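#!/bin/bash
# VPN "killswitch" for an OpenVPN client.
#
# Enable (default): flushes the filter and nat tables, then only permits IPv4
# traffic on loopback, on tun+ interfaces, to/from the local 192.168/16 and
# 10/8 prefixes, to/from the VPN gateway host route(s) and to/from the fixed
# resolver DNSIP; all port-53 DNS is DNATed to DNSIP, outgoing STUN binding
# requests are dropped (WebRTC address discovery) and IPv6 is disabled via
# sysctl so nothing can bypass the tunnel. Policies are then set to DROP.
#
# Disable: running the script again while the DNAT rule for DNSIP exists
# flushes both tables, restores ACCEPT policies and re-enables IPv6.
#
# Usage: run as root with no arguments. Requires Linux, iptables and the
# net-tools 'route' binary. Any pre-existing filter/nat rules are discarded.
DNSIP=10.31.33.8   # resolver every DNS query is redirected to; also allowlisted

# Print an error to stderr and exit non-zero so a caller can detect failure
# (the previous version exited 0 on every error path).
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# Apply one iptables command; a rule that fails to load would leave the
# killswitch only partially in place, so treat that as fatal.
ipt() {
  "$IPT" "$@" || die "iptables $* failed"
}

# Set net.ipv6.conf.{all,default,lo}.disable_ipv6 to $1 (0 or 1).
set_ipv6_disabled() {
  local scope
  for scope in all default lo; do
    sysctl -qw "net.ipv6.conf.${scope}.disable_ipv6=$1"
  done
}

[[ "$(id -u)" == "0" ]] || die "Run this script as root"
[[ "$(uname -s)" == "Linux" ]] || die "This script is for Linux"
IPT=$(command -v iptables) || die "Can't find iptables"
command -v route >/dev/null || die "Can't find route (net-tools)"

# Disable path: the presence of a nat rule mentioning DNSIP marks the switch
# as already engaged. -F matches the address literally (dots are not regex).
if "$IPT" -t nat -S | grep -qF -- "$DNSIP"; then
  ipt -F
  ipt -F -t nat
  ipt -P OUTPUT ACCEPT
  ipt -P INPUT ACCEPT
  set_ipv6_disabled 0
  echo "Killswitch disabled"
  exit 0
fi

# Host routes via a gateway (flags UGH) are what OpenVPN adds for the VPN
# server endpoint. Collect all of them instead of assuming exactly one, and
# refuse anything that does not look like a dotted-quad before it reaches
# iptables.
mapfile -t vpn_ips < <(route -n | grep UGH | awk '{print $1}')
[[ ${#vpn_ips[@]} -gt 0 ]] || die "OpenVPN doesn't seem to be running."
for ip in "${vpn_ips[@]}"; do
  [[ "$ip" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || die "Unexpected route entry: $ip"
done

ipt -F
ipt -F -t nat
ipt -A INPUT -j ACCEPT -i lo
ipt -A OUTPUT -j ACCEPT -o lo
ipt -A INPUT -j ACCEPT -i tun+
ipt -A OUTPUT -j ACCEPT -o tun+

# Keep the local LAN reachable; only the 192.168/16 and 10/8 ranges count.
mapfile -t lans < <(ip -o -f inet addr show \
  | awk '/scope global/ {print $4}' \
  | grep -E '^192\.168\.|^10\.')
for lan in "${lans[@]}"; do
  ipt -A INPUT -s "$lan" -j ACCEPT
  ipt -A OUTPUT -d "$lan" -j ACCEPT
done

# Force every DNS query to DNSIP regardless of the configured resolver.
ipt -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "$DNSIP"
ipt -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination "$DNSIP"

# Drop outgoing STUN binding requests: message type 0x0001 followed by the
# STUN magic cookie 0x2112A442 at fixed offsets in the UDP payload. This
# needs the xt_string match; if the kernel lacks it the switch still engages,
# but WebRTC may then reveal the real address, so say so loudly.
"$IPT" -A OUTPUT -p udp -m udp \
  -m string --hex-string "|0001|" --algo bm --from 27 --to 28 \
  -m string --hex-string "|2112a442|" --algo bm --from 30 --to 34 -j DROP \
  || printf 'Warning: STUN drop rule not applied (string match unavailable?)\n' >&2

# The VPN endpoint(s) and the resolver must stay reachable outside the tunnel.
for ip in "${vpn_ips[@]}"; do
  ipt -A OUTPUT -j ACCEPT -d "$ip"
  ipt -A INPUT -j ACCEPT -s "$ip"
done
ipt -A OUTPUT -j ACCEPT -d "$DNSIP"
ipt -A INPUT -j ACCEPT -s "$DNSIP"

# Everything not explicitly allowed above is now dropped.
ipt -P OUTPUT DROP
ipt -P INPUT DROP
set_ipv6_disabled 1
echo "Killswitch enabled"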