References
2. A complete solution for IP filtering with iptables on Fedora 5
3. CM7 iptables patch, confirmed working with DroidWall
The phone gets online over wifi through a wireless router. The router does no IP filtering of its own, so iptables on the phone is used to build the filter: only traffic to the ranges listed on the free-IP page (plus the local network) is allowed through.
First, the phone must be rooted and able to run busybox.
Most Android phones ship a stripped-down iptables, so if the script fails with something like "getsockopt for multiport failed strangely: No such file or directory", fetch kang.project-voodoo.org/f/iptables-cm7-kang.zip and add or replace the iptables binary under /system/bin.
Drawing on the code of hexing and tingxx, I rewrote the program as follows.
nat.sh:
#!/bin/sh
#PATH=$PATH:/usr/sbin:/sbin
#### configure begin ###############################################################################
# myip is the phone's own address on the outside interface
myip="192.168.1.188"
# intra is the inside network, e.g. 192.168.0.0/24 or 172.16.0.0/16
intra="192.168.1.0/24"
# ethout is the interface that connects to the outside network (wifi here)
ethout="tiwlan0"
# htmladdr is the web page that lists the free IP ranges
htmladdr="http://hitsun.hit.edu.cn/freeip2011.12.htm"
#### configure end
# download the free-IP html file from the web; timeout 20 seconds, 2 retries
wget -O freeip.htm $htmladdr -T 20 -t 2
# test whether the download succeeded; on failure, log it and exit without touching the rules
if [ $? -ne 0 ] || [ ! -s freeip.htm ]; then
    echo "download of $htmladdr failed" >> nat.log
    exit 1
fi
# get the free-IP table: pull every dotted quad out of the html, then let awkfile.sh
# pair the first and third address of each triple into network/netmask
fip=`busybox grep -o '[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}' freeip.htm | busybox awk -f ./awkfile.sh`
echo "get freeip successfully!"
################# get freeip end ###########################################################################
echo "set iptables rules..."
# flush the old rules and default to DROP in every direction
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# with OUTPUT defaulting to DROP, loopback must be allowed explicitly, or
# anything on the phone that talks to 127.0.0.1 stops working
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# one ACCEPT pair per free network: inbound from it, outbound from us to it
for x in $fip
do
iptables -A INPUT -i $ethout -s $x -j ACCEPT
iptables -A OUTPUT -o $ethout -s $myip -d $x -j ACCEPT
iptables -A FORWARD -i $ethout -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ethout -s $intra -d $x -j ACCEPT
done
# iptables -A FORWARD -j DROP
# the inside network is always allowed
iptables -A INPUT -i $ethout -s $intra -j ACCEPT
iptables -A OUTPUT -o $ethout -d $intra -j ACCEPT
awkfile.sh (an awk program despite the .sh name; nat.sh only ever runs it through awk -f):
# every three addresses grep finds on the page form one entry:
# the first is the network address, the third is its netmask
{
    if (NR % 3 == 1)
        network = $0
    else if (NR % 3 == 0) {
        netmask = $0
        OFS = "/"
        print network, netmask
    }
}
In a terminal emulator, cd to the folder holding both files (nat.sh looks for ./awkfile.sh in the current directory) and run busybox chmod +x nat.sh.
Then run sh nat.sh and the IP filtering is in place. Enjoy it!
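Before running a script that sets every policy to DROP on the phone, it pays to see the rule set it will produce. The following is an added example, not code from the original post: it replays the nat.sh pipeline as a dry run, parsing a constructed copy of the free-IP page into network/netmask pairs and printing the iptables commands instead of executing them. It also adds a check that nat.sh lacks: the grep pattern matches any three-digit groups, so an entry such as 999.1.1.1 would be fed to iptables unchecked, and the awk stage here rejects it. The sample html, the interface name tiwlan0 and the addresses are assumptions; the real layout of the free-IP page is not on this page, and the sample only follows what awkfile.sh assumes (three dotted quads per entry, network first, netmask third). The example needs POSIX sh with grep and awk, where nat.sh uses busybox grep and busybox awk.

```shell
#!/bin/sh
# Added example, not part of the original post: a dry-run version of the
# nat.sh pipeline. It parses a constructed copy of the free-IP page into
# network/netmask pairs, rejects malformed addresses, and prints the
# iptables commands instead of running them, so the rule set can be read
# before it is applied on the phone. Assumes POSIX sh with grep and awk
# (nat.sh uses busybox grep/awk; the pipeline is the same).

# Constructed sample of the free-IP page (assumption: the real page is not
# shown here). It follows what awkfile.sh assumes: every entry is three
# dotted quads in order, here network, gateway, netmask. The third row's
# network address has an octet above 255 and must be dropped.
SAMPLE_HTML='<html><body><table>
<tr><td>202.118.224.0</td><td>202.118.224.1</td><td>255.255.255.0</td></tr>
<tr><td>219.217.0.0</td><td>219.217.0.1</td><td>255.255.0.0</td></tr>
<tr><td>999.1.1.1</td><td>10.0.0.1</td><td>255.255.255.255</td></tr>
</table></body></html>'

# Read html on stdin, print one "network/netmask" line per entry.
# The grep pattern is the one from nat.sh; it also matches 999.1.1.1, so
# the awk stage checks every octet before accepting a pair.
extract_free_nets() {
    grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' |
    awk -F. '
        { ok_line = ($1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255) }
        NR % 3 == 1 { net = $0; ok = ok_line }                # first of the triple: network
        NR % 3 == 0 { if (ok && ok_line) print net "/" $0 }   # third of the triple: netmask
    '
}

# Read "network/netmask" lines on stdin and print the iptables commands.
# $1 = outside interface, $2 = own IP on it, $3 = inside network.
# Mirrors the INPUT/OUTPUT rules of nat.sh; the FORWARD rules only matter
# when the phone also routes for other hosts, so they are left out here.
build_ruleset() {
    iface=$1; myip=$2; intra=$3
    for chain in INPUT OUTPUT FORWARD; do
        printf 'iptables -F %s\n' "$chain"
        printf 'iptables -P %s DROP\n' "$chain"
    done
    # With OUTPUT defaulting to DROP, loopback needs an explicit ACCEPT or
    # everything on the phone that talks to 127.0.0.1 is cut off.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
    while IFS= read -r net; do
        [ -n "$net" ] || continue
        printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$net"
        printf 'iptables -A OUTPUT -o %s -s %s -d %s -j ACCEPT\n' "$iface" "$myip" "$net"
    done
    printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$intra"
    printf 'iptables -A OUTPUT -o %s -d %s -j ACCEPT\n' "$iface" "$intra"
}

# Dry run on the sample; on the phone, pipe the output into sh to apply it.
printf '%s\n' "$SAMPLE_HTML" | extract_free_nets | build_ruleset tiwlan0 192.168.1.188 192.168.1.0/24
```

On the phone the same two functions can be fed the downloaded freeip.htm instead of the sample, and the printed rule set piped into sh once it reads as expected. Note that nothing here allows DNS: if the resolver the phone uses is not inside a free range or the inside network, name lookups fail under these rules exactly as they do under nat.sh.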