dnscrypt-iptables

#!/system/bin/sh

set -e

IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables
##
## PROXY_PORT must also match proxy port value set in dnscrypt-proxy.toml
##
PROXY_PORT=5454

enabled_ipv6 () {
	IPV6_STATE=$( cat /sys/module/ipv6/parameters/disable )
	if [ "$IPV6_STATE" == "0" ]; then
		return 0
	else
		return 1
	fi
}

iptrules_on () {
	iptrules_off
	$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
	$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
	if enabled_ipv6; then
		$IP6TABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:$PROXY_PORT
		$IP6TABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination [::1]:$PROXY_PORT
	fi
}

iptrules_off () {
	iptrules_off_helper "tcp"
	iptrules_off_helper "udp"
	if enabled_ipv6; then
		ip6trules_off_helper "tcp"
		ip6trules_off_helper "udp"
	fi
}

iptrules_off_helper () {
	IPP=$1
	
	while $IPTABLES -n -t nat -L OUTPUT | grep -q "DNAT.*$IPP.*dpt:53.*to:127.0.0.1:$PROXY_PORT" ; do
		$IPTABLES -t nat -D OUTPUT -p $IPP --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
	done
}

ip6trules_off_helper () {
        IPP=$1

        while $IP6TABLES -n -t nat -L OUTPUT | grep -q "DNAT.*$IPP.*dpt:53.*to:\[::1\]:$PROXY_PORT" ; do
                $IP6TABLES -t nat -D OUTPUT -p $IPP --dport 53 -j DNAT --to-destination [::1]:$PROXY_PORT
        done
}

##
## If executed manually via command line, the system properties need
## to be set as well
##
set_prop() {
  PROP_STATE=$( getprop persist.privacy.dnscrypt )
  if [ "$PROP_STATE" != "$1" ]; then
      setprop persist.privacy.dnscrypt $1
  fi
}

do_start () {
	iptrules_on
	set_prop 1
}

do_stop () {    
	iptrules_off
	set_prop 0
}

case "$1" in
  start)
        do_start 
        ;;
  stop)
        do_stop
        ;;
  *)
        echo "Usage: {start|stop}" >&2
        exit 1
        ;;
esac

exit 0