block-countries

#!/bin/bash

bin="$(readlink -f "$(dirname "$0")")"

. "$bin"/block-countries.conf

function DIE () {
	rm -f zones.$$ drop.lasso.zone
	}
trap DIE EXIT

chain=blockcountries
rulecheck="`iptables -vnL`"


# Check that a set exists in bash:
ipset -L blockcountries  >/dev/null 2>&1
if [ $? -ne 0 ]; then
		ipset create blockcountries hash:net 
fi


 # if [[ '*match-set blockcountries*' == rulecheck ]]; then 
 #   echo " blockcountries rule found"
 # else
 #   echo " blockcountries rule not found"
	# iptables -A INPUT -p tcp -m set --match-set blockcountries src -m multiport --dport 22,80,443 -j REJECT

 # fi

zn=0
sed 's/ *;.*//' < www.spamhaus.org/drop/drop.lasso | grep -v '^$' > drop.lasso.zone
for z in drop.lasso.zone zones/*.zone ; do
	if [ "$z" = drop.lasso.zone ]
	then
		cc=00
	else
		cc="${z##*/}"
		cc="${cc%.zone}"
	fi
	echo -n $cc 1>&2
	if blockP $cc
	then
		cat $z
		zz=$(wc -l < $z)
		zn=$(( zn + zz ))
		echo -n "($zz)" 1>&2
	fi
	echo -n ' ' 1>&2
	echo $zn > zn.$$
done | $bin/compact_cidr.pl > zones.$$
echo 1>&2

zn=$( cat zn.$$ )
rm -f zn.$$
znn=$( wc -l < zones.$$ )
echo optimizing reduced $zn to $znn: $(( 100 - ( $znn * 100 / $zn ) ))% savings	1>&2

(
echo '*raw'
for ip in $(cat zones.$$ )
do
	ipset -exist add blockcountries $ip
	echo -A $chain -s $ip -j REJECT
	# echo -A $chain -j DROP -s $ip -p tcp --dport 22
done
echo COMMIT
) #| iptables-restore -n


#if [ $(iptables -t raw -nL PREROUTING | grep -c $chain ) -lt 3 ]
#then
#	for port in $PORTS
#	do
		#iptables -t raw -A PREROUTING -p tcp --dport $port -j $chain
#	done
#fi