update README and comment on script

This commit is contained in:
Gilles Mouchet 2025-10-08 18:32:12 +02:00
parent c3ce50d058
commit b907c66799
2 changed files with 43 additions and 17 deletions


@ -3,16 +3,42 @@
Blocks all outgoing http and https traffic Blocks all outgoing http and https traffic
## Requirements ## Requirements
Server proxy Server `proxy` started
## Installation ## Installation
N/A ```bash
cp block_outgoing_http_https_traffic/stop-outgoing-traffic-http-https /usr/local/bin/.
chmod +x /usr/local/bin/stop-outgoing-traffic-http-https
```
## Usage ## Usage
sudo ./stop-output-traffic-http-https.sh ```bash
sudo ./stop-outgoing-traffic-http-https.sh
```
The script takes a few minutes to apply the rules The script takes a few minutes to apply the rules
The rules are not persitent. When you reboot the server, the nft rules are removed
### Test
#### Proxy on
```bash
sudo ./stop-output-traffic-http-https.sh
sudo proxyOnOff on
```
Please logout and then login again
```bash
curl -s -o /dev/null --max-time 2 -w "%{http_code}\n" https://gmodocs.dyndns.org
```
The command return code **200**
```bash
sudo proxyOnOff off
```
```bash
curl -s -o /dev/null --max-time 2 -w "%{http_code}\n" https://gmodocs.dyndns.org
```
The command return code **000** (timeout)
### Changelog ### Changelog
### [1.0.0] - 2025-09-17 ### [1.0.0] - 2025-09-17
#### Added #### Added
- set firewall rules - set firewall rules
#### Project initialization #### Project initialization
- initialization by [GMo](mailto:gilles.mouchet@gmail.com) - initialization by [GMo](mailto:gilles.mouchet@gmail.com)


@ -36,20 +36,20 @@ SSH_ALLOWED_IP="0.0.0.0/0" # Ajustez si vous voulez restreindre l'accès SSH e
# --------------------------------------------------- # ---------------------------------------------------
cat << EOF cat << EOF
**************************************************************************** ****************************************************************************
* To prevent handling errors, remove the 'exit' around line 55 * To prevent handling errors, remove the 'exit' around line 60
* pour prévenire les erreurs de manipulation, enlever le 'exit' * Pour prévenire les erreurs de manipulation, enlever le 'exit'
* vers la ligne 55 * vers la ligne 60
**************************************************************************** ****************************************************************************
EOF EOF
# Détection automatique de l'interface principale # auto-detect main interface
DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}') DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}')
# set proxy IP # set proxy IP
PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}') PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}')
# Détection du DNS utilisé # detection of DNS used
DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf) DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)
# Résolution de ch.pool.ntp.org -> prend la première IP trouvée # resolving ch.pool.ntp.org -> takes the first IP found
NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}') NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}')
# Résolution de myhomecloud.gmotech.net # resolving myhomecloud.gmotech.net
CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}') CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}')
echo "[INFO] Interface réseau détectée : $DEFAULT_IF" echo "[INFO] Interface réseau détectée : $DEFAULT_IF"
@ -59,23 +59,23 @@ echo "[INFO] CIFS serveur résolu : $CIFS_IP"
## HERE ## HERE
exit exit
echo "[INFO] Sauvegarde de l'état nftables actuel" echo "[INFO] Saving the current state of nftables"
sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt" sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"
echo "[INFO] Réinitialisation et création de la table" echo "[INFO] Resetting and creating the table"
sudo nft flush ruleset sudo nft flush ruleset
sudo nft add table inet filter sudo nft add table inet filter
# INPUT : SSH + established + icmp echo-reply # input : ssh + established + icmp echo-reply
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; } sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept
sudo nft add rule inet filter input ct state established,related accept sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input icmp type echo-reply accept # réponse ping sudo nft add rule inet filter input icmp type echo-reply accept # réponse ping
# OUTPUT : policy drop # output : policy drop
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; } sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
# Autorisations OUTPUT # autorisations output
sudo nft add rule inet filter output oif lo accept # Loopback sudo nft add rule inet filter output oif lo accept # Loopback
sudo nft add rule inet filter output tcp dport 22 accept # SSH sortant sudo nft add rule inet filter output tcp dport 22 accept # SSH sortant
sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept # Proxy sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept # Proxy
@ -88,7 +88,7 @@ sudo nft add rule inet filter output tcp dport 25 accept # SMTP
sudo nft add rule inet filter output tcp dport 587 accept # SMTP submission (587) sudo nft add rule inet filter output tcp dport 587 accept # SMTP submission (587)
sudo nft add rule inet filter output ct state established,related accept # Réponses aux connexions sudo nft add rule inet filter output ct state established,related accept # Réponses aux connexions
echo "[INFO] État final des règles nftables :" echo "[INFO] Final state of nftables rules :"
sudo nft list ruleset sudo nft list ruleset
echo "[INFO] Script terminé. Autorisé : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué." echo "[INFO] Script completed. Authorized. : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."
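Review bot: The addresses produced by the three `getent ahostsv4` lookups in the first hunk (`PROXY_IP`, `NTP_IP`, `CIFS_IP`) and `DNS_IP` from resolv.conf are used without any check, so a failed lookup leaves the variable empty and the matching accept rule in the later hunk (`ip daddr $PROXY_IP tcp dport $PROXY_PORT accept`) is rejected by nft after `nft flush ruleset` and the output chain's `policy drop` have already been applied, leaving the host without outbound access to that service while the script still prints "Script completed". Before the `nft flush ruleset` line I would add `for v in DEFAULT_IF PROXY_IP DNS_IP NTP_IP CIFS_IP; do [[ -n "${!v}" ]] || { echo "[ERROR] $v is empty, name resolution or interface detection failed" >&2; exit 1; }; done` and quote the expansions handed to getent (`"$PROXY_NAME"`, `"$NTP_NAME"`, `"$MYCLOUD_NAME"`). If the script does not already enable `set -e` above the first hunk, a non-zero status from any `nft add rule` would likewise go unnoticed, which is worth an explicit `|| exit 1` on the SSH accept rule at least. The code between the resolution block and the flush, and the top of the script, are outside the shown hunks. Minor: the final status line is only half translated (`Authorized. : … ping et SMTP (25,587). Tout le reste est bloqué.`).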