add sinokorea droplist
diff --git a/sinokorea.sh b/sinokorea.sh
new file mode 100755 (executable)
index 0000000..b8edefd
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+. ./common.sh
+
+# this chain will drop anything we didn't establish
+chain='xenophobe'
+
+set_name='sinokorea'
+cidr_file="${set_name}.cidr"
+
+# Thank you, http://www.okean.com/antispam/sinokorea.html
+badcidrs_url="http://www.okean.com/sinokoreacidr.txt"
+
+if [ "$1" = "show" ]
+then
+        for c in INPUT "${chain}"
+        do
+                #only show counts for non-zero entries
+                $IPTABLES -vnx -L "${c}" | awk '$1 !~ 0 { print }'
+        done
+        exit
+fi
+
+# create or re-init chain
+if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+then
+        echo "initializing '${chain}' chain..."
+        $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+        $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+        $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+       $IPTABLES -L "${chain}"
+fi
+
+create_set sinokorea hash:net
+create_set sinokorea6 hash:net family inet6
+
+CURL_OPTS=''
+if [ -e "${cidr_file}" ]
+then
+        CURL_OPTS="-z '${cidr_file}'"
+fi
+(set -o pipefail; curl -sfL ${CURL_OPTS} "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${cidr_file}") || die 1 "failed to fetch list"
+
+insert_setmatch_rules sinokorea -m multiport -p tcp --dports ssh,smtp -j xenophobe
+reload_cidr_sets sinokorea
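Review bot: The fetch pipeline truncates `sinokorea.cidr` (via `> "${cidr_file}"`) before curl has produced anything, so a `304 Not Modified` (exactly what `-z` requests), a curl failure under a `/bin/sh` whose `set -o pipefail` is unsupported, or a server that returns an empty page leaves an empty list on disk that `reload_cidr_sets` then presumably loads — the droplist fails open. The `CURL_OPTS="-z '${cidr_file}'"` assignment also embeds literal single quotes that reach curl inside the argument, so as far as I can tell the time-condition is not being honoured today (curl treats an unparseable value as a date and disables it), which is what masks the 304 case. Fetch into a `mktemp` scratch file, require a non-empty result, and rename over the old list only on success, as below; drop the inner quotes (the path has no whitespace) and do not rely on `pipefail` in a `#!/bin/sh` script. Separately, the list is pulled over plain http and every first field is fed straight into an ipset, so an on-path party can add or remove prefixes; prefer https and filter lines through something like `grep -Ex '[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?'` before writing them. In the `show` branch, `awk '$1 !~ 0'` is a regex match and hides any counter containing a zero digit (10, 205); `awk '$1 != 0'` is what was intended.
```sh
# fetch into a scratch file so a failed, empty or 304 response cannot clobber the list in use
tmp_file=$(mktemp "${cidr_file}.XXXXXX") || die 1 "mktemp failed"
CURL_OPTS=''
[ -e "${cidr_file}" ] && CURL_OPTS="-z ${cidr_file}"
curl -sfL ${CURL_OPTS} "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${tmp_file}"
if [ -s "${tmp_file}" ]
then
        mv -f "${tmp_file}" "${cidr_file}"
else
        rm -f "${tmp_file}"
        # not modified or fetch failed: keep the list already on disk, abort only if there is none
        [ -s "${cidr_file}" ] || die 1 "failed to fetch list"
fi
# … unchanged: insert_setmatch_rules / reload_cidr_sets …
```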
+