns the socket. So: first ban everything in the OUTPUT chain, then whitelist the programs that are allowed through. Done.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            OWNER UID match dhcp
ACCEPT     0    --  anywhere             anywhere            OWNER UID match wifi
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_64
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_4
ACCEPT     0    --  anywhere             anywhere            OWNER UID match system
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_16
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_73
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_33
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_72
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_12
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_23
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_8
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_61
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_54
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_29
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_15
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_3
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_31
ACCEPT     0    --  anywhere             anywhere            OWNER UID match app_0
REJECT     0    --  anywhere             anywhere            reject-with icmp-port-unreachable
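
The following shell script is an added example (my code, not the original author's) that regenerates a whitelist like the listing above from a list of UID names. Note that the chain policy in the listing is still ACCEPT, so the trailing REJECT rule is what actually blocks unlisted apps; flushing the chain before re-adding the rules keeps that rule last. It assumes a rooted device with the binary at /system/bin/iptables and a kernel that has the owner match (xt_owner) built in.

```shell
#!/bin/sh
# Added example, not the original author's script: rebuild the OUTPUT-chain
# whitelist shown in the listing above. Assumptions: a rooted device with
# /system/bin/iptables and a kernel that has the owner match (xt_owner).
IPTABLES="${IPTABLES:-/system/bin/iptables}"

# Print the iptables commands for a whitelist of owners. Owners may be
# Android UID names such as app_64 or wifi, or numeric UIDs.
build_rules() {
    owner=""
    for owner in "$@"; do
        # The commands are fed to a shell, so refuse anything that is not
        # a plain UID name or number.
        case "$owner" in
            ""|*[!A-Za-z0-9_]*)
                echo "invalid owner: '$owner'" >&2
                return 1 ;;
        esac
    done
    # Empty the chain first so rerunning the script does not stack rules
    # and the REJECT rule below stays last.
    echo "$IPTABLES -F OUTPUT"
    for owner in "$@"; do
        echo "$IPTABLES -A OUTPUT -m owner --uid-owner $owner -j ACCEPT"
    done
    # Default deny: the chain policy stays ACCEPT, so this final rule is
    # what blocks every app that is not in the whitelist.
    echo "$IPTABLES -A OUTPUT -j REJECT"
}

# Apply the rules, or just show them when DRY_RUN=1.
apply_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        build_rules "$@"
    else
        build_rules "$@" | sh -e
    fi
}

# Usage on the device (as root): sh whitelist.sh dhcp wifi system app_64
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Run it with DRY_RUN=1 first to review the generated commands before they touch the live ruleset.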
