Running a shell script at boot

Source: Internet. Editor: 程序博客网. Time: 2024/06/06 00:36

1. Add the service to init.rc

service ips /system/bin/ips.sh
    user root
    group root
    disabled
    oneshot

on property:sys.boot_completed=1
    start ips

Or

service iptable /system/bin/ips.sh
    class main
    user root
    group root
    oneshot

2. Write the shell script, for example:

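#!/system/bin/sh
# -I inserts at the head of the chain, so the rule inserted last is evaluated first:
# insert the catch-all DROP first, then the rate-limited ACCEPT above it.
iptables -w -I INPUT -j DROP
iptables -w -I INPUT -m limit --limit 50/s -j ACCEPT
iptables -w -I OUTPUT -j DROP
iptables -w -I OUTPUT -m limit --limit 50/s -j ACCEPT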


3. Add SELinux permissions

3.1 Create a new .te file

type ips, domain;
type ips_exec, exec_type, file_type;
init_daemon_domain(ips)    


allow ips proc:file { open read setattr getattr ioctl write};
allow ips ips:rawip_socket { create getopt setopt };
allow ips shell_exec:file { execute read open execute_no_trans getattr };
allow ips system_file:file execute_no_trans;
allow ips ips:capability { net_raw net_admin };
allow ips proc_net:file { read open getattr };

3.2 Add an entry to file_contexts

/system/bin/ips.sh            u:object_r:ips_exec:s0
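
Because `-I` inserts at the head of a chain, the rule the script in step 2 inserts last is the one evaluated first. The check below is an added example, not part of the original post: it reads `iptables -S` output and reports whether the rate-limited ACCEPT is evaluated before the catch-all DROP. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `iptables -S <CHAIN>` output on stdin.
# Returns 0: rate-limited ACCEPT is evaluated before the catch-all DROP
#         1: DROP is evaluated first, so the ACCEPT rule is never reached
#         2: one of the two rules is missing from the chain
check_limit_order() {
    chain="$1"; n=0; accept=0; drop=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A $chain "*) n=$((n + 1)) ;;   # count only this chain's rules
            *) continue ;;                   # skip -P policy lines etc.
        esac
        case "$rule" in
            *"-m limit "*"-j ACCEPT"*) if [ "$accept" -eq 0 ]; then accept=$n; fi ;;
            "-A $chain -j DROP")       if [ "$drop" -eq 0 ]; then drop=$n; fi ;;
        esac
    done
    [ "$accept" -ne 0 ] && [ "$drop" -ne 0 ] || return 2
    [ "$accept" -lt "$drop" ]
}

# Constructed sample: ACCEPT inserted first, DROP inserted second with -I,
# which leaves DROP at the top of the chain.
sample_drop_first() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -j DROP
-A INPUT -m limit --limit 50/sec -j ACCEPT
EOF
}

# Constructed sample: DROP inserted first, ACCEPT inserted second with -I.
sample_limit_first() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m limit --limit 50/sec -j ACCEPT
-A INPUT -j DROP
EOF
}

for s in sample_drop_first sample_limit_first; do
    rc=0; "$s" | check_limit_order INPUT || rc=$?
    echo "$s: status $rc"
done
# On a device, after boot: iptables -w -S INPUT | check_limit_order INPUT
```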