Created
August 2, 2019 20:25
-
-
Save SpareSimian/c8475f140664e415fdc37b1073b563a1 to your computer and use it in GitHub Desktop.
Non-US ipset from whois database via ipdeny website
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # See http://www.ipdeny.com/ipblocks/ | |
| # allow function-like print when using Python 2 | |
| from __future__ import print_function | |
| import argparse | |
| import requests | |
| import io | |
| import tarfile | |
| import re | |
| desc = """ | |
| Download the current ipdeny list of netblocks assigned to countries | |
| and dump it into a file, excluding the netblocks for the US. The | |
| result can be imported into firewalld ipsets using | |
| --add-entries-from-file. | |
| """ | |
| parser = argparse.ArgumentParser(description=desc) | |
| parser.add_argument('--ipv6', '-6', help='fetch and convert ipv6 netblocks, instead', action='store_true') | |
| args = parser.parse_args() | |
| if args.ipv6: | |
| uri = 'http://www.ipdeny.com/ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz' | |
| else: | |
| uri = 'http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz' | |
| # fetch the tarball | |
| r = requests.get(uri) | |
| # convert the tarball into a file-like object | |
| f = io.BytesIO(r.content) | |
| # load it into a TarFile | |
| tar = tarfile.open(fileobj=f) | |
| # dump selected archive members to stdout | |
| for member in tar.getmembers(): | |
| # get member content | |
| # grab the country code | |
| m = re.search('([a-z][a-z])?.zone', member.name) | |
| # only consider zone files | |
| if not m: | |
| continue | |
| cc = m.group(1) | |
| # skip the US one | |
| if 'us' == cc: | |
| continue | |
| print('#', cc) | |
| fileobj = tar.extractfile(member) | |
| netblocks = fileobj.read() | |
| print(netblocks) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # fail on undeclared variables | |
| set -o nounset | |
| # fail on command exit | |
| set -o errexit | |
| # echo commands before execution | |
| #set -o xtrace | |
| # create a temp directory to hold downloaded content | |
| readonly mydir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename $0).XXXXXXXXXXXX") | |
| function clean_up { | |
| [[ -f ${mydir}/NonUS.zone ]] && /bin/rm ${mydir}/NonUS.zone | |
| [[ -d ${mydir} ]] && /bin/rmdir ${mydir} | |
| exit | |
| } | |
| trap clean_up 0 1 2 3 15 | |
| #echo ${mydir} | |
| #ls ${mydir} | |
| /usr/local/bin/ipdeny-to-NonUS.py > ${mydir}/NonUS.zone | |
| # count the (large, about 140k) number of entries so we can specify the | |
| # size of the ipset hash. | |
| readonly WC=$(cat ${mydir}/NonUS.zone | wc -l) | |
| # remove any existing ipset XML file. The in-kernel set will remain so | |
| # firewall rules will continue working. | |
| if /usr/bin/firewall-cmd --permanent --get-ipsets | grep -q '\WNonUS\W'; then | |
| /usr/bin/firewall-cmd --permanent --delete-ipset=NonUS | |
| fi | |
| # create and populate new XML file | |
| /usr/bin/firewall-cmd --permanent --new-ipset=NonUS --type=hash:net --family=inet --option=maxelem=${WC} | |
| /usr/bin/firewall-cmd --permanent --ipset=NonUS --add-entries-from-file=${mydir}/NonUS.zone | |
| clean_up |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment