Android 开源项目Droidwall初探记录

本来有个类似防火墙的功能需要实现，就花了点时间参考了下Droidwall。360的流量控制也是内嵌了Droidwall，有想做这方面的可以研究下这个的源代码。

 

它在v1.5.3  版本中增加了 Added support for custom scripts. See CustomScripts for more details，可以添加一些iptables规则，达到屏蔽网站地址的效果。

 

 

项目地址：https://code.google.com/p/droidwall/
源代码下载地址：http://droidwall.googlecode.com/svn/

 

此应用需要有root权限的手机，我安装的版本v1.5.6 效果图

 

 

关于CustomScripts 具体的使用方法，翻译的不是很准确，用的google翻译，看懂意思就行。

 

Droidwall customscripts 写道

Adding custom rules
If you want to add custom iptables rules, just use the $IPTABLES shell variable to call iptables.

The following iptables chains can be used to add custom rules:
droidwall - This is the main DroidWall chain. All OUTPUT packets will pass through it. It is therefore the perfect place if you want to add rules that apply to any interface.
droidwall-3g - This chain will only receive OUTPUT packets for the cellular network interface (no matter if it is 2G,3G,4G, etc).
droidwall-wifi - This chain will only receive OUTPUT packets for the Wi-Fi interface.
droidwall-reject - This chain should be used as a target when you want to reject and log a packet. When the logging is disabled, this is exactly the same as the built-in REJECT target

Please note that all those chains are guaranteed to be cleared before the custom script is executed, so you don't need to worry about rules cleanup on your script IF you are using those chains.
If you use any chain not listed above, then you need to manually purge it BEFORE adding your custom rules (otherwise the rules will be duplicated every time they are applied). On this case, you will also need to manually purge you rules when the firewall is disabled, by defining a custom shutdown script
IMPORTANT: Never manually purge the OUTPUT chain - this will cause DroidWall rules to be ignored. Use the 'droidwall' chain instead

Examples
始终允许连接到192.168.0.1，无论是界面
# Always allow connections to 192.168.0.1, no matter the interface
$IPTABLES -A droidwall --destination 192.168.0.1 -j RETURN

允许所有连接到本地网络的Wi-Fi（192.168.0.XXX）
# Allow all connections to the local network (192.168.0.XXX) on Wi-fi
$IPTABLES -A droidwall-wifi --destination 192.168.0.0/24 -j RETURN

阻止所有连接的TCP端口80（HTTP）
# Block all connections in the TCP port 80 (http)
$IPTABLES -A droidwall -p TCP --destination-port 80 -j droidwall-reject

封锁HTTP连接，但只对蜂窝界面
# Block HTTP connections, but only on cellular interface
$IPTABLES -A droidwall-3g -p TCP --destination-port 80 -j droidwall-reject

如果你想DroidWall报告规则的失败，你必须手动“退出”的脚本错误。例如：
If you want DroidWall to report failures on your rules, you must manually "exit" from the script on error. E.g.:


尝试运用我的自订规则，但报告任何失败（中止）
# Try to apply my custom rule, but report any failure (and abort)
$IPTABLES -A droidwall --destination 192.168.0.1 -j RETURN || exit

尝试申请另一个自定义的规则，但忽略任何错误
# Try to apply another custom rule, but ignore any errors on it
$IPTABLES -A droidwall -p TCP --destination-port 80 -j droidwall-reject


Loading scripts from files

Big scripts can be quite hard to edit in the "Set custom script" screen, so it may be a good idea to put your script in a file, then load it from there.
To do that, just use the "." (dot) shell command in the "Set custom script" dialog to load your script from an external file. E.g.:

. /path/to/script.sh

This will cause your script file to be loaded and executed every time the rules are applied.

You can even have multiple scripts executed in sequence...

. /path/to/load-modules.sh
. /path/to/myrules.sh
. /path/to/myscript.sh

However, please note that this can create a serious security breach on your device, since the script will be always executed as root! You must place your script where other applications will not be able to modify it (the sdcard is NOT a good place).

大脚本编辑在“设置自定义脚本”屏幕是十分困难的，因此它可能是一个好主意，把你的脚本文件，然后从那里加载。
要做到这一点，只需使用“.” （点）在“设置自定义脚本”对话框，从外部文件加载脚本的shell命令。例如：
. /path/to/script.sh

这将导致您的脚本文件被加载并执行每一个规则的应用。
你甚至可以有多个顺序执行脚本....
. /path/to/load-modules.sh
. /path/to/myrules.sh
. /path/to/myscript.sh