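#!/usr/bin/env bash
############################################################
# Description: Active rule to block
#              all http and https OUTPUT.
#              To access http and https, you must use proxy
#
# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
# Creation Date: 17-Sep-2025
# Version: 1.0.0
#
# Changelog:
# V1.0.0 - 17-Sep-2025 - GMo
#   Added
#     - Creation of script from scratch
#
# Requirements: a user with sudo rights; nft, ip, getent, awk, date, tee.
#
# Safety model:
#   1. every host name is resolved and every address validated BEFORE the
#      current ruleset is touched (an empty value would otherwise produce a
#      broken "ip daddr  tcp dport ..." rule half-way through the load);
#   2. the current ruleset is backed up as root;
#   3. flush + all new rules are loaded in ONE 'nft -f' transaction, so a
#      rejected rule leaves the previous ruleset in place instead of a
#      half-built drop-all output policy that kills the SSH session.
############################################################

#-----------------------------------------------------------------
# DON'T CHANGE ANYTHING FROM HERE
#-----------------------------------------------------------------
# shellcheck disable=SC2034  # informational, kept for the changelog
version="1.0.0"
set -euo pipefail

# ---------------------- CONFIG ----------------------
PROXY_NAME="proxy.ville-geneve.ch"
PROXY_PORT="8080"
NTP_NAME="ch.pool.ntp.org"
MYCLOUD_NAME="myhomecloud.gmotech.net"
SSH_ALLOWED_IP="0.0.0.0/0"  # Adjust if you want to restrict inbound SSH
BACKUP_DIR="/root"          # Where the pre-change ruleset backup is written
# ---------------------------------------------------

#######################################
# Print an error message to stderr and abort.
# Arguments: message words
# Returns:   never (exit 1)
#######################################
die() {
  printf '[ERROR] %s\n' "$*" >&2
  exit 1
}

#######################################
# Resolve a host name to its first IPv4 address via the system resolver.
# Arguments: $1 - host name
# Outputs:   the address on stdout
# Returns:   non-zero when the name does not resolve (getent exit status,
#            propagated through pipefail)
#######################################
resolve4() {
  getent ahostsv4 "$1" | awk '{print $1; exit}'
}

#######################################
# Abort unless a value is a dotted-quad IPv4 address, optionally with a
# /prefix. Every such value is interpolated into the nft ruleset below, so
# anything else would either break the load or yield a wrong rule.
# Arguments: $1 - variable name (for the message), $2 - value to check
#######################################
require_ipv4() {
  local name=$1 value=$2
  [[ "$value" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] \
    || die "$name is not a valid IPv4 address: '${value}'"
}

cat << 'EOF'
****************************************************************************
* To prevent handling errors, remove the 'exit' below the '## HERE' marker
* pour prévenir les erreurs de manipulation, enlever le 'exit'
* sous le marqueur '## HERE'
****************************************************************************
EOF

# Auto-detect the main interface (informational only; no rule uses it,
# so a missing default route must not abort the script).
DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}') || DEFAULT_IF=""

# Proxy IP
PROXY_IP=$(resolve4 "$PROXY_NAME") || die "cannot resolve proxy ${PROXY_NAME}"

# DNS server in use. NOTE: with systemd-resolved this is 127.0.0.53, which
# the loopback rule covers; the upstream resolver is then reached by
# systemd-resolved itself and must be allowed separately if needed.
DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf) \
  || die "cannot read /etc/resolv.conf"

# Resolve the NTP pool -> first address returned
NTP_IP=$(resolve4 "$NTP_NAME") || die "cannot resolve NTP ${NTP_NAME}"

# Resolve the CIFS/SMB server
CIFS_IP=$(resolve4 "$MYCLOUD_NAME") || die "cannot resolve CIFS ${MYCLOUD_NAME}"

# Validate everything that goes into the ruleset before anything is flushed.
require_ipv4 PROXY_IP "$PROXY_IP"
require_ipv4 DNS_IP "$DNS_IP"
require_ipv4 NTP_IP "$NTP_IP"
require_ipv4 CIFS_IP "$CIFS_IP"
require_ipv4 SSH_ALLOWED_IP "$SSH_ALLOWED_IP"
[[ "$PROXY_PORT" =~ ^[0-9]+$ ]] || die "PROXY_PORT must be numeric: '${PROXY_PORT}'"

echo "[INFO] Interface réseau détectée : $DEFAULT_IF"
echo "[INFO] DNS détecté : $DNS_IP"
echo "[INFO] NTP résolu : $NTP_IP"
echo "[INFO] CIFS serveur résolu : $CIFS_IP"

## HERE
# Safety catch: nothing below runs until this 'exit' is removed on purpose.
exit

echo "[INFO] Sauvegarde de l'état nftables actuel"
backup_file="${BACKUP_DIR}/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"
# The redirection must also run as root: a plain '>' is opened by the
# unprivileged shell and fails on /root, aborting the script under set -e.
sudo nft list ruleset | sudo tee "$backup_file" >/dev/null
echo "[INFO] Sauvegarde écrite : $backup_file"

echo "[INFO] Réinitialisation et création de la table"
# One transaction: nft parses and validates the whole file before applying
# it, so flush + rules either all succeed or nothing changes.
# NOTE(review): an 'inet' table with policy drop also drops all IPv6,
# including ICMPv6 neighbour discovery; add icmpv6 rules if IPv6 is in use.
sudo nft -f - <<EOF
flush ruleset
table inet filter {
  # INPUT : SSH + established + icmp echo-reply
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    tcp dport 22 ip saddr ${SSH_ALLOWED_IP} accept
    icmp type echo-reply accept                            # ping replies
  }

  # OUTPUT : policy drop, only the listed destinations are allowed.
  # established,related comes first so the SSH session running this
  # script keeps working from the instant the ruleset is swapped.
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept                    # replies to existing connections
    oif lo accept                                          # loopback
    tcp dport 22 accept                                    # outbound SSH
    ip daddr ${PROXY_IP} tcp dport ${PROXY_PORT} accept    # proxy
    ip daddr ${DNS_IP} udp dport 53 accept                 # DNS UDP
    ip daddr ${DNS_IP} tcp dport 53 accept                 # DNS TCP
    ip daddr ${NTP_IP} udp dport 123 accept                # NTP
    ip daddr ${CIFS_IP} tcp dport 445 accept               # CIFS/SMB
    icmp type echo-request accept                          # outbound ping
    tcp dport 25 accept                                    # SMTP (port 25)
    tcp dport 587 accept                                   # SMTP submission (587)
  }
}
EOF

echo "[INFO] État final des règles nftables :"
sudo nft list ruleset
echo "[INFO] Script terminé. Autorisé : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."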