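# This chain rejects (ICMP port-unreachable) anything we didn't establish
# ourselves; see the RETURN/REJECT rules added when it is initialised below.
# set_name is assigned earlier in the script (outside this excerpt).
cidr_file="${set_name}.cidr"
# Thank you, http://www.okean.com/antispam/sinokorea.html
# NOTE(review): the list is fetched over plain http://, so its contents are not
# integrity-protected in transit — confirm whether an https:// source is available.
badcidrs_url="http://www.okean.com/sinokoreacidr.txt"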
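# Print packet/byte counters for INPUT and for our chain, hiding rules that
# have not matched anything yet.
# NOTE(review): the listing omits the do/done lines (original lines 17 and 20);
# they are restored here from the loop's syntax.
for c in INPUT "${chain}"; do
  # Only show counts for non-zero entries. `$1 != 0` keeps the two header lines
  # (string comparison) and every rule whose packet count is non-zero; the
  # original `$1 !~ 0` was a regex match on the digit 0, which also hid any
  # count containing a zero (10, 2048, ...).
  $IPTABLES -vnx -L "${c}" | awk '$1 != 0 { print }'
done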
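# Create or re-init the chain. The body only runs when the chain does not
# exist yet; -N creates it, and if -N fails anyway we fall back to flushing.
# NOTE(review): the listing omits the then/fi lines (original lines 26 and 32);
# they are restored here from the if's syntax.
if ! $IPTABLES -L "${chain}" >/dev/null 2>&1; then
  echo "initializing '${chain}' chain..."
  # If neither create nor flush works, the -A calls below would fail one by
  # one; stop here instead, using the script's own die helper.
  $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}" || die 1 "cannot create or flush chain '${chain}'"
  # Replies to connections we opened ourselves return to the caller...
  $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  # ...everything else is rejected with an ICMP port-unreachable.
  $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
  $IPTABLES -L "${chain}"
fi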
# Set up the two ipset containers the CIDR list is loaded into:
# an IPv4 hash:net set and its IPv6 counterpart, both with counters.
create_set sinokorea hash:net counters
create_set sinokorea6 hash:net counters family inet6
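# Fetch the CIDR list, asking upstream for a newer copy only when we already
# have one on disk.
# NOTE(review): the listing omits the then/fi lines (original lines 39 and 41);
# they are restored here from the if's syntax.
curl_opts=()
if [ -e "${cidr_file}" ]; then
  # The original built a string, CURL_OPTS="-z '${cidr_file}'", and expanded it
  # unquoted: the single quotes reached curl as literal characters, so -z never
  # referred to the real file and the conditional fetch silently did nothing.
  # An array passes the file name as one argument.
  # NOTE(review): CURL_OPTS is no longer set here — confirm nothing later in
  # the script reads it.
  curl_opts=(-z "${cidr_file}")
fi
# Write to a temporary file in the same directory first. Redirecting straight
# onto "${cidr_file}" truncates it before curl runs, so a "not modified" reply
# (no body) would leave an empty list behind — and an empty list blocks nothing.
tmp_file=$(mktemp "${cidr_file}.XXXXXX") || die 1 "mktemp failed"
# ${curl_opts[@]+...} keeps an empty array from tripping `set -u` on older bash.
if ! (set -o pipefail; curl -sfL ${curl_opts[@]+"${curl_opts[@]}"} "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${tmp_file}"); then
  rm -f -- "${tmp_file}"
  die 1 "failed to fetch list"
fi
if [ -s "${tmp_file}" ]; then
  # Rename within the same directory, so readers never see a half-written list.
  mv -f -- "${tmp_file}" "${cidr_file}"
else
  # No output means upstream reported "not modified" (or an empty list):
  # keep the copy we already have.
  rm -f -- "${tmp_file}"
fi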
# Route new TCP connections to ssh/smtp from networks in the sinokorea set
# into the xenophobe chain, then (re)load the set from the CIDR file.
insert_setmatch_rules sinokorea -m multiport -p tcp --dports ssh,smtp -j xenophobe
reload_cidr_sets sinokorea counters