add sinokorea droplist
authorJustin Wind <justin.wind+git@gmail.com>
Fri, 27 Jan 2017 23:27:05 +0000 (15:27 -0800)
committerJustin Wind <justin.wind+git@gmail.com>
Fri, 27 Jan 2017 23:27:05 +0000 (15:27 -0800)
firewall.sh
sinokorea.sh [new file with mode: 0755]

index dbc0c3f47328828a09938e1083c0ff1fdfcaa41e..f880eafad6986950ea39bb344663ab4d74fbd70a 100755 (executable)
@@ -91,6 +91,9 @@ $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j A
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
 
+# insert asia blocker
+./sinokorea.sh
+
 # insert persistent-pest-blocker
 ./xenophobe.sh
 
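Review bot: `./sinokorea.sh` at line 15 is invoked by relative path with no status check, so the `die` that sinokorea.sh issues on a failed list fetch will not stop firewall.sh from continuing to the rules below unless the script runs under `set -e`, which is not visible in this hunk; `./sinokorea.sh || exit 1` would make a failed blocklist load fatal, or a short comment should say the call is deliberately best-effort. The same applies to the existing `./xenophobe.sh` call on line 18, so whichever convention is chosen should be applied to both. The surrounding rule set in firewall.sh continues outside the hunk.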
diff --git a/sinokorea.sh b/sinokorea.sh
new file mode 100755 (executable)
index 0000000..b8edefd
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+. ./common.sh
+
+# this chain will drop anything we didn't establish
+chain='xenophobe'
+
+set_name='sinokorea'
+cidr_file="${set_name}.cidr"
+
+# Thank you, http://www.okean.com/antispam/sinokorea.html
+badcidrs_url="http://www.okean.com/sinokoreacidr.txt"
+
+if [ "$1" = "show" ]
+then
+        for c in INPUT "${chain}"
+        do
+                #only show counts for non-zero entries
+                $IPTABLES -vnx -L "${c}" | awk '$1 !~ 0 { print }'
+        done
+        exit
+fi
+
+# create or re-init chain
+if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+then
+        echo "initializing '${chain}' chain..."
+        $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+        $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+        $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+       $IPTABLES -L "${chain}"
+fi
+
+create_set sinokorea hash:net
+create_set sinokorea6 hash:net family inet6
+
+CURL_OPTS=''
+if [ -e "${cidr_file}" ]
+then
+        CURL_OPTS="-z '${cidr_file}'"
+fi
+(set -o pipefail; curl -sfL ${CURL_OPTS} "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${cidr_file}") || die 1 "failed to fetch list"
+
+insert_setmatch_rules sinokorea -m multiport -p tcp --dports ssh,smtp -j xenophobe
+reload_cidr_sets sinokorea
+
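Review bot: The conditional download at lines 61–66 does not work as written: `CURL_OPTS="-z '${cidr_file}'"` embeds literal single quotes, so the unquoted expansion passes `'sinokorea.cidr'` (quotes included) as the -z argument, and as far as I know curl then fails to parse it as a date and disables the time condition with a warning. Fixing only the quoting would expose a second problem, because the redirection `> "${cidr_file}"` truncates the file before curl starts, so a 304 Not Modified would leave an empty list and `reload_cidr_sets` would quietly clear the set; the excerpt below fetches into a `mktemp` file, keeps the current list on 304, and only replaces it when the download produced content. `set -o pipefail` inside a `#!/bin/sh` script is also unavailable in several /bin/sh implementations (dash), where the subshell fails and every run would `die`; the excerpt drops it and checks the stages individually. Separately, the list is fetched over plain HTTP and then drives REJECT rules, so anything on the path can substitute the CIDRs — use the https URL if the site offers one, and the unpopulated `sinokorea6` set created on line 59 should either get its own fetch and `insert_setmatch_rules` call or a comment saying it is intentionally empty. A smaller defect at line 43: `awk '$1 !~ 0 { print }'` is a regex test and drops any row whose counter merely contains a 0 (10, 200, …); `awk '$1 != 0 { print }'` is the intended non-zero filter.
```shell
# … unchanged: create_set calls …
tmp=$(mktemp "${cidr_file}.XXXXXX") || die 1 "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
if [ -e "${cidr_file}" ]
then
        set -- -z "${cidr_file}"
else
        set --
fi
# a 304 Not Modified yields an empty body: keep the existing list in that case
if curl -sfL "$@" "${badcidrs_url}" > "$tmp" && [ -s "$tmp" ]
then
        decommentcat < "$tmp" | awk '{print $1}' > "${cidr_file}" || die 1 "failed to parse list"
elif [ ! -s "${cidr_file}" ]
then
        die 1 "failed to fetch list"
else
        echo "warning: fetch returned nothing, keeping existing '${cidr_file}'" >&2
fi
# … unchanged: insert_setmatch_rules / reload_cidr_sets …
```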