block_outgoing_http_https_t.../stop-outgoing-traffic-http-https.sh

#!/usr/bin/env bash
############################################################
# Decription: Active rule to block
#             all http and https OUTPUT.
#             To access http and https, you must use proxy
#
# Author: Gilles Mouchet (gilles.mouchet@gmail.com)
# Creation Date: 17-Sep-2025
# Version: 1.0.0
#
# Changelog:
#    V1.0.0 - 17-Sep-2025 - GMo
#      Added
#      - Creation of script from scratch
#
############################################################

#-----------------------------------------------------------------
# DON'T CHANGE ANYTHING FROM HERE
#-----------------------------------------------------------------
version="1.0.0"

set -euo pipefail

# check if the effective user ID is 0 (root)
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root or with sudo."
   exit 1
fi
# ---------------------- CONFIG ----------------------
PROXY_NAME="proxy.ville-geneve.ch"
PROXY_PORT="8080"
NTP_NAME="ch.pool.ntp.org"
MYCLOUD_NAME="myhomecloud.gmotech.net"
SSH_ALLOWED_IP="0.0.0.0/0"   # Ajustez si vous voulez restreindre l'accès SSH entrant
# ---------------------------------------------------
cat << EOF
****************************************************************************
* To prevent handling errors, remove the 'exit' around line 60
* Pour prévenire les erreurs de manipulation, enlever le 'exit'
* vers la ligne 60
****************************************************************************
EOF
# auto-detect main interface
DEFAULT_IF=$(ip route | awk '/^default/ {print $5; exit}')
# set proxy IP
PROXY_IP=$(getent ahostsv4 $PROXY_NAME | awk '{print $1; exit}')
# detection of DNS used
DNS_IP=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)
# resolving ch.pool.ntp.org -> takes the first IP found
NTP_IP=$(getent ahostsv4 $NTP_NAME | awk '{print $1; exit}')
# resolving myhomecloud.gmotech.net
CIFS_IP=$(getent ahostsv4 $MYCLOUD_NAME | awk '{print $1; exit}')

echo "[INFO] Interface réseau détectée : $DEFAULT_IF"
echo "[INFO] DNS détecté : $DNS_IP"
echo "[INFO] NTP résolu : $NTP_IP"
echo "[INFO] CIFS serveur résolu : $CIFS_IP"
## HERE
exit

echo "[INFO] Saving the current state of nftables"
sudo nft list ruleset > "/root/nftables-backup-$(date +%Y%m%d-%H%M%S).txt"

echo "[INFO] Resetting and creating the table"
sudo nft flush ruleset
sudo nft add table inet filter

# input : ssh + established + icmp echo-reply
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add rule inet filter input tcp dport 22 ip saddr $SSH_ALLOWED_IP accept
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input icmp type echo-reply accept   # réponse ping

# output : policy drop
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }

# autorisations output
sudo nft add rule inet filter output oif lo accept                        # Loopback
sudo nft add rule inet filter output tcp dport 22 accept                  # SSH sortant
sudo nft add rule inet filter output ip daddr $PROXY_IP tcp dport $PROXY_PORT accept  # Proxy
sudo nft add rule inet filter output ip daddr $DNS_IP udp dport 53 accept # DNS UDP
sudo nft add rule inet filter output ip daddr $DNS_IP tcp dport 53 accept # DNS TCP
sudo nft add rule inet filter output ip daddr $NTP_IP udp dport 123 accept # NTP
sudo nft add rule inet filter output ip daddr $CIFS_IP tcp dport 445 accept # CIFS/SMB
sudo nft add rule inet filter output icmp type echo-request accept        # ping sortant
sudo nft add rule inet filter output tcp dport 25 accept                  # SMTP (port 25)
sudo nft add rule inet filter output tcp dport 587 accept                 # SMTP submission (587)
sudo nft add rule inet filter output ct state established,related accept  # Réponses aux connexions

echo "[INFO] Final state of nftables rules :"
sudo nft list ruleset

echo "[INFO] Script completed. Authorized. : loopback, proxy, DNS, NTP, SSH, CIFS, ping et SMTP (25,587). Tout le reste est bloqué."