iptables 网络防火墙：以下代码只针对 GPRS 进行禁止访问
#!/system/bin/sh
查找合适的 iptables 文件：
# Default tool names. The probes that follow replace them with absolute paths
# (or "busybox <applet>") when a working binary is found.
ECHO=echo
GREP=grep
BUSYBOX=busybox
IPTABLES=iptables
# Try to find busybox. Candidates are probed in order of preference; the first
# one that answers --help wins. If none does, BUSYBOX keeps its current value.
for candidate in \
  '/data/data/com.***.activity/app_bin/busybox_g1' \
  busybox \
  /system/xbin/busybox \
  /system/bin/busybox
do
  if "$candidate" --help >/dev/null 2>&1 ; then
    BUSYBOX=$candidate
    break
  fi
done
# Only the app-bundled build is also used for grep and echo; when a system
# busybox is found the PATH tools stay in use and busybox is kept as fallback.
# NOTE(review): this script runs as root and executes a binary from the app's
# private data directory, so it trusts whatever that directory holds.
case "$BUSYBOX" in
  */app_bin/busybox_g1)
    GREP="$BUSYBOX grep"
    ECHO="$BUSYBOX echo"
    ;;
esac
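# Try to find a working grep. $ECHO, $GREP and $BUSYBOX are deliberately left
# unquoted: they may hold "busybox grep", which must split into two words.
# The :-defaults keep this block usable even if the defaults above were not set.
if ! ${ECHO:-echo} 1 | ${GREP:-grep} -q 1 >/dev/null 2>&1 ; then
  # Fall back to the busybox applet if busybox was located.
  if ${ECHO:-echo} 1 | ${BUSYBOX:-busybox} grep -q 1 >/dev/null 2>&1 ; then
    GREP="${BUSYBOX:-busybox} grep"
  fi
  # Grep is absolutely required: the OUTPUT-chain check below depends on it.
  if ! ${ECHO:-echo} 1 | ${GREP:-grep} -q 1 >/dev/null 2>&1 ; then
    # Diagnostics go to stderr so they are not mistaken for normal output.
    ${ECHO:-echo} "The grep command is required. IptablesChainName will not work." >&2
    exit 1
  fi
fi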
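# Try to find iptables: prefer the binary bundled with the app, else keep the
# one on PATH. The probed path and the assigned path are the same variable, so
# the two can no longer drift apart (the original listing probed one package
# path and assigned a differently spelled one).
bundled_iptables='/data/data/com.***.activity/app_bin/iptables_armv5'
if "$bundled_iptables" --version >/dev/null 2>&1 ; then
  IPTABLES=$bundled_iptables
fi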
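# iptables itself is mandatory.
$IPTABLES --version || exit 1
# Create the IptablesChainName chains if necessary. -L on a missing chain
# fails, which is what triggers --new; -n keeps the listing free of any
# address/service name lookups, so the check does not depend on resolver or
# /etc/services availability on the device.
$IPTABLES -L IptablesChainName -n >/dev/null 2>&1 || $IPTABLES --new IptablesChainName || exit 2
$IPTABLES -L IptablesChainName-3g -n >/dev/null 2>&1 || $IPTABLES --new IptablesChainName-3g || exit 3
$IPTABLES -L IptablesChainName-wifi -n >/dev/null 2>&1 || $IPTABLES --new IptablesChainName-wifi || exit 4
$IPTABLES -L IptablesChainName-reject -n >/dev/null 2>&1 || $IPTABLES --new IptablesChainName-reject || exit 5
# Hook IptablesChainName into OUTPUT if it is not there yet, so only locally
# generated (outbound) traffic is filtered. The grep is a substring match; it
# relies on no other chain named IptablesChainName* being jumped to from OUTPUT.
$IPTABLES -L OUTPUT -n | $GREP -q IptablesChainName || $IPTABLES -A OUTPUT -j IptablesChainName || exit 6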
# 这里是关键：对某个 chain 清除已设置的规则
# Flush existing rules from every chain this script owns, so re-running it
# replaces the rule set instead of appending duplicates. Exit codes 7-10 tell
# which chain failed, in creation order.
n=7
for chain in IptablesChainName IptablesChainName-3g IptablesChainName-wifi IptablesChainName-reject
do
  $IPTABLES -F "$chain" || exit $n
  n=$((n+1))
done
# 这里是关键：对某个 chain 添加拦截规则
# Create the reject rule (log disabled): anything that reaches the reject chain
# is answered with REJECT (iptables' default ICMP port-unreachable), so blocked
# apps fail fast instead of hanging on a silent DROP.
if ! $IPTABLES -A IptablesChainName-reject -j REJECT ; then
  exit 11
fi
# 这里最重要：对某个 chain 定义拦截某个网卡的数据，以下为本人搜集到的与 GPRS 相关的网卡
# Main rules (per interface): route outbound traffic on every mobile-data
# interface into the -3g chain. The names below are the ones the author
# collected for GPRS/3G modems on various devices; "+" is iptables' prefix
# wildcard. A bare "exit" propagates the status of the failing iptables call.
for iface in rmnet+ pdp+ ppp+ uwbr+ ccinet+ ccmni+ svnet+ pdp_ip+ wimax+
do
  $IPTABLES -A IptablesChainName -o "$iface" -j IptablesChainName-3g || exit
done
# Next come the rules for the apps to block: every app on Android runs as its
# own Linux uid, so network use can be restricted per uid.
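# Filtering rules: per-app blocking on mobile data. Each Android app runs as
# its own Linux uid; -m owner matches the uid that generated the packet and is
# only meaningful for locally generated traffic, which is why the chain hangs
# off OUTPUT. The uids of the apps to block go in this single list instead of
# one copied command line per app; it is split on whitespace on purpose.
blocked_uids="10001 10002 10003"
for uid in $blocked_uids
do
  $IPTABLES -A IptablesChainName-3g -m owner --uid-owner "$uid" -j IptablesChainName-reject || exit
done
# Running the commands above requires root on Android.
exit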
最后：对于 WiFi 的网络访问设置，原理与 GPRS 一样，只是相应的网卡不同而已。