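├── scripts
│   ├── stop.sh
│   ├── start-blocking.sh
│   ├── build.sh
│   └── vpn-server.sh
└── README.md

/scripts/stop.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Disable the PF packet filter (undoes start-blocking.sh). Must run as root.
# This only disables PF; the "aws" table that build.sh populated is not
# touched.
pfctl -d
--------------------------------------------------------------------------------

/scripts/start-blocking.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Enable PF and stream the packets it blocks: the "block out log" rule in
# /etc/pf.conf writes them to pflog0, which tcpdump reads. Must run as root.
# Redirect stdout to keep a log file:  sudo ./start-blocking.sh > log.txt
#
# The INT trap is installed BEFORE tcpdump starts. tcpdump runs in the
# foreground until it is interrupted, so a trap set after it would never be
# armed and PF would stay enabled after Ctrl-C.
trap '{ echo "Stop blocking traffic to aws" ; pfctl -d ; exit 1; }' INT

pfctl -e
# Fails harmlessly if pflog0 already exists.
ifconfig pflog0 create
tcpdump -n -e -ttt -i pflog0
--------------------------------------------------------------------------------

/scripts/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Populate the PF table "aws" with every prefix Amazon publishes in
# ip-ranges.json (IPv4 and IPv6). The JSON is read from stdin when stdin is
# not a terminal, otherwise it is downloaded from JSON_URL. Must run as root.
#
# Requires: jq, curl, pfctl. The table is what the "block out log" rule in
# /etc/pf.conf refers to (see README.md).
set -euo pipefail

# Optional jq "| select(...)" clause appended to the array selector;
# empty means every region and service.
FILTERS=""
readonly JSON_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print one line per unique prefix in the form
#   <prefix> "<regions>" "<services>"
# where regions/services are the sorted, comma-separated sets using it.
# Arguments:
#   $1 - ip-ranges.json contents
#   $2 - extra jq filter clause (may be empty)
#   $3 - array to read: "prefixes" or "ipv6_prefixes"
#   $4 - prefix key inside that array: "ip_prefix" or "ipv6_prefix"
# Outputs: the prefix lines on stdout, version-sorted and de-duplicated
# Returns: non-zero (and aborts the script under set -e) if jq fails,
#          e.g. on malformed JSON
#######################################
extract_ip_ranges() {
  local json=$1
  local filters=$2
  local array=$3
  local prefix=$4
  local ranges

  # Group entries by prefix so a prefix shared by several regions or services
  # is emitted once, with the union of its regions and services.
  local group="group_by(.${prefix})"
  local map="map({ \"ip\": .[0].${prefix}, \"regions\": map(.region) | unique, \"services\": map(.service) | unique })"
  local to_string='.ip + " \"" + (.regions | sort | join (", ")) + "\" \"" + (.services | sort | join (", ")) + "\""'
  local process="[ .${array}[]${filters} ] | ${group} | ${map} | .[] | ${to_string}"

  # Assigned separately from 'local' so a jq failure is not masked.
  ranges=$(jq -r "$process" <<<"$json" | sort -Vu)
  printf '%s\n' "$ranges"
}

#######################################
# Add every prefix from extract_ip_ranges output to the PF table "aws".
# Arguments:
#   $1 - IP version tag ("" or "6"); unused, kept for symmetry with
#        vpn-server.sh
#   $2 - newline-separated prefix lines as produced by extract_ip_ranges
# Outputs: pfctl's own progress output
# Returns: 0; a prefix that pfctl rejects is reported on stderr and skipped
#######################################
add_pf_rules() {
  local line ip

  # Each line is built from remote data, so only its first whitespace-
  # delimited field (the prefix) is taken, with read -r. Nothing from the
  # feed is ever handed to eval or otherwise parsed as shell.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    read -r ip _ <<<"$line"
    pfctl -t aws -T add "$ip" \
      || printf 'warn: could not add %s to table aws\n' "$ip" >&2
  done <<<"$2"
}

main() {
  local json v4_ranges v6_ranges

  command -v jq >/dev/null || die "jq is required (brew install jq)"

  if [[ ! -t 0 ]]; then
    # Caller piped the JSON in (e.g. a saved copy of ip-ranges.json).
    json=$(cat)
  else
    # -f: treat an HTTP error page as a failure instead of feeding it to jq.
    json=$(curl -fsSL "$JSON_URL") || die "could not download $JSON_URL"
  fi
  [[ -n "$json" ]] || die "empty ip-ranges JSON"

  v4_ranges=$(extract_ip_ranges "$json" "$FILTERS" "prefixes" "ip_prefix")
  add_pf_rules "" "$v4_ranges"

  v6_ranges=$(extract_ip_ranges "$json" "$FILTERS" "ipv6_prefixes" "ipv6_prefix")
  add_pf_rules "6" "$v6_ranges"
}

main "$@"
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------

# Fuck off AWS
Amazon publishes a list of the IP addresses they control here: https://ip-ranges.amazonaws.com/ip-ranges.json . What follows is a way to prevent yourself / the websites you visit from reaching out to AWS machines. Spoiler alert: the internet becomes pretty unusable. For Linux see: https://github.com/corbanworks/aws-blocker

### Dependencies
This is for OSX, specifically using its built-in packet filter, PF. You will also need the JSON processor `jq`. I used Homebrew to install it:
1. `xcode-select --install`
1. `ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"`
1. `brew install jq`

### Installation
1. Clone this repository
1. `cd fuck-off-aws/scripts`
1. `chmod +x build.sh start-blocking.sh stop.sh`
1. Create or edit the file `/etc/pf.conf` and add this line to the end of it: `block out log from any to <aws>` (`aws` is the PF table that `build.sh` fills)
1. `sudo ./build.sh` <- all scripts must be run as a superuser :(. This script will fetch the most recent list of Amazon IPs and set up a PF table so that all traffic from your machine to those IP addresses is blocked and logged. This will also block any third-party content, images, or fonts that are served from AWS.

### Usage
1. `sudo ./start-blocking.sh` <- this enables your packet filter. It also logs all blocked traffic to an interface and reads those packets with tcpdump. To log to a file run `sudo ./start-blocking.sh > log.txt`
1. `sudo ./stop.sh` <- disables your packet filter.
#### NOTE/BUG
Even after you stop `start-blocking.sh`, run `sudo ./stop.sh` to make sure the filter is fully disabled.
Also, this was adapted from https://github.com/corbanworks/aws-blocker/blob/master/aws-blocker
### OpenVPN
1. `vpn-server.sh` is meant to be run on a VPN server (Linux with iptables/ip6tables; clients are expected on `tun0`). This will block all connected clients' requests to AWS.
--------------------------------------------------------------------------------

/scripts/vpn-server.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Block forwarded VPN-client traffic (arriving on VPN_IF) to every prefix
# Amazon publishes in ip-ranges.json, using an "AWS" chain in iptables and
# ip6tables. The JSON is read from stdin when stdin is not a terminal,
# otherwise it is downloaded from JSON_URL. Must run as root.
#
# Usage: vpn-server.sh [POSITION] [REGION...]
#   POSITION - position of the jump to the AWS chain in FORWARD (default 1)
#   REGION   - optional region substrings; only prefixes whose region
#              contains one of them are blocked
#
# from https://github.com/corbanworks/aws-blocker/blob/master/aws-blocker

# Options live in 'set', not the shebang, so they survive 'bash vpn-server.sh'.
set -euo pipefail

readonly JSON_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
# Interface the VPN clients' packets arrive on.
readonly VPN_IF="tun0"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Build the jq clause that restricts prefixes to the given AWS regions.
# Arguments: $@ - region names, matched as substrings of .region
# Outputs:   ' | select(...), select(...)' on stdout, or nothing when no
#            regions were given
# Note: each name is spliced into a jq string literal; a name containing
#       a double quote would break the jq program.
#######################################
build_filters() {
  local arg filters=""

  for arg in "$@"; do
    [[ -n "$filters" ]] && filters+=", "
    filters+="select(.region | contains(\"${arg}\"))"
  done

  [[ -n "$filters" ]] && filters=" | ${filters}"
  printf '%s' "$filters"
}

#######################################
# Print one line per unique prefix in the form
#   <prefix> "<regions>" "<services>"
# where regions/services are the sorted, comma-separated sets using it.
# Arguments:
#   $1 - ip-ranges.json contents
#   $2 - extra jq filter clause from build_filters (may be empty)
#   $3 - array to read: "prefixes" or "ipv6_prefixes"
#   $4 - prefix key inside that array: "ip_prefix" or "ipv6_prefix"
# Outputs: the prefix lines on stdout, version-sorted and de-duplicated
# Returns: non-zero (and aborts the script under set -e) if jq fails,
#          e.g. on malformed JSON
#######################################
extract_ip_ranges() {
  local json=$1
  local filters=$2
  local array=$3
  local prefix=$4
  local ranges

  # Group entries by prefix so a prefix shared by several regions or services
  # is emitted once, with the union of its regions and services.
  local group="group_by(.${prefix})"
  local map="map({ \"ip\": .[0].${prefix}, \"regions\": map(.region) | unique, \"services\": map(.service) | unique })"
  local to_string='.ip + " \"" + (.regions | sort | join (", ")) + "\" \"" + (.services | sort | join (", ")) + "\""'
  local process="[ .${array}[]${filters} ] | ${group} | ${map} | .[] | ${to_string}"

  # Assigned separately from 'local' so a jq failure is not masked.
  ranges=$(jq -r "$process" <<<"$json" | sort -Vu)
  printf '%s\n' "$ranges"
}

#######################################
# Ensure the AWS chain exists, is jumped to from FORWARD, and is empty.
# Arguments:
#   $1 - "" for iptables, "6" for ip6tables
#   $2 - position at which the jump to AWS is inserted into FORWARD
# Returns: non-zero (aborting the script) if any iptables call fails
#######################################
create_and_flush_chain() {
  local version=$1
  local position=$2
  local cmd="ip${version}tables"

  if ! "$cmd" -n --list AWS >/dev/null 2>&1; then
    "$cmd" -N AWS
  fi

  # Client traffic on VPN_IF is forwarded, not delivered locally, so the
  # chain is hooked into FORWARD. -C keeps re-runs from stacking jumps.
  if ! "$cmd" -C FORWARD -j AWS >/dev/null 2>&1; then
    "$cmd" -I FORWARD "$position" -j AWS
  fi

  "$cmd" -F AWS
}

#######################################
# Append a REJECT rule to the AWS chain for every prefix from
# extract_ip_ranges output.
# Arguments:
#   $1 - "" for iptables, "6" for ip6tables
#   $2 - newline-separated prefix lines as produced by extract_ip_ranges
# Returns: non-zero (aborting the script) if any iptables call fails
#######################################
add_iptables_rules() {
  local version=$1
  local cmd="ip${version}tables"
  local line ip

  # Each line is built from remote data, so only its first whitespace-
  # delimited field (the prefix) is taken, with read -r. Nothing from the
  # feed is ever handed to eval or otherwise parsed as shell.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    read -r ip _ <<<"$line"
    # Rules live in the AWS chain, which create_and_flush_chain empties, so
    # re-running the script replaces the rule set instead of duplicating it.
    "$cmd" -A AWS -i "$VPN_IF" -d "$ip" -j REJECT
  done <<<"$2"
}

main() {
  local position=1
  local json filters v4_ranges v6_ranges

  # Optional first argument: FORWARD position of the jump; any remaining
  # arguments are region filters.
  if [[ -n "${1:-}" ]]; then
    position=$1
    shift
  fi

  command -v jq >/dev/null || die "jq is required"

  if [[ ! -t 0 ]]; then
    # Caller piped the JSON in (e.g. a saved copy of ip-ranges.json).
    json=$(cat)
  else
    # -f: treat an HTTP error page as a failure instead of feeding it to jq.
    json=$(curl -fsSL "$JSON_URL") || die "could not download $JSON_URL"
  fi
  [[ -n "$json" ]] || die "empty ip-ranges JSON"

  filters=$(build_filters "$@")

  # IPv4
  create_and_flush_chain "" "$position"
  echo "v4"
  v4_ranges=$(extract_ip_ranges "$json" "$filters" "prefixes" "ip_prefix")
  add_iptables_rules "" "$v4_ranges"

  # IPv6
  create_and_flush_chain 6 "$position"
  v6_ranges=$(extract_ip_ranges "$json" "$filters" "ipv6_prefixes" "ipv6_prefix")
  add_iptables_rules "6" "$v6_ranges"
}

main "$@"
--------------------------------------------------------------------------------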