@sixg0000d
Last active May 1, 2021 07:56
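#!/usr/bin/fish
# Split the host's egress by address family with firewalld policies:
#   - IPv4: reject Google's published prefixes, allow everything else
#   - IPv6: allow only Google's published prefixes, reject everything else
# Needs root: every step after this one writes under /etc/firewalld and calls
# firewall-cmd --reload; only the package install below is wrapped in sudo.
#
# Install both tools this script depends on: xmlstarlet builds the policy XML,
# jq extracts the prefixes from goog.json. dnf is a no-op if already installed.
switch (id -u)
    case 0
        dnf install -y xmlstarlet jq
    case '*'
        sudo dnf install -y xmlstarlet jq
end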
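# Download Google's published prefix list.
#   --fail      : an HTTP error page must not be handed to jq as if it were data
#   --proto     : with -L/--location, refuse a redirect that downgrades to http
# Abort on an empty or unparseable result instead of continuing: with an empty
# list, policy 2 below fails closed (all IPv6 rejected) and policy 1 fails
# open (Google IPv4 no longer rejected) -- neither is what the caller asked for.
set goog_json (curl --silent --fail --location --proto '=https' https://www.gstatic.com/ipranges/goog.json | string collect)
if test -z "$goog_json"
    echo "failed to download goog.json" >&2
    exit 1
end
# One prefix per list element; entries without the requested family are dropped.
set google_ipv4 (printf '%s\n' "$goog_json" | jq --raw-output '.prefixes[] | .ipv4Prefix | select(. != null)')
set google_ipv6 (printf '%s\n' "$goog_json" | jq --raw-output '.prefixes[] | .ipv6Prefix | select(. != null)')
if test (count $google_ipv4) -eq 0; or test (count $google_ipv6) -eq 0
    echo "goog.json parsed to an empty prefix list; refusing to write policies" >&2
    exit 1
end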
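# Policy 1 -- priority -10 (lower number wins, so it runs before policy 2):
# reject host-originated IPv4 traffic to every Google prefix from goog.json,
# except anything under 8.8.*.* (presumably so Google Public DNS 8.8.8.8 /
# 8.8.4.4 stays reachable -- confirm that is the intent). target=CONTINUE
# hands non-matching traffic on to the next policy.
# /etc/firewalld/policies is root-only on a standard install; firewalld picks
# the file up on the later --reload, not when it is written.
set policy_1 /etc/firewalld/policies/reject-google-ipv4.xml
echo -e '<?xml version="1.0" encoding="utf-8"?>\n<policy/>' >$policy_1
or begin
    echo "cannot write $policy_1 (run as root)" >&2
    exit 1
end
xmlstarlet ed -L \
    -s /policy -t attr -n target -v CONTINUE \
    -s /policy -t attr -n priority -v -10 \
    -s /policy -t elem -n ingress-zone \
    -s /policy -t elem -n egress-zone \
    -s /policy -t elem -n short -v "Reject google IPv4" \
    -s /policy -t elem -n description -v "Reject google IPv4." \
    -s /policy/ingress-zone -t attr -n name -v HOST \
    -s /policy/egress-zone -t attr -n name -v ANY \
    $policy_1
or begin
    echo "xmlstarlet failed to initialise $policy_1" >&2
    exit 1
end
for cidr in $google_ipv4
    # The list is remote input that ends up in a firewall rule: only accept
    # values shaped like an IPv4 CIDR, and say so when something is skipped.
    if not string match -qr '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' -- $cidr
        echo "skipping unexpected ipv4 prefix: $cidr" >&2
        continue
    end
    # Keep the 8.8.*.* ranges reachable (see note above).
    if string match -q '8.8.*.*/*' -- $cidr
        continue
    end
    # Append one <rule family="ipv4"><destination address=CIDR/><reject/></rule>.
    xmlstarlet ed -L \
        -s /policy -t elem -n rule \
        -s "/policy/rule[last()]" -t attr -n family -v ipv4 \
        -s "/policy/rule[last()]" -t elem -n destination \
        -s "/policy/rule[last()]" -t elem -n reject \
        -s "/policy/rule[last()]/destination" -t attr -n address -v $cidr \
        $policy_1
    # A dropped rule would silently leave that prefix unblocked: fail instead.
    or begin
        echo "xmlstarlet failed to add ipv4 rule for $cidr" >&2
        exit 1
    end
end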
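# Policy 2 -- priority -1, target=REJECT: host-originated traffic that reaches
# this policy is rejected unless a rule accepts it. The rules accept all IPv4
# (Google IPv4 was already rejected by policy 1 at priority -10) and only the
# Google IPv6 prefixes, so IPv6 to any other destination is rejected. That
# includes IPv6 DNS resolvers and any Google prefix added to goog.json after
# this run -- re-run the script to refresh the list.
set policy_2 /etc/firewalld/policies/accept-google-ipv6.xml
echo -e '<?xml version="1.0" encoding="utf-8"?>\n<policy/>' >$policy_2
or begin
    echo "cannot write $policy_2 (run as root)" >&2
    exit 1
end
xmlstarlet ed -L \
    -s /policy -t attr -n target -v REJECT \
    -s /policy -t attr -n priority -v -1 \
    -s /policy -t elem -n ingress-zone \
    -s /policy -t elem -n egress-zone \
    -s /policy -t elem -n short -v "Accept google IPv6" \
    -s /policy -t elem -n description -v "Reject IPv6 except google IPs, Accept all IPv4." \
    -s /policy/ingress-zone -t attr -n name -v HOST \
    -s /policy/egress-zone -t attr -n name -v ANY \
    -s /policy -t elem -n rule \
    -s "/policy/rule[last()]" -t attr -n family -v ipv4 \
    -s "/policy/rule[last()]" -t elem -n destination \
    -s "/policy/rule[last()]" -t elem -n accept \
    -s "/policy/rule[last()]/destination" -t attr -n address -v "0.0.0.0/0" \
    $policy_2
or begin
    echo "xmlstarlet failed to initialise $policy_2" >&2
    exit 1
end
for cidr in $google_ipv6
    # Remote input going into a firewall rule: accept only IPv6-CIDR-shaped
    # values (hex groups, colons, optional dotted tail) and report the rest.
    if not string match -qr '^[0-9a-fA-F:.]+/\d{1,3}$' -- $cidr
        echo "skipping unexpected ipv6 prefix: $cidr" >&2
        continue
    end
    # Append one <rule family="ipv6"><destination address=CIDR/><accept/></rule>.
    xmlstarlet ed -L \
        -s /policy -t elem -n rule \
        -s "/policy/rule[last()]" -t attr -n family -v ipv6 \
        -s "/policy/rule[last()]" -t elem -n destination \
        -s "/policy/rule[last()]" -t elem -n accept \
        -s "/policy/rule[last()]/destination" -t attr -n address -v $cidr \
        $policy_2
    # A dropped accept rule would cut off that Google prefix over IPv6: fail instead.
    or begin
        echo "xmlstarlet failed to add ipv6 rule for $cidr" >&2
        exit 1
    end
end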
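# Activate the two policies, then probe them end to end. A failed reload means
# nothing changed, so stop rather than "verify" the old ruleset. A failed probe
# exits 1 but leaves the policy files in place -- delete them from
# /etc/firewalld/policies and reload to revert.
firewall-cmd --reload
or begin
    echo "firewall-cmd --reload failed; policies were not applied" >&2
    exit 1
end
# Reachability probe: exit status only. --max-time bounds each probe so a
# dropped (rather than rejected) packet cannot hang the script indefinitely.
function probe --argument-names family url
    curl $family --silent --max-time 15 --output /dev/null $url
end
# Expected reachable: Google over IPv6, everything else over IPv4. The first
# probe also requires the host to have working IPv6 connectivity at all.
if not probe -6 "https://www.google.com"
    echo "check failed: google over IPv6 should be reachable" >&2
    exit 1
end
if not probe -4 "https://www.yandex.com"
    echo "check failed: non-google IPv4 should be reachable" >&2
    exit 1
end
# Expected rejected: Google over IPv4, everything else over IPv6.
if probe -4 "https://www.google.com"
    echo "check failed: google over IPv4 should be rejected" >&2
    exit 1
end
if probe -6 "https://www.yandex.com"
    echo "check failed: non-google IPv6 should be rejected" >&2
    exit 1
end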
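[Unit]
Description=config ipv6
# After= only orders against network-online.target; it does not pull it in, so
# without Wants= the unit may start before the network is actually up.
# Wants= + After= is the documented pairing for "needs the network".
After=network.target network-online.target
Wants=network-online.target
[Service]
Type=oneshot
# No User= is set, so the script runs as root at boot: keep it root-owned,
# executable, and not group/world-writable.
ExecStart=/usr/local/bin/he-ipv6.sh
[Install]
WantedBy=multi-user.target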
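#!/bin/sh
# Run as root at boot by the systemd unit above. Fail on the first error and on
# any unset variable so a half-applied configuration shows up as a failed unit
# instead of a silent success (POSIX-portable subset of strict mode).
set -eu
# copy your he-ipv6 commands here: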
@sixg0000d

To revert (run as root; the reload is what actually removes the rules):

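# -f: if the script aborted before writing the second policy, a missing file
# must not produce an error on the way to the reload that removes the rules.
rm -f -- /etc/firewalld/policies/reject-google-ipv4.xml
rm -f -- /etc/firewalld/policies/accept-google-ipv6.xml
firewall-cmd --reload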
