Skip to content

Instantly share code, notes, and snippets.

@juliangruber
Created March 2, 2023 15:58
Show Gist options
  • Save juliangruber/a52aed3a2eb7c1b03396765a902eb494 to your computer and use it in GitHub Desktop.
Save juliangruber/a52aed3a2eb7c1b03396765a902eb494 to your computer and use it in GitHub Desktop.
l1-firewall
#!/usr/bin/env bash
ipv4ranges=(
10.0.0.0/8
100.64.0.0/10
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
240.0.0.0/4
)
ipv6ranges=(
100::/64
2001:2::/48
2001:db8::/32
fc00::/7
fe80::/10
)
for range in "${ipv4ranges[@]}"
do
:
echo "blocking ipv4 range $range"
# Use REJECT so packets you send to this range will generate an ICMP response
# packet, this will buble up filtering results to lassie (since lassie is the
# sender the response packet don't leave your machine), if you use DROP here,
# every attempt to dial private addresses in lassie will have to timeout
# instead of erroring quickly.
iptables -A OUTPUT -d "$range" -j REJECT
# use DROP to avoid sending outbound ICMP response packets
iptables -A INPUT -s "$range" -j DROP
done
for range in "${ipv6ranges[@]}"
do
:
echo "blocking ipv6 range $range"
# Use REJECT so packets you send to this range will generate an ICMP response
# packet, this will buble up filtering results to lassie (since lassie is the
# sender the response packet don't leave your machine), if you use DROP here,
# every attempt to dial private addresses in lassie will have to timeout
# instead of erroring quickly.
ip6tables -A OUTPUT -d "$range" -j REJECT
# use DROP to avoid sending outbound ICMP response packets
ip6tables -A INPUT -s "$range" -j DROP
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment