#!/bin/sh
# iptables-custom-insert.sh - example custom iptables insertion script

# Every file in the IPTABLES_CUSTOM_DIR directory (/etc/pgl), that ends
# in ...insert.sh will be executed on every "pglcmd start" for 2 settings:

# Default setup (IPTABLES_SETTINGS="1"):
# pglcmd will first insert its iptables setup and afterwards this script
# gets executed.

# IPTABLES_SETTINGS="2" is set in pglcmd.conf
# (/etc/pgl/pglcmd.conf):
# Only this script will be executed.

# The IP block daemon checks traffic that is sent to the iptables target NFQUEUE
# (default queue number is 92).

# Examples for IPTABLES_SETTINGS="1". This is advanced stuff, have a look at
# `man iptables` to understand it. You need both kernel support and a
# complimentary user-space module for these things to work. With other words,
# both netfilter (iptables) and the kernel must support what you want - so it
# depends on your distribution if this will be the case.

# Whitelist outgoing TCP traffic to port 80 for the application firefox-bin:
# My system doesn't support this, feedback welcome ;-)
iptables -I pgl_out -p tcp --dport 80 -m owner --pid-owner [processid] -j RETURN
iptables -I pgl_out -p tcp --dport 80 -m owner --cmd-owner firefox-bin -j RETURN

# Whitelist outgoing TCP traffic on port 80 if it does not belong to user
# [username]. This may be used e.g. if there are normal desktop users (who are
# allowed to surf the web without being controlled), while the
# applications whose complete traffic shall be checked are run by the separate
# user [username].
iptables -I pgl_out -p tcp --dport 80 -m owner ! --uid-owner [username] -j RETURN

# Whitelist outgoing TCP traffic on port 80 if it does belong to user
# [username]. This may be used e.g. if there is a normal desktop user [username]
# (who is allowed to surf the web without being controlled), while
# the applications whose complete traffic shall be checked are run by separate
# users.
iptables -I pgl_out -p tcp --dport 80 -m owner --uid-owner [username] -j RETURN

# Whitelist outgoing TCP traffic on port [port] to the destination iprange [x.x.x.x-y.y.y.y].
# Be careful with the syntax: there must be no spaces in the iprange!
#
# Example: Your mail reader fails to get mails because pgl blocked it.
# "tail -f /var/log/syslog.log" shows that the blocked IPs are 72.14.192.73
# and 72.14.192.75. To find out the destination port, set
# LOG_IPTABLES="LOG --log-level info" in /etc/pgl/pglcmd.conf and
# do a "pglcmd restart". "sudo tail -f /var/log/syslog" shows that the
# blocked packets had the destination port 993. "whois 72.14.192.73" shows that
# the range 72.14.192.0 - 72.14.255.255 is assigned to the same entity. You feel
# safe to accept all outgoing TCP traffic on port 993 to this range so you do:
iptables -I pgl_out -p tcp --dport 993 -m iprange --dst-range 72.14.192.0-72.14.255.255 -j RETURN

# You may also insert rules for IPv6. Please note that neither the block
# daemons, nore any known blocklist supports IPv6 currently.
# Remember to remove these rules after usage in iptables-custom-remove.sh
# Block IPv6 completely:
ip6tables -I OUTPUT -j REJECT
ip6tables -I INPUT -j DROP
ip6tables -I FORWARD -j DROP