Maggie144 12 Posted ...

Hello, I'm trying to set up a start-up script for AFWall+, currently using this one:

cat /data/local/iptables-on.sh

```sh
## IPtables On Script ##
## iptables -L
## iptables -S
## iptables -L -t nat

####################
# Tweaks #
####################
# Disable Captive Portal (Connect to http://clients3.google.com via UID 1000)
settings put global captive_portal_mode 0

####################
# iptables #
####################
IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables

# Placeholders: these variables were used but never assigned in the original
# script; set them to your own interfaces/networks before using it.
WAN_IF=wlan0
LAN_IF=rndis0
LAN_NET=192.168.0.0/24

####################
# Purge/Flush #
####################
# All 'afwall' rules/chains get flushed automatically, before the custom script is executed
# Flush/Purge all rules except OUTPUT
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IP6TABLES -F INPUT
$IP6TABLES -F FORWARD
$IP6TABLES -t nat -F
$IP6TABLES -t mangle -F
# Flush/Purge all chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IP6TABLES -X
$IP6TABLES -t nat -X
$IP6TABLES -t mangle -X

####################
# Defaults #
####################
# The user chain TCP is referenced below but was deleted by -X above, so it
# must be created first. Note: no rule jumps to TCP from INPUT, so the rules
# placed in it are inert unless INPUT is linked to it.
$IPTABLES -N TCP
$IP6TABLES -N TCP
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT ! -i lo -s ::1/128 -j DROP
$IP6TABLES -A INPUT -i $WAN_IF -s fe80::/1 -j DROP
$IP6TABLES -A FORWARD -s ::1/128 -j DROP
$IP6TABLES -A FORWARD -i $WAN_IF -s fe80::/1 -j DROP
$IPTABLES -A TCP -i eth0 -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

#####################
# Special Rules #
#####################
# Allow loopback interface lo
$IPTABLES -A "afwall" -o lo -j ACCEPT
# Prevent SYN attacks
$IPTABLES -I TCP -p tcp --match recent --update --seconds 60 --name TCP-PORTSCAN -j DROP
$IP6TABLES -I TCP -p tcp --match recent --update --seconds 60 --name TCP-PORTSCAN -j DROP
$IPTABLES -A INPUT -p tcp --match recent --set --name TCP-PORTSCAN -j DROP
$IP6TABLES -A INPUT -p tcp --match recent --set --name TCP-PORTSCAN -j DROP
# Prevent SMURF attacks
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Set iptables to masquerade
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE
$IPTABLES -A "afwall" --destination "192.168.0.0/24" -j RETURN
# Restore policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Force a specific DNS for mobile networks
# First two lines delete current DNS settings
$IPTABLES -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 139.18.25.34:53 || true
$IPTABLES -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 139.18.25.34:53 || true
# These two lines redirect all outgoing DNS queries to the chosen resolver
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 139.18.25.34:53
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 139.18.25.34:53
# For IPv6 we need to change it in a different way since there is no nat!
$IP6TABLES -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
$IP6TABLES -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Allow all traffic from an established connection
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject correctly
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
```

I don't get why Eddie is failing to connect - without this script it works flawlessly. Would really appreciate your input.
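As an added example (not from the post and not part of AFWall+), a small POSIX sh linter that catches, before a custom script is applied on the device, the three kinds of defect visible in the script above: long options written with one dash or an en-dash, variables that are used but never assigned, and user chains that are referenced but never created. It assumes the chain `afwall` exists because AFWall+ creates it (as the script's own comment says); the sample script it checks is constructed for the demonstration.

```sh
#!/bin/sh
# Static checks for a custom AFWall+ iptables script before it is applied.
# Reports: long options written with a single dash or an en-dash ("-state",
# "–dport"), variables used but never assigned in the file, and chains
# referenced by -A/-I/-D that are neither built in nor created with -N.
# Prints one finding per line; exit status 1 if anything was found.
lint_iptables_script() {
    f="$1"; found=0
    # Chains that exist without being created here: netfilter built-ins plus
    # "afwall", which AFWall+ itself creates before running the custom script.
    known="INPUT OUTPUT FORWARD PREROUTING POSTROUTING afwall"
    # 1. "-state"/"–dport" style options (a real long option needs "--")
    pat='(^|[[:space:]])(–|-)(state|dport|sport|match|limit|name|seconds|icmp-type|reject-with|to-destination)([[:space:]]|$)'
    for n in $(grep -nE -- "$pat" "$f" | cut -d: -f1); do
        echo "line $n: long option written with a single dash or en-dash"; found=1
    done
    # 2. $VAR references with no VAR=... assignment anywhere in the file
    for v in $(grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' "$f" | sort -u); do
        name=${v#\$}
        grep -qE "^[[:space:]]*${name}=" "$f" \
            || { echo "variable $name is used but never assigned"; found=1; }
    done
    # 3. chains appended/inserted/deleted from but never created with -N
    created=$(grep -oE -- '(^|[[:space:]])-N[[:space:]]+[A-Za-z0-9_-]+' "$f" \
              | sed -E 's/.*-N[[:space:]]+//' | tr '\n' ' ')
    for c in $(grep -oE -- '(^|[[:space:]])-(A|I|D)[[:space:]]+"?[A-Za-z0-9_-]+' "$f" \
               | sed -E 's/.*-(A|I|D)[[:space:]]+"?//' | sort -u); do
        case " $known $created " in
            *" $c "*) ;;
            *) echo "chain $c is used but never created (-N $c)"; found=1 ;;
        esac
    done
    return $found
}
# Constructed sample (not the poster's script) reproducing its defect patterns.
write_sample_script() {
    cat > "$1" <<'EOF'
IPTABLES=/system/bin/iptables
$IPTABLES -N MYCHAIN
$IPTABLES -A MYCHAIN -i lo -j ACCEPT
$IPTABLES -A "afwall" -o lo -j ACCEPT
$IPTABLES -A INPUT -m state -state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_IF -p udp –dport 53 -j ACCEPT
$IPTABLES -A TCP -p tcp --dport 22 -j ACCEPT
EOF
}
# Usage: sh lint.sh /data/local/iptables-on.sh
if [ -n "${1:-}" ]; then lint_iptables_script "$1"; fi
```

Run against the sample it reports four findings (two malformed options, the unassigned WAN_IF, and the missing TCP chain) while MYCHAIN and afwall pass.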