@dachinat
Last active March 15, 2024 13:56
Allow certain countries only using UFW (Tested on CentOS 7, Ubuntu 16.04, Ubuntu 18.04)
#!/bin/bash
#title          :ufw_allow_countries.sh
#author         :JSC Novabyte (novabyte.co)
#date           :20/10/2018
#version        :0.0.1
#notes          :Use root privileges
#usage          :$sh ufw_allow_countries.sh
#license        :https://opensource.org/licenses/MIT

# Formatting
ERROR=$(tput setaf 1)
SUCCESS=$(tput setaf 2)
PRIMARY=$(tput setaf 4)
RESET=$(tput sgr0)

# Stop if ufw not accessible
if ! command -v ufw > /dev/null 2>&1; then
    echo "${ERROR}Error: ${RESET}ufw is not available"
    exit 1
fi

# Stop if wget not accessible
if ! command -v wget > /dev/null 2>&1; then
    echo "${ERROR}Error: ${RESET}wget is not available"
    exit 1
fi

# UFW executable path
UFW=$(command -v ufw)
# Wget executable path
WGET=$(command -v wget)
# Egrep executable path
EGREP=$(command -v egrep)

# Whitespace separated list of country ISO codes
ALLOW_COUNTRIES="ge"
# Place to store .zone files
ZONE_ROOT="/root/zones"
# Remote country database url (plain HTTP, so the downloaded lists arrive
# unauthenticated; each line is validated below before it reaches ufw)
REMOTE="http://www.ipdeny.com/ipblocks/data/countries"

# Wipe-out all the rules (this also disables ufw until it is enabled again below)
$UFW --force reset
# Allow outgoing traffic
$UFW default allow outgoing
# Block all incoming connections
$UFW default deny incoming
# Allow SSH connections
$UFW allow ssh
# Or allow SSH connection from your ip(s) only
# $UFW allow from x.x.x.x to any port 22 proto tcp
# Or allow SSH connections from your entire subnet
# $UFW allow from x.x.x.x/y to any port 22 proto tcp

# Create zone directory
[ ! -d "$ZONE_ROOT" ] && /bin/mkdir -p "$ZONE_ROOT"

# Loop through allowed countries
for COUNTRY in $ALLOW_COUNTRIES
do
    # Set zone file
    ZONE_FILE="$ZONE_ROOT/$COUNTRY.zone"
    # Download zone file; stop before enabling the firewall if the download
    # fails, otherwise the country would silently end up with no rules
    echo "${PRIMARY}GET: ${RESET}$COUNTRY.zone zone"
    if ! $WGET -O "$ZONE_FILE" "$REMOTE/$COUNTRY.zone" > /dev/null 2>&1; then
        echo "${ERROR}Error: ${RESET}could not download $COUNTRY.zone (ufw is still disabled after the reset; fix the download and re-run)"
        exit 1
    fi
    # Loop through allowed ips: keep only lines that look like IPv4 CIDR
    # blocks, which also drops the '#' comments and blank lines
    GOOD_IPS=$($EGREP '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$ZONE_FILE")
    for ip_block in $GOOD_IPS
    do
        # Allow IP address block
        echo "${SUCCESS}ALLOW: ${RESET}$ip_block IP block"
        $UFW allow from "$ip_block"
    done
done

# Enable UFW with new rules
$UFW --force enable
exit 0
@oli-ver
oli-ver commented Jan 9, 2021

Hello @dachinat, thanks for providing this script. I changed it a little bit to only allow certain ports. If I am not mistaken, this script would allow access to all ports for the selected country, right?
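
The per-port variant oli-ver describes, as an added example that is part of neither the gist nor the comment: it reads a zone file in the ipdeny format the script downloads (one CIDR per line, `#` comments and blank lines ignored), keeps only well-formed IPv4 blocks so a corrupted download cannot put a stray token on the `ufw` command line, and prints one `ufw allow from <block> to any port <port> proto tcp` rule per block and port, the same rule form the script's own SSH comments use. The zone text below is constructed for illustration, and the rules are printed rather than executed so they can be reviewed (or piped to `sh` as root) instead of being applied to all ports as the original loop does.

```shell
#!/bin/sh
# Added example (not from the original gist): per-port UFW allow rules built
# from an ipdeny-style .zone file. Sample zone content is constructed.

SAMPLE_ZONE='# constructed sample zone file
31.146.0.0/16

# another comment
37.110.16.0/21
not-a-cidr
2a00:1450::/32'

# Keep only lines shaped like an IPv4 CIDR block. This drops comments, blank
# lines, IPv6 lines and anything malformed, so only vetted text reaches ufw.
valid_ipv4_blocks() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Emit one "ufw allow" rule per (block, port) pair. $1 is a whitespace
# separated port list; the validated block list is read from stdin.
zone_to_rules() {
    ports="$1"
    while IFS= read -r block; do
        for port in $ports; do
            printf 'ufw allow from %s to any port %s proto tcp\n' "$block" "$port"
        done
    done
}

# Rules for the constructed sample, restricted to SSH and HTTPS.
rules_for_sample() {
    printf '%s\n' "$SAMPLE_ZONE" | valid_ipv4_blocks | zone_to_rules "22 443"
}

# Number of rules the sample produces (2 valid blocks x 2 ports = 4).
count_rules_for_sample() {
    rules_for_sample | wc -l | tr -d ' '
}

# Print the rules for review; apply them with: rules_for_sample | sudo sh
rules_for_sample
```

Swapping `SAMPLE_ZONE` for `cat "$ZONE_FILE"` and the port list for the services the host actually exposes turns this into a drop-in replacement for the inner loop of the gist.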
