scripts/block_outgoing_http_https_traffic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.0.0

Browse Source
This commit is contained in:
Gilles Mouchet 2025-09-17 13:53:05 +02:00
parent 63a7e17e15
commit 15f86cafb4
8 changed files with 1785 additions and 301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1685
AI.txt Normal file
View File

File diff suppressed because it is too large Load Diff

4
LICENSE
View File

@ -1,4 +1,4 @@
Non-Commercial Use License [template.sh, install.sh] Non-Commercial Use License [stop-output-traffic-http-https.sh]
Copyright (c) [2025] [Gilles Mouchet] Copyright (c) [2025] [Gilles Mouchet]
@ -15,7 +15,7 @@ It is strictly prohibited to:
These scripts are provided "as is," without warranty of any kind. These scripts are provided "as is," without warranty of any kind.
----------------------------------------------------------------------------------------- -----------------------------------------------------------------------------------------
Licence dutilisation non commerciale [template.sh, install.sh] Licence dutilisation non commerciale [stop-output-traffic-http-https.sh]
Copyright (c) [2025] [Gilles Mouchet] Copyright (c) [2025] [Gilles Mouchet]

22
README.md
View File

@ -1,21 +1,17 @@
# Project Name # stop-output-traffic-http-https
TODO: Write a project description
Blocks all outgoing http and https traffic
## Requirements ## Requirements
TODO: Requirments Server proxy
## Installation ## Installation
TODO: Describe the installation process N/A
## Usage ## Usage
TODO: Write usage instructions ./stop-output-traffic-http-https.sh
### Changelog ### Changelog
### [1.0.0] - 2025-09-06 ### [1.0.0] - 2025-09-17
#### Added #### Added
- New features and functionality. - set firewall rules
#### Modified
- Changes to existing functionality (backwards compatible).
#### Fixed
- Bug fixes.
#### Removed
- Deprecated or removed features (breaking changes).
#### Project initialization #### Project initialization
- initialization by [GMo](mailto:gilles.mouchet@gmail.com) - initialization by [GMo](mailto:gilles.mouchet@gmail.com)

100
install.sh
View File

@ -1,100 +0,0 @@
#!/bin/bash
############################################################
# Decription: Install script
# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
# Creation Date: 06-Sep-2025
# Version: 1.0
#
# Changelog:
# V1.0.0 - 06-Sep-2025 - GMo
# Added
# - Creation of script from scratch
#
############################################################
#-----------------------------------------------------------
# FUNCTIONS
#-----------------------------------------------------------
# Function installPacakege if needed
installPackage() {
packageName="$1"
echo "Installation of $packageName..."
case "$packageManager" in
apt)
sudo apt update && sudo apt install -y "$packageName"
;;
dnf)
sudo dnf install -y "$packageName"
;;
esac
if [ $? -eq 0 ]; then
echo "$packageName installed successfully"
else
echo "Error installing $packageName"
exit 1
fi
}
#-----------------------------------------------------------
# variables
fullScriptName=template.sh
shortScriptName=`echo $fullScriptName | sed -e 's|.*/||g' | cut -f1 -d.`
destPath=/usr/local/bin/
configFile=$shortScriptName.conf
configFilePath=/etc/$shortScriptName/
logRotateFile=$shortScriptName
logRotateFilePath=/etc/logrotate.d/$logRotateFile
# check if the effective user ID is 0 (root)
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root or with sudo."
exit 1
fi
# select packet manager if need to install package during install
packageManager=""
if command -v apt &> /dev/null; then
packageManager="apt"
elif command -v dnf &> /dev/null; then
packageManager="dnf"
else
echo "Erreur : No supported package managers (apt, dnf) were found."
exit 1
fi
echo "Package manager detected: $packageManager"
# check if logPath exist
if [ ! -d $configFilePath ]; then
mkdir $configFilePath &> /dev/null
rc=$?
if [ "$rc" != "0" ];then
echo "[ERROR] - An error occurred while creating $configFilePath ($rc)"
else echo "[SUCCESS] - The folder $configFilePath was created successfully."
fi
fi
# install package (example)
installPackage mutt &> /dev/null
# install script
cp $fullScriptName $destPath/. &> /dev/null
rc=$?
if [ "$rc" != "0" ];then
echo "[ERROR] - An error occurred while copying $fullScriptName to $destPath ($rc)"
else echo "[SUCCESS] - The script ${fullScriptName} to $destPath was copied successfully."
fi
# copy config file
cp $configFile $configFilePath &> /dev/null
rc=$?
if [ "$rc" != "0" ];then
echo "[ERROR] - An error occurred while copying $configFile to $configFilePath ($rc)"
else echo "[SUCCESS] - The script $configFile to $configFilepath was copied successfully."
fi
cp $logRotateFile.logrotate $logRotateFilePath &> /dev/null
rc=$?
if [ "$rc" != "0" ];then
echo "[ERROR] - An error occurred while copying $logRotateFile.logrotate to $logRotateFilePath ($rc)"
else echo "[SUCCESS] - The script $logRotateFile.logrotate to $logRotateFilePath was copied successfully."
fi
echo "Installation completed."

89
stop-output-traffic-http-https.sh Executable file
View File

@ -0,0 +1,89 @@
#!/usr/bin/env bash
############################################################
# Decription: Active rule to block
# all http and https OUTPUT.
# To access http and https, you must use proxy
#
# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
# Creation Date: 17-Sep-2025
# Version: 1.0.0
#
# Changelog:
# V1.0.0 - 17-Sep-2025 - GMo
# Added
# - Creation of script from scratch
#
############################################################
#-----------------------------------------------------------------
# DON'T CHANGE ANYTHING FROM HERE
#-----------------------------------------------------------------
version="1.0.0"
set -euo pipefail
# ---------------------- CONFIG ----------------------
PROXY_NAME="proxy.ville-geneve.ch"
PROXY_PORT="8080"
NTP_NAME="ch.pool.ntp.org"
MYCLOUD_NAME="myhomecloud.gmotech.net"
SSH_ALLOWED_IP="0.0.0.0/0" # Ajustez si vous voulez restreindre l'accès SSH entrant
# ---------------------------------------------------
cat << EOF
****************************************************************************
* To prevent handling errors, remove the 'exit' around line 55
* pour prévenire les erreurs de manipulation, enlever le 'exit'
* vers la ligne 55
****************************************************************************
EOF
# Détection automatique de l'interface principale
DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}')
# set proxy IP
PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}')
# Détection du DNS utilisé
DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)
# Résolution de ch.pool.ntp.org -> prend la première IP trouvée
NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}')
# Résolution de myhomecloud.gmotech.net
CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}')
echo "[INFO] Interface réseau détectée : $DEFAULT_IF"
echo "[INFO] DNS détecté : $DNS_IP"
echo "[INFO] NTP résolu : $NTP_IP"
echo "[INFO] CIFS serveur résolu : $CIFS_IP"
## HERE
exit
echo "[INFO] Sauvegarde de l'état nftables actuel"
sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"
echo "[INFO] Réinitialisation et création de la table"
sudo nft flush ruleset
sudo nft add table inet filter
# INPUT : SSH + established + icmp echo-reply
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input icmp type echo-reply accept # réponse ping
# OUTPUT : policy drop
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
# Autorisations OUTPUT
sudo nft add rule inet filter output oif lo accept # Loopback
sudo nft add rule inet filter output tcp dport 22 accept # SSH sortant
sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept # Proxy
sudo nft add rule inet filter output ip daddr $DNS_IP udp dport 53 accept # DNS UDP
sudo nft add rule inet filter output ip daddr $DNS_IP tcp dport 53 accept # DNS TCP
sudo nft add rule inet filter output ip daddr $NTP_IP udp dport 123 accept # NTP
sudo nft add rule inet filter output ip daddr $CIFS_IP tcp dport 445 accept # CIFS/SMB
sudo nft add rule inet filter output icmp type echo-request accept # ping sortant
sudo nft add rule inet filter output tcp dport 25 accept # SMTP (port 25)
sudo nft add rule inet filter output tcp dport 587 accept # SMTP submission (587)
sudo nft add rule inet filter output ct state established,related accept # Réponses aux connexions
echo "[INFO] État final des règles nftables :"
sudo nft list ruleset
echo "[INFO] Script terminé. Autorisé : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."

3
template.conf
View File

@ -1,3 +0,0 @@
# mail recipient
msgRecipient=exploit.gmotech@gmail.com

8
template.logrotate
View File

@ -1,8 +0,0 @@
/var/log/template/template.log {
daily
rotate 7
compress
missingok
notifempty
create 644 root root
}

175
template.sh
View File

@ -1,175 +0,0 @@
#!/bin/bash
############################################################
# Decription: Template script
# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
# Creation Date: 06-Sep-2025
# Version: 1.0.0
#
# Changelog:
# V1.0.0 - 25-Sep-2025 - GMo
# Added
# - Creation of script from scratch
#
############################################################
#-----------------------------------------------------------------
# DON'T CHANGE ANYTHING FROM HERE
#-----------------------------------------------------------------
version="1.0.0"
mailSubject="[SUCCESS] - script result on `hostname`"
mailHeader="my_hdr From: GMO Check System <exploit.gmotech@gmail.com>"
mailBody=""
mailFooter="\n\nTemplate script $version by Exploit GMoTech"
tmpFile=/tmp/list.txt
#-----------------------------------------------------------
# FUNCTIONS
#-----------------------------------------------------------
function usage() {
cat << EOF
Usage: ./$(basename "$0") options
Template script
Options:
-p, --param - display parameters
-h, --help - display this help
-v, --version - display script version
EOF
}
#-----------------------------------------------------------
function sendMail() {
if [ -f "$tmpFile" ];then
echo -e "$mailBody $mailFooter" | mutt -e "$mailHeader" -s "${mailSubject}" $msgRecipient -a $tmpFile
else
echo -e "$mailBody $mailFooter" | mutt -e "$mailHeader" -s "${mailSubject}" $msgRecipient
fi
}
#-----------------------------------------------------------
# Function write log in file log
# parameter
# $1 define entry type (info, warning, error)
# $2 define text
# $3 define display on screen or not (nothing=no, 1=yes)
function log() {
if [ -z "$3" ]; then
displayScreen=0
else displayScreen=1
fi
case "$1" in
I)
logType="[info]"
;;
W)
logType="[warning]"
;;
E)
logType="[error]"
;;
esac
# on screen and logfile
#echo "$(date "+%Y-%m-%d")-$(date "+%H:%M:%S") - $logType - $2" | tee -a "$logFile"
#echo "[$(date "+%Y-%m-%d")-$(date "+%H:%M:%S")] - $logType - $2" >> "$logFile"
# true to display screen to
if [ "${displayScreen}" -eq 1 ];then
echo "[$(date "+%Y-%m-%d")-$(date "+%H:%M:%S")] - $logType - $2" | tee -a "$logFile"
else
echo "[$(date "+%Y-%m-%d")-$(date "+%H:%M:%S")] - $logType - $2" >> "$logFile"
fi
}
#-----------------------------------------------------------
# MAIN
#-----------------------------------------------------------
# check if the effective user ID is 0 (root)
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root or with sudo."
exit 1
fi
# config
progName=`echo $0 | sed -e 's|.*/||g' | cut -f1 -d.`
confDir=/etc/$progName
cfgFile=$confDir/$progName.conf
logPath=/var/log/$progName
logFile=$logPath/$progName.log
# check if conf file or passphrase file exist
if [ ! -f $cfgFile ]; then
echo "$progName not installed correctly. Please run install.sh script"
exit 1
fi
# read config file
. $cfgFile
log I "script start" 1
# check if logPath exist
if [ ! -d $logPath ]; then
mkdir $logPath
fi
# check param exist. Uncomment if your script need parameters
#if [ -z "$1" ]; then
# usage
# exit
#fi
while [[ "$#" -gt 0 ]]; do
case "$1" in
-p|--param)
cat << EOF
-------------------------------------------------------------------------------
Parameters
-------------------------------------------------------------------------------
Defined in script
-------------------------------------------------------------------------------
script name: $progName
config folder: $confDir
config file: $cfgFile
log path: $logPath
log file: $logFile
-------------------------------------------------------------------------------
Defined in $cfgFile
-------------------------------------------------------------------------------
message recipient: $msgRecipient
EOF
exit
;;
version|-v|--version)
cat << EOF
$(basename "$0") v$version (c) 1990 - $(date +%Y) by Gilles Mouchet
Non-Commercial Use License See LICENSE for details
EOF
exit
;;
# must be in the last block of the case because of *
*|help|-h|--help)
usage
exit
;;
esac
shift
done
# success message
log I "send a success message" 1
mailSubject="[SUCCESS] - script result on `hostname`"
mailBody=" This is a success test mail\nHave a good day"
sendMail
# warnig message
log W "send a warning message" 1
mailSubject="[WARNING] - script result on `hostname`"
mailBody=" This is a warning test mail\nHave a good day"
sendMail
# error message
log E "send an error message" 1
cat << EOF > $tmpFile
This file contain the description error
or log file
EOF
mailSubject="[ERROR] - script result on `hostname`"
mailBody=" This is a warning test mail\nHave a good day"
sendMail
rm -rf $tmpFile