ipdeny.sh

#!/bin/bash
ISO="cn hk"
 
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
 
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DL4ROOT="http://www.ipdeny.com/ipblocks/data/aggregated"
DL6ROOT="http://www.ipdeny.com/ipv6/ipaddresses/aggregated"
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}
 
# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT
 
# clean old rules
cleanOldRules
 
# create a new iptables list
$IPT -N $SPAMLIST
 
for c  in $ISO
do
	# local zone file
	tDB4=$ZONEROOT/$c.IPv4.zone
 	tDB6=$ZONEROOT/$c.IPv6.zone
	# get fresh zone file
	$WGET -O $tDB4 $DL4ROOT/$c-aggregated.zone
	$WGET -O $tDB6 $DL6ROOT/$c-aggregated.zone
	# country specific log message
	SPAMDROPMSG="$c Country Drop"
 
	# get 
	BAD4IPS=$(egrep -v "^#|^$" $tDB4)
	for ipblock in $BAD4IPS
	do
#	   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
	   $IPT -A $SPAMLIST -s $ipblock -j DROP
	done
	BAD6IPS=$(egrep -v "^#|^$" $tDB6)
	for ipblock in $BAD6IPS
	do
#	   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
	   $IPT -A $SPAMLIST -s $ipblock -j DROP
	done
done
 
# Drop everything 
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
 
# call your other iptable script
# /path/to/other/iptables.sh
 
exit 0