Enhancement: Block by port, not applications about droidwall HOT 13 CLOSED

Should be pretty straightforward to implement as iptables has options for that.
The only problem I see is how to interpret such rules when overlapping with 
rules referring to applications. 
BTW, it's a bit unfortunate that there are several cases where several 
applications share the same ID.

allow users to set port rules first or application rules first.

Then there is no conflict

That would be great. Some providers offer free traffic on some ports only. For 
example, Bouygues Telecom (France) provides all their users with free traffic 
on port 993, but charges for traffic on port 80 or 25.

This would be nice to have. Currently droidwall seems to block inbound ssh.

Hello all, I have just added a functionality called "Custom Script" on r210.
This will be officially released on the next version (DroidWall 1.5.3).

I know that this is more like a work-around rather than a real fix, but you can 
block by ports using custom scripts. This way we can keep a very simple user 
interface for non-technical users, but full power to advanced users.

I will add more information about CustomScripts in the wiki.

Rodrigo, your app is really great. CustomScripts make it even much more 
powerful.

Chris, DroidWall does not affect inbound connections at all.
Yet for blocking, e.g., ssh one could use the following rule:

$IPTABLES -A INPUT -p TCP --destination-port 22 -j DROP

I'm loving DroidWall. However, I've found the only way I can use DroidWall and 
sshDroid (sshd server on phone) simultaneously is to have DroidWall allow all 
root apps (presumably because it does all it's blocking by UID). I believe if I 
were more familiar with writing iptable rules, I could insert a rule before the 
default block to allow sshd in and out based on port # or some other criteria, 
and then still have all other root processes blocked. 

Can anyone with more knowledge advise me on a custom script I could run to 
achieve this? The linux man page for iptables just about gave me an aneurysm.

[deleted comment]

For specifically allowing sshd, assuming that it listens on port 22, use this:
$IPTABLES -I OUTPUT -j ACCEPT -m owner --uid-owner 0 -p tcp --source-port 22

Thanks DvO! It looks obvious once someone's spelled it out for me. I'm not on a 
wifi network where I feel comfortable enabling sshd (paranoia being the better 
part of security), so I'll have to try it later.

BTW, I've been using the iptables command on the phone to list the current 
rules. Before I came across this thread, I hadn't noticed the CustomScripts 
option. I somehow found the executable iptables_armv5 in the 
/data/data/com.googlecode.droidwall.free/app_bin/ directory, and was running it 
from within Terminal Emulator. 

You can further restrict the use of ssh by allowing only certain machines to 
connect.
Assuming that your PC at home has local IP address 192.168.2.101, 
you may add "--destination 192.168.2.101" to the options.

One might add also some security by obscurity, using a different port than 22.

To block every process that is not an app (except for the kernel), 
you may add /after/ your rule a second one:
iptables -I OUTPUT 2 -j DROP -m owner --uid-owner 0:9999

BTW, using "-I OUTPUT" gives the rules top priority, and they will not be 
cleared by DroidWall. If you use instead as a custom script:

$IPTABLES -I droidwall -j ACCEPT -m owner --uid-owner 0 -p tcp --source-port 22 
--destination 192.168.2.101
$IPTABLES -I droidwall 2 -j droidwall-reject -m owner --uid-owner 0:9999

these rules will be automatically removed when disabling DroidWall. To be on 
the safe side, you may want to add the following as custom /shutdown/ script 
such that every process that is not an app (except for the kernel) will still 
be blocked:

$IPTABLES -I droidwall -j DROP -m owner --uid-owner 0:9999

Worked like a charm! I also put in the non-app block as well as the shutdown 
script. (I'm guessing Android reserves UIDs 0-9999 for non apps, yes?) Thanks!