I want to have a firewall on my mobile hotspot (for blocking all external traffic except return traffic). Is there an app for that?
No, apps can't do it. It's something at lower level, apps aren't that privileged. VPN apps are a workaround for outgoing connections (because of possible filtering based on UIDs
and SOcket_MARKs
), but not for incoming connections.
My Android isn't rooted, so I would prefer a solution that doesn't require rooting my phone (if possible).
Not possible without root (AFAIK), but with root it's simple; thanks to Linux kernel. Since Android uses default policy ACCEPT
, drop any unwanted packets:
~# iptables -I INPUT -i rmnet_data1 -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP
~# iptables -I FORWARD -i rmnet_data1 -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP
First rule will allow only return traffic for Android device, second for tethered hosts. Replace rmnet_data1
with whatever interface your Mobile Data is using. I hope you won't want to block incoming connections from WiFi interface (wlan0
) to let hotspot work.
Note that iptables
rules on Android are dynamic, netd
keeps on updating them with network changes. So better use these rules with some app like AFWall+.
I'm not an expert but as per my understanding, open ports make sense only when you have a public IP, preferably static, as is the case with fixed line broadband connections and special SIM cards with fixed public IP service. Mobile Network Operators (I assume you are connected to Mobile Data) always do Carrier Grade NAT (sometimes double NAT), basically to address the problem of IPv4 Address Shortage, but it also serves additional interests. They run e.g. transparent caching proxy servers and DNS servers behind this NAT to minimize load on internet bandwidth and to improve performance by reducing latency. When you are behind CGN:
- Your public IP changes e.g. when you move.
- Private IP you get (usually 10.x.x.x) is assigned by MNO's DHCP server, so it keeps on changing e.g. when the lease expires or when you reconnect.
- Even if you get a fixed private IP, your ISP/MNO should forward ports from public IP to your private IP, which they don't. Because there could possibly be hundreds and thousands of customers wishing to forward the same port from same public IP to their devices.
So keeping incoming ports open in this setup serves no purpose except making the MNO's network vulnerable to attacks. And therefore most of the MNOs block incoming connections on all (or under 1024
or at least commonly used) ports. But it can't be tested because of CGN, which - as a side effect - is an additional layer of security, though not a firewall. You have a private IP, not routable on internet, no one can access you from outside, this should be considered security, more or less. That's why VoIP connections are always initiated from clients by letting the STUN
server know where they are. And we have to go for solutions like this to accept incoming connections behind NAT.
there are a few devices (smart TV, game system, etc) which are not at all secure to put onto an open network.
Additionally your Android device is also doing NAT on traffic coming from tethered hosts. And there's no DMZ
, UPnP
or normal Port Forwarding
set up on your Android device. It's another protection layer.
I have reason to believe my carrier's NAT does not block incoming connections
It would be really knowledgeable if you share how did you conclude this. However if you are sure that their NAT can be traversed/bypassed easily without any support from client side, or if you don't have trust on MNO or their firewalls, do consider setting up a strong firewall.
Common users are more focused on the apps installed on the phone; they are the actual spies. They collect personal data, leak information, do analytics, user profiling, tracking and targeted advertisement. So an outgoing firewall is of much importance.
Complicated firewall solutions for incoming connections are required on servers with listening ports. Android devices don't run servers (usually), except a local DHCP
/DNS
server (dnsmasq
) for hotspot. If you run any services which accept connections from internet, it's another valid reason to setup firewall.