Geoblock country bash script

Install prerequisites

apt install ipset aggregate shorewall

Setup shorewall

Follow the single-interface (standalone) tutorial: https://shorewall.org/standalone.htm

Install and start ipset script

/usr/local/sbin/ipset-geoblock-country.sh
#!/bin/bash
# debug
# set -x
exec 1> >(logger -s -t "$(basename "$0")") 2>&1
logger "Start: $0"
# Build the list in a scratch set and swap it in only after a successful
# download, so a failed fetch never leaves the live set flushed (fail closed).
/sbin/ipset create geoblock hash:net -exist
/sbin/ipset create geoblock_tmp hash:net -exist
/sbin/ipset flush geoblock_tmp
# alternatives (note: RIPE counts are not always powers of two, so %d truncates the prefix)
#ZONE=$(/usr/bin/wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest | awk -F'|' 'BEGIN{OFS=""} ( $2 == "FR" ) && $3 == "ipv4" {print $4,"/",32-(log($5)  /log(2))}')
#ZONE=$(/usr/bin/wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest | grep "ripencc|FR|ipv4" | awk -F '|' '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }')
ZONE=$(/usr/bin/wget -q -O - http://www.ipdeny.com/ipblocks/data/aggregated/fr-aggregated.zone)
if [ $? -ne 0 ] || [ -z "$ZONE" ]; then
  logger "Download failed or empty; keeping the previous set"
  /sbin/ipset destroy geoblock_tmp
  exit 1
fi
for IP in $ZONE
do
  # the list arrives over plain HTTP, unauthenticated: accept only IPv4 prefixes
  [[ $IP =~ ^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$ ]] || continue
  /sbin/ipset add geoblock_tmp "$IP" -exist
done
/sbin/ipset swap geoblock_tmp geoblock
/sbin/ipset destroy geoblock_tmp
logger "End: $0"
chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
/usr/local/sbin/ipset-geoblock-country.sh
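The commented RIPE alternatives in the script derive the prefix length as 32 - log2(count), but the counts in the delegated-ripencc file are not always powers of two; the formula then yields a fractional prefix, printf %d truncates it to a shorter prefix, and the set ends up blocking addresses that were never delegated to the country. The helper below is an added example (not part of the original script) that splits each delegated range into aligned CIDR blocks covering exactly the delegated addresses, and discards records that are not well-formed so a truncated download or an HTML error page adds nothing to the set. The sample records are constructed from documentation prefixes, not real allocations.

```shell
#!/bin/sh
# Added example: convert RIPE "delegated" records to exact CIDR blocks.
# Record format: registry|cc|type|start|count|date|status

ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || { echo "bad address: $*" >&2; return 1; }
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs START_IP COUNT
# Prints the minimal list of aligned CIDR blocks covering exactly
# [START_IP, START_IP+COUNT), one per line.
range_to_cidrs() {
  start=$(ip2int "$1") || return 1
  count=$2
  while [ "$count" -gt 0 ]; do
    # grow the block while it fits in the range and stays aligned to its start
    size=1
    while [ $((size * 2)) -le "$count" ] && [ $((start % (size * 2))) -eq 0 ]; do
      size=$((size * 2))
    done
    prefix=32; s=$size
    while [ "$s" -gt 1 ]; do s=$((s / 2)); prefix=$((prefix - 1)); done
    echo "$(int2ip "$start")/$prefix"
    start=$((start + size))
    count=$((count - size))
  done
}

# delegated_to_cidrs CC   (reads a delegated file on stdin)
# Keeps only ipv4 records for country CC; fields that are not a dotted
# address and a decimal count are rejected (loose check, no octet range test).
delegated_to_cidrs() {
  cc=$1
  while IFS='|' read -r registry country type start count rest; do
    [ "$country" = "$cc" ] && [ "$type" = ipv4 ] || continue
    case $start in ''|*[!0-9.]*|.*|*.|*..*) continue ;; esac
    case $count in ''|*[!0-9]*) continue ;; esac
    range_to_cidrs "$start" "$count"
  done
}

# Constructed sample in delegated-ripencc format (documentation prefixes,
# not real allocations). The 3072-address record is the interesting one.
SAMPLE='2|ripencc|20240101|4|19920101|20240101|+0100
ripencc|*|ipv4|*|2|summary
ripencc|FR|ipv4|192.0.2.0|256|20100101|allocated
ripencc|FR|ipv4|198.51.100.0|3072|20100101|allocated
ripencc|DE|ipv4|203.0.113.0|256|20100101|allocated
ripencc|FR|ipv6|2001:db8::|32|20100101|allocated'

printf '%s\n' "$SAMPLE" | delegated_to_cidrs FR
```

For the 3072-address record the output is 198.51.100.0/22 followed by 198.51.104.0/21, because 198.51.100.0 is only aligned to a /22 boundary; the log2 one-liner would have emitted 198.51.100.0/20 and blocked 1024 extra addresses. The output can be piped straight into the script's ipset loop in place of the ipdeny zone file.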

Verify loaded ipset

ipset list geoblock

Configure shorewall blacklist

The +geoblock source matches the ipset of that name, so the set must exist whenever shorewall (re)loads its rules.

cat <<EOF >/etc/shorewall/blrules
#ACTION      SOURCE           DEST     PROTO    DPORT
DROP         net:+geoblock    all
EOF

Restart shorewall

shorewall check
shorewall restart

Create the set at boot, before shorewall starts

Shorewall cannot load a rule that references a non-existent set, so create the (still empty) set from the interface stanza in /etc/network/interfaces:

pre-up /sbin/ipset create geoblock hash:net -exist

Populate the set once shorewall has started

Shorewall runs /etc/shorewall/started after the firewall is up. The loader is backgrounded so the firewall start does not wait on the download; until it finishes the set is empty and the DROP rule matches nothing, so there is a short window after boot in which the geoblock is not yet in effect.

cat <<EOF >/etc/shorewall/started
#!/bin/bash

/usr/local/sbin/ipset-geoblock-country.sh &
EOF

Refresh the set weekly, every Monday at 06:30 (root's crontab)

crontab -e
30 6 * * 1 /usr/local/sbin/ipset-geoblock-country.sh

Reboot and check that the set is populated again (ipset list geoblock) and that connections from the blocked country are dropped.
