-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathtecff-block-doh
executable file
·27 lines (24 loc) · 1.44 KB
/
tecff-block-doh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/bin/bash
# block DNS (especially over HTTPS) requests to well-known resolvers
# this forces users to use the resolver supplied in the current network
# which allows for adjustments like filtering out AAAA records in case of problems with the reputation of the IPv6 subnet
# MODE variable is set as an environment variable by ifupdown
DOH_IP4="8.8.8.8 8.8.4.4 172.64.41.4 162.159.61.4 104.16.249.249 104.16.248.249 149.112.112.112 9.9.9.9 9.9.9.11 149.112.112.11 9.9.9.10 149.112.112.10 1.1.1.2 1.0.0.2 1.1.1.3 1.0.0.3"
DOH_IP6="2001:4860:4860::8844 2001:4860:4860::8888 2a06:98c1:52::4 2803:f800:53::4 2606:4700::6810:f9f9 2606:4700::6810:f8f9 2620:fe::fe 2620:fe::9 2620:fe::fe:11 2620:fe::11 2620:fe::10 2620:fe::fe:10 2606:4700:4700::1112 2606:4700:4700::1002 2606:4700:4700::1003 2606:4700:4700::1113"
if [ "$MODE" = "start" ]; then
for ip4 in $DOH_IP4; do
iptables -I FORWARD -d $ip4 -m comment --comment "reject DoH IPv4" -j REJECT --reject-with icmp-admin-prohibited
done
for ip6 in $DOH_IP6; do
ip6tables -I FORWARD -d $ip6 -m comment --comment "reject DoH IPv6" -j REJECT --reject-with icmp6-adm-prohibited
done
elif [ "$MODE" = "stop" ]; then
for ip6 in $DOH_IP6; do
ip6tables -D FORWARD -d $ip6 -m comment --comment "reject DoH IPv6" -j REJECT --reject-with icmp6-adm-prohibited
done
for ip4 in $DOH_IP4; do
iptables -D FORWARD -d $ip4 -m comment --comment "reject DoH IPv4" -j REJECT --reject-with icmp-admin-prohibited
done
else
exit 1
fi