colorcrossing-google.fish

#!/usr/bin/fish

switch (id -u)
    case 0
        dnf install -y xmlstarlet
    case "*"
        sudo dnf install -y xmlstarlet
end

set goog_json (curl -sL https://www.gstatic.com/ipranges/goog.json | string collect)
set google_ipv4 (echo $goog_json | jq --raw-output '.prefixes[] | [.ipv4Prefix][] | select(. != null)')
set google_ipv6 (echo $goog_json | jq --raw-output '.prefixes[] | [.ipv6Prefix][] | select(. != null)')

set policy_1 /etc/firewalld/policies/reject-google-ipv4.xml
echo -e '<?xml version="1.0" encoding="utf-8"?>\n<policy/>' >$policy_1
xmlstarlet ed -L \
    -s /policy -t attr -n target -v CONTINUE \
    -s /policy -t attr -n priority -v -10 \
    -s /policy -t elem -n ingress-zone \
    -s /policy -t elem -n egress-zone \
    -s /policy -t elem -n short -v "Reject google IPv4" \
    -s /policy -t elem -n description -v "Reject google IPv4." \
    -s /policy/ingress-zone -t attr -n name -v HOST \
    -s /policy/egress-zone -t attr -n name -v ANY \
    $policy_1

for cidr in $google_ipv4
    if [ (string match "8.8.*.*/*" $cidr) ]
        continue
    end
    xmlstarlet ed -L \
        -s /policy -t elem -n rule \
        -s "/policy/rule[last()]" -t attr -n family -v ipv4 \
        -s "/policy/rule[last()]" -t elem -n destination \
        -s "/policy/rule[last()]" -t elem -n reject \
        -s "/policy/rule[last()]/destination" -t attr -n address -v $cidr \
        $policy_1
end

set policy_2 /etc/firewalld/policies/accept-google-ipv6.xml
echo -e '<?xml version="1.0" encoding="utf-8"?>\n<policy/>' >$policy_2
xmlstarlet ed -L \
    -s /policy -t attr -n target -v REJECT \
    -s /policy -t attr -n priority -v -1 \
    -s /policy -t elem -n ingress-zone \
    -s /policy -t elem -n egress-zone \
    -s /policy -t elem -n short -v "Accept google IPv6" \
    -s /policy -t elem -n description -v "Reject IPv6 except google IPs, Accept all IPv4." \
    -s /policy/ingress-zone -t attr -n name -v HOST \
    -s /policy/egress-zone -t attr -n name -v ANY \
    -s /policy -t elem -n rule \
    -s "/policy/rule[last()]" -t attr -n family -v ipv4 \
    -s "/policy/rule[last()]" -t elem -n destination \
    -s "/policy/rule[last()]" -t elem -n accept \
    -s "/policy/rule[last()]/destination" -t attr -n address -v "0.0.0.0/0" \
    $policy_2

for cidr in $google_ipv6
    xmlstarlet ed -L \
        -s /policy -t elem -n rule \
        -s "/policy/rule[last()]" -t attr -n family -v ipv6 \
        -s "/policy/rule[last()]" -t elem -n destination \
        -s "/policy/rule[last()]" -t elem -n accept \
        -s "/policy/rule[last()]/destination" -t attr -n address -v $cidr \
        $policy_2
end

firewall-cmd --reload

curl -6 --silent --output /dev/null "https://www.google.com"
if test ! $status -eq 0
    exit 1
end

curl -4 --silent --output /dev/null "https://www.yandex.com"
if test ! $status -eq 0
    exit 1
end

curl -4 --silent --output /dev/null "https://www.google.com"
if test $status -eq 0
    exit 1
end

curl -6 --silent --output /dev/null "https://www.yandex.com"
if test $status -eq 0
    exit 1
end

he-ipv6.service

[Unit]
Description=config ipv6
After=network.target network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/he-ipv6.sh

[Install]
WantedBy=multi-user.target

he-ipv6.sh

#!/bin/sh

# copy your he-ipv6 commands here:

revert:

rm /etc/firewalld/policies/reject-google-ipv4.xml
rm /etc/firewalld/policies/accept-google-ipv6.xml
firewall-cmd --reload