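#!/usr/bin/fish
# Build two firewalld policies from Google's published prefix list
# (https://www.gstatic.com/ipranges/goog.json) so that, from this host:
#   - IPv4 traffic to Google prefixes is rejected (8.8.x.x stays reachable),
#   - IPv6 traffic is rejected except to Google prefixes,
#   - all other IPv4 traffic is accepted.
# The policies are then loaded with `firewall-cmd --reload` and the resulting
# reachability is probed with curl; any unexpected result exits non-zero.
#
# NOTE(review): writing under /etc/firewalld/policies and firewall-cmd --reload
# need root, but only the package install below is wrapped in sudo, so the
# script is presumably meant to be run as root.

# Install the tools used below: xmlstarlet builds the policy XML, jq parses goog.json.
switch (id -u)
    case 0
        dnf install -y xmlstarlet jq
    case "*"
        sudo dnf install -y xmlstarlet jq
end

# Fetch the prefix list. --fail turns an HTTP error into empty output, and an
# empty download aborts here: without this check a failed fetch would silently
# produce policies with no Google prefixes at all (Google IPv4 fully reachable,
# every IPv6 destination rejected), i.e. the "reject Google IPv4" intent fails open.
set goog_json (curl -sSfL https://www.gstatic.com/ipranges/goog.json | string collect)
if test -z "$goog_json"
    echo "failed to download goog.json" >&2
    exit 1
end
set google_ipv4 (printf '%s\n' "$goog_json" | jq --raw-output '.prefixes[] | [.ipv4Prefix][] | select(. != null)')
set google_ipv6 (printf '%s\n' "$goog_json" | jq --raw-output '.prefixes[] | [.ipv6Prefix][] | select(. != null)')
# jq on malformed JSON yields an empty list; refuse to write empty policies.
if test (count $google_ipv4) -eq 0; or test (count $google_ipv6) -eq 0
    echo "no prefixes parsed from goog.json" >&2
    exit 1
end

# Policy 1 (HOST -> ANY, priority -10): one reject rule per Google IPv4 prefix.
# target=CONTINUE so traffic not matched here falls through to policy 2.
set policy_1 /etc/firewalld/policies/reject-google-ipv4.xml
echo -e '<?xml version="1.0" encoding="utf-8"?>\n<policy/>' >$policy_1
xmlstarlet ed -L \
    -s /policy -t attr -n target -v CONTINUE \
    -s /policy -t attr -n priority -v -10 \
    -s /policy -t elem -n ingress-zone \
    -s /policy -t elem -n egress-zone \
    -s /policy -t elem -n short -v "Reject google IPv4" \
    -s /policy -t elem -n description -v "Reject google IPv4." \
    -s /policy/ingress-zone -t attr -n name -v HOST \
    -s /policy/egress-zone -t attr -n name -v ANY \
    $policy_1
for cidr in $google_ipv4
    # Leave the 8.8.x.x prefixes reachable.
    if string match -q "8.8.*.*/*" $cidr
        continue
    end
    xmlstarlet ed -L \
        -s /policy -t elem -n rule \
        -s "/policy/rule[last()]" -t attr -n family -v ipv4 \
        -s "/policy/rule[last()]" -t elem -n destination \
        -s "/policy/rule[last()]" -t elem -n reject \
        -s "/policy/rule[last()]/destination" -t attr -n address -v $cidr \
        $policy_1
end

# Policy 2 (HOST -> ANY, priority -1): accept all IPv4 plus one accept rule per
# Google IPv6 prefix; target=REJECT drops everything else (i.e. non-Google IPv6).
set policy_2 /etc/firewalld/policies/accept-google-ipv6.xml
echo -e '<?xml version="1.0" encoding="utf-8"?>\n<policy/>' >$policy_2
xmlstarlet ed -L \
    -s /policy -t attr -n target -v REJECT \
    -s /policy -t attr -n priority -v -1 \
    -s /policy -t elem -n ingress-zone \
    -s /policy -t elem -n egress-zone \
    -s /policy -t elem -n short -v "Accept google IPv6" \
    -s /policy -t elem -n description -v "Reject IPv6 except google IPs, Accept all IPv4." \
    -s /policy/ingress-zone -t attr -n name -v HOST \
    -s /policy/egress-zone -t attr -n name -v ANY \
    -s /policy -t elem -n rule \
    -s "/policy/rule[last()]" -t attr -n family -v ipv4 \
    -s "/policy/rule[last()]" -t elem -n destination \
    -s "/policy/rule[last()]" -t elem -n accept \
    -s "/policy/rule[last()]/destination" -t attr -n address -v "0.0.0.0/0" \
    $policy_2
for cidr in $google_ipv6
    xmlstarlet ed -L \
        -s /policy -t elem -n rule \
        -s "/policy/rule[last()]" -t attr -n family -v ipv6 \
        -s "/policy/rule[last()]" -t elem -n destination \
        -s "/policy/rule[last()]" -t elem -n accept \
        -s "/policy/rule[last()]/destination" -t attr -n address -v $cidr \
        $policy_2
end

# Activate the new policies; a failed reload means the probes below would test
# the old rule set, so stop here instead.
firewall-cmd --reload; or exit 1

# Probe the intended outcome. Expected to succeed: Google over IPv6, a non-Google
# site over IPv4. Expected to be blocked: Google over IPv4, non-Google over IPv6.
curl -6 --silent --output /dev/null "https://www.google.com"
if test $status -ne 0
    exit 1
end
curl -4 --silent --output /dev/null "https://www.yandex.com"
if test $status -ne 0
    exit 1
end
curl -4 --silent --output /dev/null "https://www.google.com"
if test $status -eq 0
    exit 1
end
curl -6 --silent --output /dev/null "https://www.yandex.com"
if test $status -eq 0
    exit 1
end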
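# Runs /usr/local/bin/he-ipv6.sh once at boot, after the network is up.
[Unit]
Description=config ipv6
# After= only orders this unit relative to network-online.target; Wants= is what
# actually pulls that target in, otherwise the script may run before the network
# is online.
Wants=network-online.target
After=network.target network-online.target

[Service]
# oneshot: the unit is "started" only once the script has exited; a non-zero
# exit marks the unit failed.
Type=oneshot
ExecStart=/usr/local/bin/he-ipv6.sh

[Install]
WantedBy=multi-user.target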
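#!/bin/sh
# Placeholder for the script started by the oneshot systemd unit
# (ExecStart=/usr/local/bin/he-ipv6.sh): copy your he-ipv6 commands below.
# -e: stop at the first failing command so the unit reports failure instead of
#     continuing with a half-applied configuration; -u: unset variables are errors.
set -eu
# copy your he-ipv6 commands here: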