User Tools

Site Tools


Geoblock country bash script

Install prerequisites

apt install ipset aggregate shorewall

Setup shorewall

Simple interface tutorial

Install and start ipset script
# debug
# set -x
exec 1> >(logger -s -t $(basename $0)) 2>&1
logger "Start: $0"
/sbin/ipset create geoblock hash:net -exist
/sbin/ipset flush geoblock
for IP in $(/usr/bin/wget -O -
# alternatives
#for IP in $(/usr/bin/wget -q -O - | awk -F'|' 'BEGIN{OFS=""} ( $2 == "FR" ) && $3 == "ipv4" {print $4,"/",32-(log($5)  /log(2))}')
#for IP in $(/usr/bin/wget -q -O - | grep "ripencc|FR|ipv4" | awk -F '|' '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }')
  /sbin/ipset -A geoblock $IP -exist
logger "End: $0"
chmod u+x /usr/local/sbin/

Verify loaded ipset

ipset list geoblock

Configure shorewall blacklist

touch /etc/shorewall/blrules
cat <<EOF >
#ACTION      SOURCE           DEST     PROTO    DPORT
DROP         net:+geoblock    all

Restart shorewall

shorewall check
shorewall restart

Make persistent via interfaces (before shorewall starts)

pre-up /sbin/ipset create geoblock hash:net -exist

Load ipset after shorewall has started

touch /etc/shorewall/started
cat <<EOF >/etc/shorewall/started

/usr/local/sbin/ &

Refresh ipset weekly on mondays

crontab -e
30 6 * * 1 /usr/local/sbin/

Reboot and check.

Tested on

  • Debian 9 Stretch

See also


wiki/geoblock_country_bash_script.txt · Last modified: 2021/07/15 15:35 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki