From b907c667990ccc03b0ff05304eaff2de43b18517 Mon Sep 17 00:00:00 2001
From: Gilles Mouchet
Date: Wed, 8 Oct 2025 18:32:12 +0200
Subject: [PATCH] update README and comment on script
---
 README.md | 32 +++++++++++++++++--
 ....sh => stop-outgoing-traffic-http-https.sh | 28 ++++++++--------
 2 files changed, 43 insertions(+), 17 deletions(-)
 rename stop-output-traffic-http-https.sh => stop-outgoing-traffic-http-https.sh (82%)
diff --git a/README.md b/README.md
index 569d9be..9c7d6cc 100644
--- a/README.md
+++ b/README.md
@@ -3,16 +3,42 @@ Blocks all outgoing http and https traffic
 ## Requirements
-Server proxy
+Server `proxy` started
 ## Installation
-N/A
+```bash
+cp block_outgoing_http_https_traffic/stop-outgoing-traffic-http-https /usr/local/bin/.
+chmod +x /usr/local/bin/stop-outgoing-traffic-http-https
+```
 ## Usage
-sudo ./stop-output-traffic-http-https.sh
+```bash
+sudo ./stop-outgoing-traffic-http-https.sh
+```
 The script takes a few minutes to apply the rules
+The rules are not persitent. When you reboot the server, the nft rules are removed
+### Test
+#### Proxy on
+```bash
+sudo ./stop-output-traffic-http-https.sh
+sudo proxyOnOff on
+```
+Please logout and then login again
+```bash
+curl -s -o /dev/null --max-time 2 -w "%{http_code}\n" https://gmodocs.dyndns.org
+```
+The command return code **200**
+```bash
+sudo proxyOnOff off
+```
+```bash
+curl -s -o /dev/null --max-time 2 -w "%{http_code}\n" https://gmodocs.dyndns.org
+```
+The command return code **000** (timeout)
+
 ### Changelog
 ### [1.0.0] - 2025-09-17
 #### Added
 - set firewall rules
 #### Project initialization
 - initialization by [GMo](mailto:gilles.mouchet@gmail.com)
+
diff --git a/stop-output-traffic-http-https.sh b/stop-outgoing-traffic-http-https.sh
similarity index 82%
rename from stop-output-traffic-http-https.sh
rename to stop-outgoing-traffic-http-https.sh
index 42bde20..67a0080 100755
--- a/stop-output-traffic-http-https.sh
+++ b/stop-outgoing-traffic-http-https.sh
@@ -36,20 +36,20 @@ SSH_ALLOWED_IP="0.0.0.0/0" # Ajustez si vous voulez restreindre l'accès SSH e
 # ---------------------------------------------------
 cat << EOF
 ****************************************************************************
-* To prevent handling errors, remove the 'exit' around line 55
-* pour prévenire les erreurs de manipulation, enlever le 'exit'
-* vers la ligne 55
+* To prevent handling errors, remove the 'exit' around line 60
+* Pour prévenire les erreurs de manipulation, enlever le 'exit'
+* vers la ligne 60
 ****************************************************************************
 EOF
-# Détection automatique de l'interface principale
+# auto-detect main interface
 DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}')
 # set proxy IP
 PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}')
-# Détection du DNS utilisé
+# detection of DNS used
 DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)
-# Résolution de ch.pool.ntp.org -> prend la première IP trouvée
+# resolving ch.pool.ntp.org -> takes the first IP found
 NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}')
-# Résolution de myhomecloud.gmotech.net
+# resolving myhomecloud.gmotech.net
 CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}')
 echo "[INFO] Interface réseau détectée : $DEFAULT_IF"
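Review bot: The new banner text still pins the safety `exit` to a line number (`around line 60`), which is exactly what drifted from 55 in this commit and will drift again on the next edit; the script already carries a `## HERE` marker next to that `exit`, so `* To prevent handling errors, remove the 'exit' under the '## HERE' marker` would not need maintenance. The rewritten comments on the NTP and CIFS lookups hard-code host names (`ch.pool.ntp.org`, `myhomecloud.gmotech.net`) while the code resolves `$NTP_NAME` and `$MYCLOUD_NAME`, so they mislead as soon as the variables change; `# resolve $NTP_NAME -> first IPv4 found` keeps the comment tied to the code. Separately from the wording, none of the four lookups is checked for an empty result, and because the output chain later gets `policy drop`, a failed proxy or DNS resolution would presumably leave the host with no usable egress after the ruleset is flushed; a guard such as `[[ -n "$PROXY_IP" ]] || { echo "[ERROR] cannot resolve $PROXY_NAME" >&2; exit 1; }` after each lookup stops the script before any rule is touched. The variable definitions these lookups depend on start above this hunk.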
@@ -59,23 +59,23 @@ echo "[INFO] CIFS serveur résolu : $CIFS_IP"
 ## HERE
 exit
-echo "[INFO] Sauvegarde de l'état nftables actuel"
+echo "[INFO] Saving the current state of nftables"
 sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"
-echo "[INFO] Réinitialisation et création de la table"
+echo "[INFO] Resetting and creating the table"
 sudo nft flush ruleset
 sudo nft add table inet filter
-# INPUT : SSH + established + icmp echo-reply
+# input : ssh + established + icmp echo-reply
 sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
 sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept
 sudo nft add rule inet filter input ct state established,related accept
 sudo nft add rule inet filter input icmp type echo-reply accept # réponse ping
-# OUTPUT : policy drop
+# output : policy drop
 sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
-# Autorisations OUTPUT
+# autorisations output
 sudo nft add rule inet filter output oif lo accept # Loopback
 sudo nft add rule inet filter output tcp dport 22 accept # SSH sortant
 sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept # Proxy
@@ -88,7 +88,7 @@ sudo nft add rule inet filter output tcp dport 25 accept # SMTP
 sudo nft add rule inet filter output tcp dport 587 accept # SMTP submission (587)
 sudo nft add rule inet filter output ct state established,related accept # Réponses aux connexions
-echo "[INFO] État final des règles nftables :"
+echo "[INFO] Final state of nftables rules :"
 sudo nft list ruleset
-echo "[INFO] Script terminé. Autorisé : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."
\ No newline at end of file
+echo "[INFO] Script completed. Authorized. : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."
\ No newline at end of file
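Review bot: The translated comment `# autorisations output` keeps the French spelling and says little about what follows; `# output: explicitly allowed destinations` reads as intended. The same hunk shows the ruleset being rebuilt as a series of separate `sudo nft add` calls after `sudo nft flush ruleset`, so the input chain exists with `policy drop` before its SSH and `ct state established,related accept` rules are added, and the output chain is created with `policy drop` before any of its accept rules; each gap is short, but it can drop packets of the very SSH session the script is run from, and if any intermediate `nft add` fails the host is left in a partially applied state. Writing the rules into a file and loading them with a single `nft -f` call applies the whole ruleset atomically and avoids both problems. The remaining accept rules of the output chain continue past this hunk.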
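Review bot: The new final message is only half translated and has a stray period (`Authorized. : loopback, ... ping et SMTP (25,587). Tout le reste est bloqué.`); `echo "[INFO] Script completed. Allowed: loopback, proxy, DNS, NTP, SSH, CIFS, ping and SMTP (25,587). Everything else is blocked."` states the same thing consistently. The heading two lines above keeps the French space before the colon (`rules :`); `echo "[INFO] Final state of nftables rules:"` matches the other `[INFO]` lines. The `\ No newline at end of file` marker shows the commit also leaves the file without a trailing newline, which is worth fixing while this line is being touched.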