$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+# insert asia blocker
+./sinokorea.sh
+
# insert persistent-pest-blocker
./xenophobe.sh
--- /dev/null
+#!/bin/sh
+
+. ./common.sh
+
+# this chain will drop anything we didn't establish
+chain='xenophobe'
+
+set_name='sinokorea'
+cidr_file="${set_name}.cidr"
+
+# Thank you, http://www.okean.com/antispam/sinokorea.html
+badcidrs_url="http://www.okean.com/sinokoreacidr.txt"
+
+if [ "$1" = "show" ]
+then
+ for c in INPUT "${chain}"
+ do
+ #only show counts for non-zero entries
+ $IPTABLES -vnx -L "${c}" | awk '$1 !~ 0 { print }'
+ done
+ exit
+fi
+
+# create or re-init chain
+if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+then
+ echo "initializing '${chain}' chain..."
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -L "${chain}"
+fi
+
+create_set sinokorea hash:net
+create_set sinokorea6 hash:net family inet6
+
+CURL_OPTS=''
+if [ -e "${cidr_file}" ]
+then
+ CURL_OPTS="-z '${cidr_file}'"
+fi
+(set -o pipefail; curl -sfL ${CURL_OPTS} "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${cidr_file}") || die 1 "failed to fetch list"
+
+insert_setmatch_rules sinokorea -m multiport -p tcp --dports ssh,smtp -j xenophobe
+reload_cidr_sets sinokorea
+
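Review bot: The redirect `> "${cidr_file}"` on the curl pipeline truncates the existing list before curl even runs, so a failed fetch (the `die` fires only after the file is already empty) or a `-z` 304 Not-Modified (empty output, exit 0 under `-f`) leaves an empty `sinokorea.cidr` that the following `reload_cidr_sets sinokorea` presumably loads, silently emptying the set. The `-z` path also never works as written: `CURL_OPTS="-z '${cidr_file}'"` hands curl the literal quote characters, so it finds no such file and falls back to parsing the string as a date. Because these CIDRs go straight into firewall match rules, fetching them over plain `http://` with `-L` lets anyone on the path substitute the list (e.g. a `0.0.0.0/0` line would reject all new ssh/smtp); prefer `https://` with `--proto =https` if the host serves it, and note `set -o pipefail` is not available in dash/ash despite the `#!/bin/sh` shebang. Suggested replacement for the fetch section (chain and set creation unchanged):
```shell
# … unchanged: chain init, create_set calls …
tmp=$(mktemp "${cidr_file}.XXXXXX") || die 1 "mktemp failed"
# only send If-Modified-Since when we already hold a copy; no embedded quotes
if [ -e "${cidr_file}" ]; then set -- -z "${cidr_file}"; else set --; fi
if curl -sfL --proto '=https' "$@" "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${tmp}" \
   && [ -s "${tmp}" ]
then
  mv -- "${tmp}" "${cidr_file}"          # replace atomically, only on a non-empty result
else
  rm -f -- "${tmp}"                      # 304 or failure: keep the previous list
  [ -e "${cidr_file}" ] || die 1 "failed to fetch list"
fi
# … unchanged: insert_setmatch_rules, reload_cidr_sets …
```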