#!/bin/bash
# setup.sh [start|stop]
#
# start: creates the "googleips" ipset from GOOGLE_IP_FILE and installs
#        owner-based iptables rules: the whitelisted UID(s) are accepted,
#        every other user's TCP 80/443 traffic to those prefixes is
#        REDIRECTed to local port 4432, and their remaining traffic to
#        those prefixes is rejected (see do_start for the exact rules).
# stop:  removes those rules and destroys the set (see do_stop).
# ipset/iptables need privileges, so this is expected to run as root.
RUN_DIR=/var/run/1-1e100   # NOTE(review): not referenced anywhere else in this file
# name or UID of the user that runs the proxy.
# A numerical UID range ("1001-1003") may be given to add further
# users that can bypass all filtering.
WHITELIST_USERS_UID="1001" # e.g. "1001-1003" for a range
# One CIDR per line; lines starting with '#' are comments.
# Relative path: resolved against the working directory the script is started from.
GOOGLE_IP_FILE="google-ips.txt"
#######################################
# Print the accepted invocations to stdout, surrounded by blank lines.
# Arguments: none (reads $0 for the script name)
#######################################
usage() {
  printf '\n%s [start|stop]\n\n\n' "$0"
}
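#######################################
# Create the "googleips" ipset from GOOGLE_IP_FILE and install the filter and
# NAT rules. Nothing is installed when the prefix file is unreadable, the set
# already exists (a second run would append duplicate rules) or the set
# cannot be created.
# Globals:   GOOGLE_IP_FILE, WHITELIST_USERS_UID (read)
# Outputs:   each accepted prefix on stdout; diagnostics on stderr
# Returns:   0 on success, 1 on the failures above
#######################################
do_start() {
  local cidr

  if [[ ! -r "$GOOGLE_IP_FILE" ]]; then
    printf 'do_start: cannot read %s\n' "$GOOGLE_IP_FILE" >&2
    return 1
  fi
  # Existence probe: "ipset create" would fail on a second run, but the
  # iptables -A calls below would still go ahead and duplicate the rules.
  if ipset -q list googleips >/dev/null 2>&1; then
    printf 'do_start: ipset "googleips" already exists; run stop first\n' >&2
    return 1
  fi
  ipset create googleips hash:net || return 1

  # Read straight from the file (no cat|grep subshell); default IFS trims
  # surrounding whitespace like the original "read" did. The "|| [[ -n ]]"
  # keeps a last line that has no trailing newline.
  while read -r cidr || [[ -n "$cidr" ]]; do
    # Skip blank lines and '#' comments.
    [[ -z "$cidr" || "$cidr" == \#* ]] && continue
    # Coarse sanity check so that stray tokens from the file (anything that
    # is not hex digits, dots, colons and an optional /prefix) never reach
    # ipset as an argument; ipset still validates the prefix itself.
    if [[ ! "$cidr" =~ ^[0-9A-Fa-f.:]+(/[0-9]+)?$ ]]; then
      printf 'do_start: skipping malformed entry: %s\n' "$cidr" >&2
      continue
    fi
    printf '%s\n' "$cidr"
    ipset add googleips "$cidr"
  done < "$GOOGLE_IP_FILE"

  # Whitelisted UID(s) bypass everything below.
  iptables -A OUTPUT -m owner --uid-owner "$WHITELIST_USERS_UID" -j ACCEPT
  # Everyone else: TCP 443/80 towards the set is redirected to local port 4432.
  iptables -t nat -A OUTPUT -m owner ! --uid-owner "$WHITELIST_USERS_UID" -m set --match-set googleips dst -p tcp --dport 443 -j REDIRECT --to-ports 4432
  iptables -t nat -A OUTPUT -m owner ! --uid-owner "$WHITELIST_USERS_UID" -m set --match-set googleips dst -p tcp --dport 80 -j REDIRECT --to-ports 4432
  # Whatever still carries a set-member destination at this point is rejected.
  iptables -A OUTPUT -m set --match-set googleips dst -j REJECT
}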
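#######################################
# Remove the rules installed by do_start (in reverse order) and destroy the
# "googleips" set. Every removal is attempted even if an earlier one fails,
# so a partially installed state can still be cleaned up.
# Globals:   WHITELIST_USERS_UID (read)
# Returns:   0 when everything was removed, otherwise the status of the last
#            failing ipset/iptables call
#######################################
do_stop() {
  local rc=0

  iptables -D OUTPUT -m set --match-set googleips dst -j REJECT || rc=$?
  iptables -t nat -D OUTPUT -m owner ! --uid-owner "$WHITELIST_USERS_UID" -m set --match-set googleips dst -p tcp --dport 80 -j REDIRECT --to-ports 4432 || rc=$?
  iptables -t nat -D OUTPUT -m owner ! --uid-owner "$WHITELIST_USERS_UID" -m set --match-set googleips dst -p tcp --dport 443 -j REDIRECT --to-ports 4432 || rc=$?
  iptables -D OUTPUT -m owner --uid-owner "$WHITELIST_USERS_UID" -j ACCEPT || rc=$?

  # Existence check by listing the set. Probing membership of a fixed
  # address (the old "ipset test googleips 8.8.8.8") left the set behind
  # whenever that address happened not to be in the prefix file.
  # The destroy must come after the rule removals: ipset refuses to destroy
  # a set that iptables rules still reference.
  if ipset -q list googleips >/dev/null 2>&1; then
    ipset destroy googleips || rc=$?
  fi
  return "$rc"
}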
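# Entry point: dispatch on the first argument. The exit status now reflects
# the outcome of do_start/do_stop instead of being unconditionally 0, so an
# init system or wrapper can tell a failed rule installation apart from success.
if [[ -z "${1:-}" ]]; then
  usage
  exit 0
fi

rc=0
case "$1" in
  start)
    do_start || rc=$?
    ;;
  stop)
    do_stop || rc=$?
    ;;
  *)
    # Diagnostics belong on stderr, not mixed into stdout.
    printf 'Invalid option: %s\n' "$1" >&2
    usage
    exit 1
    ;;
esac
exit "$rc"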