{{tag>bash scripts networking firewall}}
====== Geoblock country bash script ======
===== Install prerequisites =====
# ipset holds the country block list and shorewall consumes it through blrules
# (net:+geoblock). "aggregate" is not invoked by anything on this page —
# presumably intended for merging prefixes from the RIPE alternative; verify.
apt install ipset aggregate shorewall
===== Setup shorewall =====
Tutorial for a simple standalone (single-interface) firewall: https://shorewall.org/standalone.htm
===== Install and start ipset script =====
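#!/bin/bash
# Refresh the "geoblock" ipset from ipdeny's aggregated country zone file.
# shorewall's blrules DROP every packet whose source is in this set, so the
# script must never leave the set empty because a download failed or was
# tampered with: the new list is built in a scratch set and swapped in only
# once it is known to be usable (the old flush-then-add emptied the live set
# first and left it empty if wget failed).
#
# Globals (environment, all optional):
#   GEOBLOCK_COUNTRY  lowercase country code of the zone file (default: fr)
#   GEOBLOCK_SET      name of the ipset to refresh (default: geoblock,
#                     must match the "+geoblock" reference in blrules)
# Outputs:  stdout and stderr are forwarded to syslog through logger(1)
# Returns:  0 when the set was refreshed, 1 when the zone file could not be
#           fetched or contained no valid IPv4 prefix; ipset errors also exit
#           non-zero under set -e
#
# debug
# set -x
set -euo pipefail

readonly country="${GEOBLOCK_COUNTRY:-fr}"
readonly set_name="${GEOBLOCK_SET:-geoblock}"
readonly tmp_set="${set_name}_new"
# HTTPS: over plain HTTP anyone on the path could rewrite the list and choose
# which networks this firewall drops (or stops dropping).
readonly zone_url="https://www.ipdeny.com/ipblocks/data/aggregated/${country}-aggregated.zone"
# The zone file is untrusted input that becomes kernel-side set entries:
# accept one IPv4 address or CIDR prefix per line and nothing else.
readonly cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
# Alternative source (write its output to "$zone_file" in place of wget):
#   wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest \
#     | awk -F'|' '$2 == "FR" && $3 == "ipv4" { printf("%s/%d\n", $4, 32-log($5)/log(2)) }'

exec 1> >(logger -s -t "$(basename "$0")") 2>&1
logger "Start: $0"

zone_file=$(mktemp) || { logger "mktemp failed"; exit 1; }
cleanup() {
  rm -f -- "$zone_file"
  # Best effort: the scratch set does not exist on early exits.
  /sbin/ipset destroy "$tmp_set" 2>/dev/null || true
}
trap cleanup EXIT

# Fetch before touching any set, so a failed download keeps the old entries.
if ! /usr/bin/wget -q -O "$zone_file" "$zone_url"; then
  logger "Download of $zone_url failed; keeping current $set_name"
  exit 1
fi

# grep -c prints 0 and exits 1 when nothing matches; keep the 0.
count=$(grep -Ec -- "$cidr_re" "$zone_file" || true)
if (( count == 0 )); then
  logger "No valid IPv4 prefixes in $zone_url; keeping current $set_name"
  exit 1
fi

# Build the list in a scratch set and swap it in atomically, so the live set
# is never empty while the new list is being loaded.
/sbin/ipset create "$set_name" hash:net -exist
/sbin/ipset create "$tmp_set" hash:net -exist
/sbin/ipset flush "$tmp_set"
# One ipset process for the whole list instead of one fork per prefix.
grep -E -- "$cidr_re" "$zone_file" \
  | awk -v set="$tmp_set" '{ print "add", set, $0 }' \
  | /sbin/ipset -exist restore
/sbin/ipset swap "$tmp_set" "$set_name"

logger "$count prefixes loaded into $set_name"
logger "End: $0"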
# Make the script executable and do the first load now; later refreshes come
# from the shorewall "started" hook and the weekly cron job further down.
chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
/usr/local/sbin/ipset-geoblock-country.sh
===== Verify loaded ipset =====
# The listing must show entries: with an empty set the DROP rule in blrules
# matches nothing and the country is not blocked at all.
ipset list geoblock
===== Configure shorewall blacklist =====
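# Append the rule rather than overwrite: blrules may already hold entries.
# Run once — repeating it duplicates the rule. The quoted delimiter keeps the
# content literal. "+geoblock" names the ipset, which therefore has to exist
# before shorewall starts (see the pre-up line below).
touch /etc/shorewall/blrules
cat <<'EOF' >>/etc/shorewall/blrules
#ACTION SOURCE DEST PROTO DPORT
DROP net:+geoblock all
EOF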
===== Restart shorewall =====
# Validate the configuration (including the new blrules) first; restart only
# once the check passes, otherwise a typo takes the firewall down.
shorewall check
shorewall restart
===== Make persistent via /etc/network/interfaces (the set must exist before shorewall starts) =====
# Add to the interface stanza in /etc/network/interfaces: creates the (still
# empty) set so shorewall's reference to +geoblock resolves at boot; the
# "started" hook below fills it afterwards.
pre-up /sbin/ipset create geoblock hash:net -exist
===== Load ipset after shorewall has started =====
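# shorewall runs this extension script once the firewall is up. The refresh
# is backgrounded, presumably so startup does not wait for the download; until
# it finishes the set holds only what earlier runs left in it. Quoted
# delimiter: the content is written literally.
touch /etc/shorewall/started
cat <<'EOF' >/etc/shorewall/started
#!/bin/bash
/usr/local/sbin/ipset-geoblock-country.sh &
EOF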
===== Refresh ipset weekly on Mondays =====
# Fields: minute hour day-of-month month day-of-week → 06:30 every Monday.
# Presumably root's crontab, since the script calls ipset — verify.
crontab -e
30 6 * * 1 /usr/local/sbin/ipset-geoblock-country.sh
Reboot and check that the set is populated again (''ipset list geoblock'').
====== Tested on ======
* Debian 9 Stretch
====== See also ======
====== References ======