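#!/bin/bash
#
# Backend side of a GRE tunnel to a BuyVM VPS: binds the BuyVM DDoS-protected
# IP to gre1 and moves this host's default route into the tunnel.
#
# Security notes for operators:
#  - GRE carries packets without encryption or authentication. Anything that
#    needs confidentiality or integrity between this host and the BuyVM VPS
#    has to get it from another layer (TLS, SSH, an encrypted tunnel).
#  - Nothing here hides or filters BACKEND_IP. The address stays directly
#    reachable, so the DDoS protection only holds while it is undisclosed.
#    A host firewall limiting what may reach BACKEND_IP (GRE from
#    BUYVM_UNPROTECTED_IP plus your own management access) is worth adding
#    separately.
#  - Run as root from a console or out-of-band session: the last step
#    replaces the default route.
#
set -u
#
# Variables
#
# Adjust these to match your BuyVM VPS & Backend IP's!
#
BUYVM_UNPROTECTED_IP="BUYVM_UNPROTECTED_IP"
BUYVM_PROTECTED_IP="BUYVM_DDOS_IP"
BACKEND_IP="YOUR_BACKEND_IP"
#
# DO NOT CHANGE ANYTHING PAST THIS POINT
#

# Print a message to stderr and stop before any further change is made.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Succeed when $1 looks like a dotted-quad IPv4 address (shape check only).
is_ipv4() {
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  [[ $1 =~ $re ]]
}

# Refuse to run with the placeholder values still in place; every later
# command interpolates these three settings.
for var_name in BUYVM_UNPROTECTED_IP BUYVM_PROTECTED_IP BACKEND_IP; do
  is_ipv4 "${!var_name}" \
    || die "$var_name is not an IPv4 address (got '${!var_name}')"
done

# Current default gateway; only the first default route is considered.
GATEWAY_IP=$(ip route show default 0.0.0.0/0 | awk '{print $3; exit}')
is_ipv4 "$GATEWAY_IP" || die "could not determine the current default gateway"
# If the default route already points at the tunnel peer, the cutover has
# been done. Going on would pin the BuyVM route to the tunnel itself.
[[ $GATEWAY_IP != 192.168.168.1 ]] \
  || die "default route already points into the tunnel; nothing to do"

# Interface that carries BACKEND_IP. The address is compared exactly, so
# 10.0.0.1 does not match 10.0.0.10 and '.' is not treated as a wildcard.
INTERFACE=$(ip -br addr show | awk -v ip="$BACKEND_IP" '
  {
    for (i = 3; i <= NF; i++) {
      split($i, parts, "/")
      if (parts[1] == ip) { print $1; exit }
    }
  }')
[[ -n $INTERFACE ]] \
  || die "BACKEND_IP $BACKEND_IP is not configured on any interface"

# bring up our GRE to our BuyVM VPS (reuse gre1 if an earlier run created it)
ip link show gre1 >/dev/null 2>&1 \
  || ip tunnel add gre1 mode gre local "$BACKEND_IP" \
       remote "$BUYVM_UNPROTECTED_IP" ttl 255 \
  || die "could not create gre1"
ip link set gre1 up || die "could not bring gre1 up"

# make sure our routing table exists
if ! grep -Fxq "100 BUYVM" /etc/iproute2/rt_tables; then
  echo "100 BUYVM" >> /etc/iproute2/rt_tables
fi

# add our IP addresses
# NOTE: the 192.168.168.2 IP is only used for transporting packets to/from BuyVM, nothing more
# Entries that already exist are reported by ip and the script carries on,
# as the original did.
ip addr add 192.168.168.2/30 dev gre1
ip addr add "$BUYVM_PROTECTED_IP/32" dev gre1
ip rule add from "$BUYVM_PROTECTED_IP" lookup BUYVM
ip route add default via 192.168.168.1 table BUYVM

# this is needed since we have multiple IP's on the GRE interface
# The rule has no source match: everything leaving through gre1 is rewritten
# to the protected IP, so outbound connections do not carry another address.
# -C keeps a re-run from stacking duplicate rules.
iptables -t nat -C POSTROUTING -o gre1 -j SNAT \
    --to-source "$BUYVM_PROTECTED_IP" 2>/dev/null \
  || iptables -t nat -I POSTROUTING -o gre1 -j SNAT \
       --to-source "$BUYVM_PROTECTED_IP"

# handle our resolvers
# NOTE: this is sloppy and makes Poettering spin in his grave
# This overwrites whatever resolver configuration was there before.
printf 'nameserver 4.2.2.1\nnameserver 4.2.2.2\n' > /etc/resolv.conf

# finally cut over our routing
# NOTE: this will cut all access to your BACKEND IP!
# The host route must be in place first: without it the GRE packets to the
# BuyVM VPS would follow the new default route into the tunnel itself and
# the host would lose connectivity. Stop here if it cannot be installed.
ip route replace "$BUYVM_UNPROTECTED_IP" via "$GATEWAY_IP" dev "$INTERFACE" onlink \
  || die "could not pin the route to $BUYVM_UNPROTECTED_IP; default route left unchanged"
ip route replace default via 192.168.168.1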