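#!/bin/bash
#
# OpenVPN "killswitch".
#
# Run as an OpenVPN --up script it flushes iptables and installs a policy in
# which only loopback, tun+ and traffic to/from the VPN server and the pushed
# DNS resolver are allowed, DNATs every port-53 query to that resolver, drops
# STUN binding requests and disables IPv6.  Run as the --down script, or by
# hand as "<script> off", it removes all of that again.
#
# Usage:
#   openvpn --config whatever.ovpn --up <script> --down <script> --script-security 2
#   <script> off
#
# Environment (set by OpenVPN, see openvpn(8) "Environmental Variables"):
#   script_type       "up" or "down"
#   trusted_ip        address of the VPN server we are connected to
#   foreign_option_N  options pushed by the server, e.g. "dhcp-option DNS a.b.c.d"
#
# NOTE: the "-F" calls discard every pre-existing rule in the filter and nat
# tables; any other firewall on this host is replaced, not merged.

# Print an error to stderr and exit 1.
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# Run one iptables invocation, aborting the script if it fails.  In the "up"
# path the DROP policies are installed before any ACCEPT rule, so an abort
# leaves the host fail-closed instead of half-configured.
# Globals:   IPT (read)
# Arguments: iptables arguments
rule() {
  "$IPT" "$@" || die "iptables $* failed"
}

# Print the first IPv4 resolver the server pushed via "dhcp-option DNS",
# scanning foreign_option_1, foreign_option_2, ...  The value is validated
# because it is server-supplied and ends up as an iptables argument.
# Returns 1 if no such option was pushed.
pushed_dns_ip() {
  local i=1 name value
  while :; do
    name="foreign_option_${i}"
    value=${!name-}
    [[ -n "$value" ]] || return 1
    if [[ "$value" =~ ^dhcp-option[[:space:]]+DNS[[:space:]]+([0-9]{1,3}(\.[0-9]{1,3}){3})$ ]]; then
      printf '%s\n' "${BASH_REMATCH[1]}"
      return 0
    fi
    i=$((i + 1))
  done
}

# Toggle the kernel IPv6 stack: 1 disables it, 0 re-enables it.
# Best effort: on a kernel built without IPv6 the sysctls do not exist (and
# there is nothing to leak), so a failure only produces a warning.
# Arguments: $1 - 0 or 1
set_ipv6_disabled() {
  local value=$1 key
  for key in all default lo; do
    sysctl -qw "net.ipv6.conf.${key}.disable_ipv6=${value}" \
      || printf 'Warning: could not set net.ipv6.conf.%s.disable_ipv6\n' "$key" >&2
  done
}

# Remove the killswitch: flush both tables and restore ACCEPT policies.
killswitch_off() {
  rule -F
  rule -F -t nat
  rule -P OUTPUT ACCEPT
  rule -P INPUT ACCEPT
  set_ipv6_disabled 0
  printf '%s\n' "Killswitch disabled"
}

# Install the killswitch.  Refuses to run when the VPN server address or the
# pushed resolver is missing or malformed, rather than building rules from
# empty or arbitrary server-supplied strings.
# Globals:   trusted_ip, foreign_option_N (read)
killswitch_on() {
  local vpn_ip dns_ip
  vpn_ip=${trusted_ip-}
  [[ "$vpn_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
    || die "trusted_ip is not an IPv4 address: '${vpn_ip}'"
  dns_ip=$(pushed_dns_ip) \
    || die "server pushed no 'dhcp-option DNS <ipv4>'; refusing to enable killswitch"

  rule -F
  rule -F -t nat
  # Fail closed: from here on every failure leaves the DROP policies in place.
  rule -P OUTPUT DROP
  rule -P INPUT DROP
  rule -A INPUT -j ACCEPT -i lo
  rule -A OUTPUT -j ACCEPT -o lo
  rule -A INPUT -j ACCEPT -i tun+
  rule -A OUTPUT -j ACCEPT -o tun+
  # Redirect every DNS query to the pushed resolver, so a stale resolv.conf
  # cannot send queries to the ISP resolver.
  rule -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "$dns_ip"
  rule -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination "$dns_ip"
  # Drop STUN binding requests (message type 0x0001 and magic cookie
  # 0x2112a442 at the start of the UDP payload); browsers use STUN for WebRTC.
  # NOTE(review): the tun+ ACCEPT rules above match first, so this only
  # affects STUN that would leave via another interface -- presumably
  # intended, confirm.
  rule -A OUTPUT -p udp -m udp -m string --hex-string "|0001|" --algo bm --from 27 --to 28 \
    -m string --hex-string "|2112a442|" --algo bm --from 30 --to 34 -j DROP
  # The tunnel transport to the VPN server, and the pushed resolver, are the
  # only peers allowed on non-tun interfaces.
  rule -A OUTPUT -j ACCEPT -d "${vpn_ip},${dns_ip}"
  rule -A INPUT -j ACCEPT -s "${vpn_ip},${dns_ip}"
  set_ipv6_disabled 1
  printf '%s\n' "Killswitch enabled"
}

# Explain how the script is meant to be invoked.
usage() {
  printf '%s\n' \
    "Error: This script shouldn't be executed directly unless you're turning off the killswitch." \
    "" \
    "You should start this script using a command like:" \
    "openvpn --config whatever.ovpn --up $0 --script-security 2" \
    "or by putting in your OpenVPN config file:" \
    "up $0" \
    "script-security 2" \
    "" \
    "To turn off the killswitch, run:" \
    "$0 off"
}

main() {
  [[ "$(uname -s)" == "Linux" ]] || die "This script is for Linux"
  IPT=$(command -v iptables) || die "Can't find iptables"
  readonly IPT

  # When invoked by OpenVPN, $1 is the tun device name; "off" only occurs
  # when a person runs the script by hand.
  if [[ "${script_type-}" == "down" || "${1-}" == "off" ]]; then
    killswitch_off
    exit 0
  fi
  if [[ "${script_type-}" == "up" ]]; then
    killswitch_on
    exit 0
  fi
  if [[ -z "${script_type-}" ]]; then
    usage
    exit 1
  fi
  # Any other script_type (e.g. route-up): nothing to do.
}

main "$@"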