Greetings. This being my first post, I hope it's a good one.
I have a firewall application for Android that uses iptables/ip6tables to help users manage their data and protect themselves from apps that probably have too many permissions (why those get installed to begin with is a different issue). It is built from the original GPLv3 application Droidwall.
I want to have more robust VPN support in the app but I'm having issues with the necessary iptables rules. iptables 1.4.10 or greater is used depending on the Android version (2.2 and up).
The way the app works is this. A number of chains are created.
droidwall
droidwall-3g
droidwall-wifi
droidwall-reject
droidwall is added to the OUTPUT chain.
iptables -A OUTPUT -j droidwall
iptables -I OUTPUT 1 -j droidwall
The DNS port needs to be added, otherwise lookups take a year on Android 3.x or greater.
iptables -A droidwall -m owner --uid-owner 0 -p udp --dport 53 -j RETURN
The WiFi and Cellular radio interface names are then added to their respective chains.
For example for my Galaxy Nexus:
iptables -A droidwall -o rmnet1+ -j droidwall-3g
iptables -A droidwall -o wlan0+ -j droidwall-wifi
Apps are then granted or denied access by users selecting them from a list.
The apps are inserted by the following:
iptables -I droidwall-3g -m owner --uid-owner <app uid> -j RETURN
iptables -I droidwall-3g -m owner --uid-owner <app uid> -j droidwall-reject
What I want is to add a third option allowing VPN access to only those apps which are allowed. As a test I added another chain called droidwall-vpn. I added two interfaces to that chain, tun+ and tun0+, and then granted/denied application access the same way as above. While that allowed the VPN to function, it also allowed ANY application to get data from the VPN. Even applications in droidwall-reject could still access the VPN data stream.
What do I have to do in order to make apps without access to tun+/tun0+ unable to access the VPN data stream?
Any help would be greatly appreciated! Thanks in advance!
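The chain layout the post describes, collected into one script. This is an added example and not Droidwall's own code: it reproduces the setup exactly as posted, including the droidwall-vpn attempt that the poster found does not keep denied apps off the tunnel, and does not answer the question. IPT defaults to echo so the script only prints the commands it would run; run it as root with IPT=iptables to apply them. The interface names are the post's Galaxy Nexus values, the REJECT rule in droidwall-reject and the UID 10042 are assumptions (the post never shows the reject chain's contents), and tun+ already matches tun0, so a single tun+ rule is used.

```shell
#!/bin/sh
# Added example, not Droidwall's own code: builds the chain layout the post
# describes. IPT defaults to "echo" so the script only prints the commands;
# run it as root with IPT=iptables to apply them (ip6tables for IPv6).
IPT="${IPT:-echo}"

# Interface names from the post's Galaxy Nexus; other devices differ.
CELL_IF="${CELL_IF:-rmnet1+}"
WIFI_IF="${WIFI_IF:-wlan0+}"
VPN_IF="${VPN_IF:-tun+}"     # tun+ already covers tun0, so one rule is enough

CHAINS="droidwall droidwall-3g droidwall-wifi droidwall-vpn droidwall-reject"

# Create the chains and hook droidwall into OUTPUT.
setup_chains() {
  for c in $CHAINS; do
    $IPT -N "$c"
  done
  # Insert at position 1 so droidwall runs before any other OUTPUT rule.
  $IPT -I OUTPUT 1 -j droidwall
  # Let root's DNS queries through first; otherwise lookups stall on Android 3.x+.
  $IPT -A droidwall -m owner --uid-owner 0 -p udp --dport 53 -j RETURN
  # Dispatch on the outgoing interface; each chain then applies per-app policy.
  $IPT -A droidwall -o "$CELL_IF" -j droidwall-3g
  $IPT -A droidwall -o "$WIFI_IF" -j droidwall-wifi
  $IPT -A droidwall -o "$VPN_IF" -j droidwall-vpn
  # Assumption: droidwall-reject ends in a REJECT (the post does not show it).
  $IPT -A droidwall-reject -j REJECT
}

# allow_app CHAIN UID: let the app's traffic leave via that interface.
allow_app() {
  $IPT -I "$1" -m owner --uid-owner "$2" -j RETURN
}

# deny_app CHAIN UID: send the app's traffic on that interface to the reject chain.
deny_app() {
  $IPT -I "$1" -m owner --uid-owner "$2" -j droidwall-reject
}

# Undo everything, unhooking from OUTPUT first so the chains can be deleted.
teardown_chains() {
  $IPT -D OUTPUT -j droidwall
  for c in $CHAINS; do
    $IPT -F "$c"
    $IPT -X "$c"
  done
}

# Example policy for a constructed UID 10042: WiFi and VPN allowed, cellular denied.
setup_chains
allow_app droidwall-wifi 10042
allow_app droidwall-vpn  10042
deny_app  droidwall-3g   10042
```

With the default dry run the script prints one iptables argument list per line, which makes it easy to diff a generated ruleset against `iptables -S` on the device; the same functions are reused for ip6tables by setting IPT=ip6tables.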