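#!/bin/bash
#
# OpenVPN kill switch for one local user account ($KSUSER).
#
# Usage
#   as OpenVPN hooks:  --up /path/to/this-script   --down /path/to/this-script
#     OpenVPN passes the tunnel interface as $1 and exports script_type
#     ("up"/"down"), foreign_option_N (pushed "dhcp-option ..." lines) and
#     route_vpn_gateway in the environment.
#   by hand:           this-script tun0
#     Re-applies the rules; on a terminal, when the switch is already active,
#     it first offers to remove them instead.
#
# Mechanism (as far as the rules below show): packets from $KSUSER are
# fwmark'ed ($KS_MARK) and policy-routed through routing table $KSUSER, whose
# default route points at the VPN gateway with a second default via lo behind
# it — presumably so that when the tunnel route disappears the user's traffic
# is blackholed rather than falling back to $NETIF.  iptables additionally
# rejects the user's traffic leaving via $NETIF and redirects the user's DNS to
# the VPN-pushed resolver.
#
# Host-wide side effects (NOT limited to $KSUSER): the filter, nat and mangle
# tables are flushed on every run, IPv6 is disabled, rp_filter is turned off
# for $NETIF/all/default, and outbound STUN is dropped for every user.
#
# Must run as root.  Every error path exits non-zero so that OpenVPN treats a
# failed "up" as fatal instead of bringing the tunnel up unprotected.

set -eu

readonly KSUSER=justme
readonly KS_TABLE_ID=666            # table id written to rt_tables
readonly KS_MARK=0x666              # fwmark that selects that table
readonly DEFAULT_DNSIP=10.31.33.8   # used when OpenVPN pushes no DNS server
readonly RT_TABLES=/etc/iproute2/rt_tables

VPNIF=${1:-}
# First default route only: several default routes would otherwise expand to
# several words and break every command that uses these values.
NETIF=$(ip route list | awk '/^default/ {print $5; exit}')
LAN=$(ip -o -f inet addr show dev "$NETIF" 2>/dev/null | awk 'NR == 1 {print $4}')

#######################################
# Print each argument on its own line to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Returns 0 if the fwmark policy rule is installed.
#######################################
ks_rule_present() {
  ip rule list | grep -q "$KS_MARK"
}

#######################################
# Remove everything this script installs and re-enable IPv6.
# Globals: KS_TABLE_ID, KS_MARK, RT_TABLES
#######################################
clear_ks() {
  # Numeric id: the name may already be gone from rt_tables.  Flushing the
  # table is what lets a later run re-add the same routes without EEXIST.
  ip route flush table "$KS_TABLE_ID" 2>/dev/null || true
  if [[ -f "$RT_TABLES" ]]; then
    # Match the whole id field, not any id that merely starts with 666.
    sed -i "/^${KS_TABLE_ID}[[:space:]]/d" "$RT_TABLES"
  fi
  # NOTE: flushes every rule in these tables, including rules that do not
  # belong to this script (e.g. a host firewall).
  iptables -F -t mangle
  iptables -F -t nat
  iptables -F -t filter
  # Remove the policy rule, including duplicates left by earlier runs.
  while ks_rule_present; do
    ip rule del from all fwmark "$KS_MARK" 2>/dev/null || break
  done
  sysctl -qw net.ipv6.conf.all.disable_ipv6=0
  sysctl -qw net.ipv6.conf.default.disable_ipv6=0
  sysctl -qw net.ipv6.conf.lo.disable_ipv6=0
}

#######################################
# Print the first DNS server pushed by OpenVPN ("dhcp-option DNS a.b.c.d"
# in foreign_option_1..N).  Returns 1 if none was pushed.
#######################################
pushed_dns_server() {
  local i=1 name opt
  while :; do
    name="foreign_option_$i"
    opt=${!name:-}
    [[ -n "$opt" ]] || return 1
    # Other option kinds (DOMAIN, DNS6, WINS, ...) are skipped rather than
    # blindly taking the third word as an address.
    if [[ "$opt" =~ ^dhcp-option[[:space:]]+DNS[[:space:]]+(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]]; then
      printf '%s\n' "${BASH_REMATCH[1]}"
      return 0
    fi
    i=$((i + 1))
  done
}

#######################################
# Print the VPN gateway address for table $KSUSER (may print nothing).
# Globals: VPNIF
#######################################
vpn_gateway() {
  # OpenVPN exports the gateway it uses for its own routes; prefer that.
  if [[ -n "${route_vpn_gateway:-}" ]]; then
    printf '%s\n' "$route_vpn_gateway"
    return 0
  fi
  # Fallback for manual runs: the last IPv4 address shown for the tunnel that
  # is neither loopback nor contains "255" (masks/broadcast).  On a
  # point-to-point tun that is the peer address.
  ip -4 -o addr show dev "$VPNIF" \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | grep -Ev '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' \
    | tail -n1
}

main() {
  local answer dnsip gatewayip

  command -v iptables >/dev/null 2>&1 || die "Error: Can't find iptables"

  if [[ "${script_type:-}" == "down" ]]; then
    clear_ks
    echo "Kill switch disabled for $KSUSER."
    exit 0
  fi

  if ks_rule_present; then
    # Only ask when a human can answer.  When OpenVPN runs the hook
    # (foreign_option_1 set, or no terminal) an unanswered prompt would read
    # as "yes" and silently turn the switch off.
    if [[ -z "${foreign_option_1:-}" && -t 0 ]]; then
      read -rp "Do you want to turn off the kill switch? [Y/n]" answer
      answer=${answer,,}
      if [[ -z "$answer" || "$answer" =~ ^(y|yes)$ ]]; then
        clear_ks
        echo "Kill switch disabled for $KSUSER."
        exit 0
      fi
    fi
    # Already active: start from a clean slate instead of appending duplicates.
    clear_ks
  fi

  id "$KSUSER" >/dev/null 2>&1 || die \
    "Error: The user \"$KSUSER\" doesn't exist." \
    "" \
    "You need to change the KSUSER=$KSUSER line at the top of this script" \
    "where \"$KSUSER\" is the user you want to apply the killswitch on." \
    "Be sure to add that user if it doesn't already exist."

  [[ -n "$NETIF" ]] || die "Error: no default route found; can't determine the LAN interface."
  [[ -n "$LAN" ]] || die "Error: no IPv4 address found on $NETIF."

  # make sure the tunnel interface is running
  if [[ -z "$VPNIF" ]] || ! ip link show dev "$VPNIF" >/dev/null 2>&1; then
    die "Error: tunnel interface doesn't appear to exist." \
      "Are you sure OpenVPN is running?"
  fi

  # Get DNS IP from OpenVPN
  dnsip=$(pushed_dns_server) || dnsip=$DEFAULT_DNSIP

  gatewayip=$(vpn_gateway)
  [[ -n "$gatewayip" ]] || die "Error: can't determine the VPN gateway address on $VPNIF."

  # add route policy if it doesn't exist
  if ! grep -Eq "^${KS_TABLE_ID}[[:space:]]+${KSUSER}\$" "$RT_TABLES" 2>/dev/null; then
    echo "$KS_TABLE_ID $KSUSER" >> "$RT_TABLES"
  fi

  # mark packets from $KSUSER, unless to/from $LAN
  iptables -t mangle -A OUTPUT ! --dest "$LAN" -m owner --uid-owner "$KSUSER" -j MARK --set-mark "$KS_MARK"
  iptables -t mangle -A OUTPUT ! --src "$LAN" -m owner --uid-owner "$KSUSER" -j MARK --set-mark "$KS_MARK"

  # allow responses
  iptables -A INPUT -i "$VPNIF" -m conntrack --ctstate ESTABLISHED -j ACCEPT

  # block everything incoming on $VPNIF
  iptables -A INPUT -i "$VPNIF" -j REJECT

  # send DNS to $dnsip for $KSUSER
  iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner "$KSUSER" -j DNAT --to-destination "$dnsip"
  iptables -t nat -A OUTPUT -p tcp --dport 53 -m owner --uid-owner "$KSUSER" -j DNAT --to-destination "$dnsip"

  # let $KSUSER access lo and $VPNIF
  iptables -A OUTPUT -o lo -m owner --uid-owner "$KSUSER" -j ACCEPT
  iptables -A OUTPUT -o "$VPNIF" -m owner --uid-owner "$KSUSER" -j ACCEPT

  # all packets on $VPNIF need to be masqueraded
  iptables -t nat -A POSTROUTING -o "$VPNIF" -j MASQUERADE

  # reject connections from LAN going over $NETIF
  iptables -A OUTPUT ! --src "$LAN" -o "$NETIF" -j REJECT

  if ! ks_rule_present; then
    ip rule add from all fwmark "$KS_MARK" lookup "$KSUSER"
  fi

  # Rebuild the user's table from scratch so a half-finished earlier run
  # cannot leave stale routes (or make the append below fail with EEXIST).
  ip route flush table "$KSUSER" 2>/dev/null || true
  ip route replace default via "$gatewayip" table "$KSUSER"
  ip route append default via 127.0.0.1 dev lo table "$KSUSER"
  ip route flush cache

  # Policy routing needs reverse-path filtering relaxed.  This disables it
  # entirely; rp_filter=2 (loose mode) is the less permissive alternative
  # worth testing.  Dots in an interface name (VLAN "eth0.100") must be
  # written as "/" in sysctl keys.
  sysctl -qw net.ipv4.conf.all.rp_filter=0
  sysctl -qw net.ipv4.conf.default.rp_filter=0
  sysctl -qw "net.ipv4.conf.${NETIF//./\/}.rp_filter=0"

  # Disable IPv6 for everyone (nothing above covers IPv6, so it would leak)
  sysctl -qw net.ipv6.conf.all.disable_ipv6=1
  sysctl -qw net.ipv6.conf.default.disable_ipv6=1
  sysctl -qw net.ipv6.conf.lo.disable_ipv6=1

  # Block STUN for everyone (WebRTC address discovery bypasses the tunnel)
  iptables -A OUTPUT -p udp -m udp -m string --hex-string "|0001|" --algo bm --from 27 --to 28 -m string --hex-string "|2112a442|" --algo bm --from 30 --to 34 -j DROP

  echo "Kill switch enabled for the $KSUSER user."
}

main "$@"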