afwall icon indicating copy to clipboard operation
afwall copied to clipboard

Published 20 hours ago verified publisher icon ukanth

[suggestion] Allow local subnet (optional)

Open BlueMax opened this issue 7 years ago • 7 comments

Allow an option in the GUI to define subnet mask (eg. 192.168.1.0/24) that will add a rule like this: $IPTABLES -I "afwall" --destination "192.168.1.0/24" -j RETURN

This might help people not familiar with custom scripts to allow traffic between devices in the defined (home) subnet without granting apps external internet access.

BlueMax avatar Nov 03 '17 01:11 BlueMax

Sounds good from the network point of view. But what's the use case here? I don't know many local net interactions with Android devices...

ildar avatar Nov 09 '17 18:11 ildar

SSH, CIFS, ADB/wifi, caldav, inter-device file transfers...

BlueMax avatar Nov 09 '17 19:11 BlueMax

I also find it a nice idea. My wifi and wired networks are partitioned into 2 different sub-nets. With the default Afwall+ configuration, the lan traffic is only enabled for the wifi sub-net. It would be really nice if we could specify a list of sub-nets which afwall+ would consider as belonging to the internal "lan" and used (as the default one) to split the traffic among the lan and the wan (e.g. into the afwall-wifi-fork chain).

cris- avatar Nov 13 '17 16:11 cris-

I've tried to implement it with a custom script, but I don't seem to be able to add rules to the afwall-wifi-fork chain at the time the script is fired. Instead, I can modify the chain on the fly with iptables, but there's very likely something I'm still missing.

It seems to work if I modify the rules using another netmask, e.g.

afwall-wifi-lan  all  --  anywhere             192.168.0.0/23      
afwall-wifi-wan  all  --  anywhere            !192.168.0.0/23

It does not seem to work if I add a rule like follows

afwall-wifi-lan  all  --  anywhere             192.168.1.0/24
afwall-wifi-lan  all  --  anywhere             192.168.0.0/24
afwall-wifi-wan  all  --  anywhere            !192.168.1.0/24

What am I missing?

cris- avatar Nov 18 '17 16:11 cris-

I do it like this. Rules are deleted (-D) and then created/inserted (-I) to prevent duplicates when reapplying rules in AFWall. Some of this IPs came up in the logs regularly so i whitelisted them to stop bugging me (they are no external IPs anyway). The relevant lines are the '192.168.0.0/16' ones.

# Allow local + loopback
$IPTABLES -D INPUT -i lo+ -j ACCEPT || true
$IPTABLES -D OUTPUT -o lo+ -j ACCEPT || true
$IPTABLES -D INPUT -d 127.0.0.1 -j ACCEPT || true
$IPTABLES -D OUTPUT -d 127.0.0.1 -j ACCEPT || true
$IPTABLES -D OUTPUT -d 239.255.255.250 -j ACCEPT || true
$IPTABLES -D OUTPUT -d 224.0.0.22 -j ACCEPT || true
$IPTABLES -D OUTPUT -d 239.2.0.252 -j ACCEPT || true
$IPTABLES -D "afwall" --destination "192.168.0.0/16" -j RETURN || true
$IPTABLES -D "afwall" --destination "255.255.255.255" -j RETURN || true
$IPTABLES -I INPUT -i lo+ -j ACCEPT || true
$IPTABLES -I OUTPUT -o lo+ -j ACCEPT || true
$IPTABLES -I INPUT -d 127.0.0.1 -j ACCEPT || true
$IPTABLES -I OUTPUT -d 127.0.0.1 -j ACCEPT || true
$IPTABLES -I OUTPUT -d 239.255.255.250 -j ACCEPT || true
$IPTABLES -I OUTPUT -d 224.0.0.22 -j ACCEPT || true
$IPTABLES -I OUTPUT -d 239.2.0.252 -j ACCEPT || true
$IPTABLES -I "afwall" --destination "192.168.0.0/16" -j RETURN || true
$IPTABLES -I "afwall" --destination "255.255.255.255" -j RETURN || true

BlueMax avatar Nov 18 '17 18:11 BlueMax

This works from the shell when the rules have already been applied for wifi:

IPTABLES=/system/bin/iptables
$IPTABLES -R afwall-wifi-fork 1 -d 192.168.0.0/23 -j afwall-wifi-lan
$IPTABLES -R afwall-wifi-fork 2 ! -d 192.168.0.0/23 -j afwall-wifi-wan

It does not work when invoked as a custom script, probably because the chain afwall-wifi-fork does not exist yet at that time. If I attempt to create the chain in the script, then applying the rules results in a complete failure.

I'm attempting to permit the traffic only for the apps allowed to connect to the lan: adding the rule(s) to the afwall or afwall-wifi chains seems to permit the traffic for all the applications indistinctly.

cris- avatar Nov 19 '17 14:11 cris-

After a bit testing I seem to have obtained the expected behavior with this custom script:

IPTABLES=/system/bin/iptables
IW=/system/bin/iw

wlan_interface="wlan0"
valid_ssids="apxxx01 apxxx02" # test values!
target_chain="afwall-wifi"
destinations="192.168.0.100 192.168.3.0/24" # test values!
allowed_userids="10001 10002" # test values! 

# note: using sh syntax
# note: not returning errors as this seems to make afwall+ hang?
action=$1
if [ -z "$action" ]; then
  script=`basename $0`
  case $script in
    *add.sh) action=add;;
    *remove.sh) action=remove;;
    *insert.sh) action=insert;;
  esac
fi

case $action in
  add) iptables_cmd="-A";;
  insert) iptables_cmd="-I";;
  remove) iptables_cmd="-D";;
  *) echo "invalid action: '$action'"
     exit 1;;
esac

# note: not returning errors from here as this might produce failures in afwall+
out_msg=$($IW dev $wlan_interface link)
if echo "$out_msg" | grep -Eq  '^Not\ connected\.$'; then
  echo "wifi interface $wlan_interface not connected... exiting."
else
  ssid=$(echo "$out_msg" | grep 'SSID'| sed 's/ //g'|cut -d ":" -f 2)
  echo "$valid_ssids" | grep -w "$ssid" > /dev/null 2>&1
  if [ $? -eq 0 ]; then
    for userid in $allowed_userids; do
      for destination in $destinations; do
        ${IPTABLES} ${iptables_cmd} ${target_chain} -d ${destination} -m owner --uid-owner ${userid} -j RETURN 
      done
    done
  else
    echo "not a valid ssid: '$ssid'"
  fi
fi

In afwall+ I've configured the following:

custom script: . /data/local/afwall/afwall_allow_lan.sh add

custom shutdown script: . /data/local/afwall/afwall_allow_lan.sh remove

And yes ... one can do everything with custom scripts... but is like re-writing afwall+ from scratch...

cris- avatar Nov 22 '17 16:11 cris-