Compare commits

..

No commits in common. "master" and "v1.0.0" have entirely different histories.

2 changed files with 17 additions and 43 deletions

View File

@ -3,37 +3,12 @@
Blocks all outgoing http and https traffic Blocks all outgoing http and https traffic
## Requirements ## Requirements
Server `proxy` started Server proxy
## Installation ## Installation
```bash N/A
sudo cp block_outgoing_http_https_traffic/stop-outgoing-traffic-http-https.sh /usr/local/bin/.
sudo chmod +x /usr/local/bin/stop-outgoing-traffic-http-https.sh
```
## Usage ## Usage
```bash
sudo ./stop-outgoing-traffic-http-https.sh
```
The script takes a few minutes to apply the rules
The rules are not persitent. When you reboot the server, the nft rules are removed
### Test
#### Proxy on
```bash
sudo ./stop-output-traffic-http-https.sh sudo ./stop-output-traffic-http-https.sh
sudo proxyOnOff on The script takes a few minutes to apply the rules
```
Please logout and then login again
```bash
curl -s -o /dev/null --max-time 2 -w "%{http_code}\n" https://gmodocs.dyndns.org
```
The command return code **200**
```bash
sudo proxyOnOff off
```
```bash
curl -s -o /dev/null --max-time 2 -w "%{http_code}\n" https://gmodocs.dyndns.org
```
The command return code **000** (timeout)
### Changelog ### Changelog
### [1.0.0] - 2025-09-17 ### [1.0.0] - 2025-09-17
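Review bot: the script is named inconsistently within this README, at the Installation, Usage and Test lines: Installation copies and chmods `stop-outgoing-traffic-http-https.sh` and Usage runs `sudo ./stop-outgoing-traffic-http-https.sh`, but the Test section runs `sudo ./stop-output-traffic-http-https.sh` in both columns, which fails with "No such file or directory" against the installed name. Use one name, and since Installation puts it in /usr/local/bin, invoke it as `sudo stop-outgoing-traffic-http-https.sh` rather than with `./`. The test procedure only proves that the proxy path works (200 with proxyOnOff on, 000 with it off); it never shows that a direct connection that bypasses the proxy is dropped, which is the property the script exists to enforce, so add a probe such as `curl --noproxy '*' ... https://...` that is expected to time out with 000 even while the proxy is on. The "Please logout and then login again" step implies proxyOnOff sets the proxy through the login shell's environment; say so. The warning that the rules are not persistent and disappear on reboot appears in only one column of this hunk and should survive in whichever version ships ("persitent" is a typo for "persistent").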
@ -41,4 +16,3 @@ The command return code **000** (timeout)
- set firewall rules - set firewall rules
#### Project initialization #### Project initialization
- initialization by [GMo](mailto:gilles.mouchet@gmail.com) - initialization by [GMo](mailto:gilles.mouchet@gmail.com)
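Review bot: the 1.0.0 changelog entry "set firewall rules" omits the operational caveats a user needs before running the script: the existing ruleset is flushed and replaced wholesale, the rules are not persistent across reboot, and an `exit` guard has to be removed from the script first. Record them in the entry or point to the README section that states them.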

View File

@ -36,20 +36,20 @@ SSH_ALLOWED_IP="0.0.0.0/0" # Ajustez si vous voulez restreindre l'accès SSH e
# --------------------------------------------------- # ---------------------------------------------------
cat << EOF cat << EOF
**************************************************************************** ****************************************************************************
* To prevent handling errors, remove the 'exit' around line 60 * To prevent handling errors, remove the 'exit' around line 55
* Pour prévenire les erreurs de manipulation, enlever le 'exit' * pour prévenire les erreurs de manipulation, enlever le 'exit'
* vers la ligne 60 * vers la ligne 55
**************************************************************************** ****************************************************************************
EOF EOF
# auto-detect main interface # Détection automatique de l'interface principale
DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}') DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}')
# set proxy IP # set proxy IP
PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}') PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}')
# detection of DNS used # Détection du DNS utilisé
DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf) DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)
# resolving ch.pool.ntp.org -> takes the first IP found # Résolution de ch.pool.ntp.org -> prend la première IP trouvée
NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}') NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}')
# resolving myhomecloud.gmotech.net # Résolution de myhomecloud.gmotech.net
CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}') CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}')
echo "[INFO] Interface réseau détectée : $DEFAULT_IF" echo "[INFO] Interface réseau détectée : $DEFAULT_IF"
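Review bot: the banner at the top of the hunk tells the user to remove the `exit` "around line 60" in one column and "around line 55" in the other, but the `exit` sits at line 60 in both versions (the next hunk starts at line 59 and the `exit` is its second line), so the right-hand reference is already wrong; hard-coded line numbers drift with every edit. Replace the edit-the-script guard with an explicit opt-in such as a DRY_RUN-style variable or a required `--apply` argument checked before the first nft call. The resolution lines `PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}')`, `NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}')` and `CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}')` have no error handling: when a lookup fails the variable is empty, nothing stops the script, and the later `ip daddr $PROXY_IP` rule either errors out or never matches, leaving the host under a drop policy with no proxy path. Add `set -euo pipefail`, quote the variables, and abort if any of DEFAULT_IF, PROXY_IP, DNS_IP, NTP_IP or CIFS_IP is empty. Two of the values are also unreliable: `ch.pool.ntp.org` is a rotating pool, so the single address pinned here will often differ from the one the NTP client resolves later and NTP is then dropped (pin a fixed server instead); and the first `nameserver` in /etc/resolv.conf is the 127.0.0.53 stub on systemd-resolved hosts, so DNS_IP whitelists the stub while the stub's own upstream queries are blocked by the output policy (read the real upstream from `resolvectl status` or allow port 53 to the configured resolvers). DEFAULT_IF is detected and printed but no rule in the visible hunks uses it.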
@ -59,23 +59,23 @@ echo "[INFO] CIFS serveur résolu : $CIFS_IP"
## HERE ## HERE
exit exit
echo "[INFO] Saving the current state of nftables" echo "[INFO] Sauvegarde de l'état nftables actuel"
sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt" sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"
echo "[INFO] Resetting and creating the table" echo "[INFO] Réinitialisation et création de la table"
sudo nft flush ruleset sudo nft flush ruleset
sudo nft add table inet filter sudo nft add table inet filter
# input : ssh + established + icmp echo-reply # INPUT : SSH + established + icmp echo-reply
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; } sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept
sudo nft add rule inet filter input ct state established,related accept sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input icmp type echo-reply accept # réponse ping sudo nft add rule inet filter input icmp type echo-reply accept # réponse ping
# output : policy drop # OUTPUT : policy drop
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; } sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
# autorisations output # Autorisations OUTPUT
sudo nft add rule inet filter output oif lo accept # Loopback sudo nft add rule inet filter output oif lo accept # Loopback
sudo nft add rule inet filter output tcp dport 22 accept # SSH sortant sudo nft add rule inet filter output tcp dport 22 accept # SSH sortant
sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept # Proxy sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept # Proxy
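Review bot: the input chain has no loopback accept. The output chain accepts `oif lo`, but input is policy drop and accepts only SSH, established/related and echo-reply, so the first packet of any connection to 127.0.0.1 (including the 127.0.0.53 stub resolver this script whitelists as DNS_IP) is dropped on its way back in; add `sudo nft add rule inet filter input iif lo accept` ahead of the other input rules. The backup line `sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"` performs the redirection in the calling shell, not under sudo, so when an unprivileged user runs the script the write to /root fails and, with no `set -e`, the very next line `sudo nft flush ruleset` still runs and destroys the ruleset without a backup (the README runs the whole script under sudo, which makes the inner sudos redundant anyway). `nft flush ruleset` also removes every table on the host, not only this script's, so rules installed by Docker, fail2ban, libvirt or a distro firewall vanish; delete and recreate only `inet filter`. The table is `inet` but every address match is `ip ...`, so IPv6 has no SSH or proxy path, and with no icmpv6 accept neighbour discovery is dropped as well; either handle icmpv6 or state that IPv6 is intentionally cut. The `icmp type echo-reply accept` rule only admits replies to the host's own pings, which established/related already covers; if the intent is for the server to answer pings, the rule needs `echo-request`. Finally `tcp dport 22 accept` on output permits SSH to any host on the Internet, an easy tunnel around the HTTP/HTTPS block the README advertises; restrict it by destination the way the proxy rule does with `ip daddr $PROXY_IP tcp dport $PROXY_PORT`.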
@ -88,7 +88,7 @@ sudo nft add rule inet filter output tcp dport 25 accept # SMTP
sudo nft add rule inet filter output tcp dport 587 accept # SMTP submission (587) sudo nft add rule inet filter output tcp dport 587 accept # SMTP submission (587)
sudo nft add rule inet filter output ct state established,related accept # Réponses aux connexions sudo nft add rule inet filter output ct state established,related accept # Réponses aux connexions
echo "[INFO] Final state of nftables rules :" echo "[INFO] État final des règles nftables :"
sudo nft list ruleset sudo nft list ruleset
echo "[INFO] Script completed. Authorized. : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué." echo "[INFO] Script terminé. Autorisé : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."
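Review bot: `tcp dport 25 accept` and `tcp dport 587 accept` on output carry no destination match, so the host can deliver mail, or anything tunnelled over those ports, to any server; that contradicts the closing "everything else is blocked" message and makes the box a spam source if compromised. Pin both to the mail relay the way the proxy rule pins `ip daddr $PROXY_IP`. The final echo is a static string that always reports loopback, proxy, DNS, NTP, SSH, CIFS, ping and SMTP as authorized even when an earlier `nft add rule` failed (nothing above checks return codes), so either check each call or let `nft list ruleset` speak for itself. Nothing here persists the ruleset; save it to /etc/nftables.conf and enable the nftables service, or at least repeat the README's warning that the rules are lost on reboot in the script's own output.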