liruqi/ipset-gen.py

## ipset-gen.py
# copied from: http://code.google.com/p/chnroutes/source/browse/trunk/chnroutes.py

import re
import urllib2
import sys
import argparse
import math
import json

def fetch_ip_data():
    #fetch data from apnic
    print "Fetching data from apnic.net, it might take a few minutes, please wait..."
    url=r'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
    data=urllib2.urlopen(url).read()

    cnregex=re.compile(r'apnic\|cn\|ipv4\|[0-9\.]+\|[0-9]+\|[0-9]+\|a.*',re.IGNORECASE)
    cndata=cnregex.findall(data)

    results=[]

    for item in cndata:
        unit_items=item.split('|')
        starting_ip=unit_items[3]
        num_ip=int(unit_items[4])

        imask=0xffffffff^(num_ip-1)
        #convert to string
        imask=hex(imask)[2:]
        mask=[0]*4
        mask[0]=imask[0:2]
        mask[1]=imask[2:4]
        mask[2]=imask[4:6]
        mask[3]=imask[6:8]

        #convert str to int
        mask=[ int(i,16 ) for i in mask]
        mask="%d.%d.%d.%d"%tuple(mask)

        #mask in *nix format
        mask2=32-int(math.log(num_ip,2))
        if (mask2 <= 16):
            results.append((starting_ip + "/%d")%mask2)

    return results

if __name__=='__main__':
    r = fetch_ip_data()
    s = "\n".join(r)
    print s

    open("iptables.conf", "w").write(s)


## ipset-gen.sh
python ipset-gen.py

echo '-N CHINA nethash --hashsize 20000 --probes 2' > CHINA.ip
cat iptables.conf |  awk '{print "-A CHINA " $1}' >> CHINA.ip
echo 'COMMIT' >> CHINA.ip

ipset -R < CHINA.ip

iptables -A OUTPUT -p tcp --dport 80 -m set --match-set CHINA dst -j REJECT
	# copied from: http://code.google.com/p/chnroutes/source/browse/trunk/chnroutes.py

	import re
	import urllib2
	import sys
	import argparse
	import math
	import json

	def fetch_ip_data():
	#fetch data from apnic
	print "Fetching data from apnic.net, it might take a few minutes, please wait..."
	url=r'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
	data=urllib2.urlopen(url).read()

	cnregex=re.compile(r'apnic\\|cn\\|ipv4\\|[0-9\.]+\\|[0-9]+\\|[0-9]+\\|a.*',re.IGNORECASE)
	cndata=cnregex.findall(data)

	results=[]

	for item in cndata:
	unit_items=item.split('\|')
	starting_ip=unit_items[3]
	num_ip=int(unit_items[4])

	imask=0xffffffff^(num_ip-1)
	#convert to string
	imask=hex(imask)[2:]
	mask=[0]*4
	mask[0]=imask[0:2]
	mask[1]=imask[2:4]
	mask[2]=imask[4:6]
	mask[3]=imask[6:8]

	#convert str to int
	mask=[ int(i,16 ) for i in mask]
	mask="%d.%d.%d.%d"%tuple(mask)

	#mask in *nix format
	mask2=32-int(math.log(num_ip,2))
	if (mask2 <= 16):
	results.append((starting_ip + "/%d")%mask2)

	return results

	if __name__=='__main__':
	r = fetch_ip_data()
	s = "\n".join(r)
	print s

	open("iptables.conf", "w").write(s)
	python ipset-gen.py

	echo '-N CHINA nethash --hashsize 20000 --probes 2' > CHINA.ip
	cat iptables.conf \| awk '{print "-A CHINA " $1}' >> CHINA.ip
	echo 'COMMIT' >> CHINA.ip

	ipset -R < CHINA.ip

	iptables -A OUTPUT -p tcp --dport 80 -m set --match-set CHINA dst -j REJECT