@sideup66
Created June 16, 2022 02:00
GeoIP block using ipsets. The script was originally derived from an old thread on the dd-wrt forums, located here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=280462&postdays=0&postorder=asc&start=0
#!/bin/sh
set -x
## Verify the network is up before continuing (sleep between tries instead of busy-looping)
until ping -c1 www.google.com >/dev/null 2>&1; do sleep 5; done
### Block all traffic from the listed countries. Use the ISO code (ipdeny zone file name) ###
ISO="br-aggregated cn-aggregated tw-aggregated ru-aggregated ir-aggregated ph-aggregated sg-aggregated hk-aggregated ua-aggregated ge-aggregated cz-aggregated in-aggregated ke-aggregated za-aggregated id-aggregated kh-aggregated vn-aggregated rs-aggregated tr-aggregated al-aggregated bg-aggregated kr-aggregated"
#Testing
#ISO="tw-aggregated"
### Set PATH ###
IPT=/usr/sbin/ipset
WGET=/usr/bin/wget
EGREP=/bin/egrep
LOCKFILE=/tmp/ipblocklock.txt
### No editing below ###
inSPAMLIST="countrydrop"
ZONEROOT="/tmp/mnt/sda1/ipblock/zones"
DLROOT="http://www.ipdeny.com/ipblocks/data/aggregated"
iBL="/tmp/mnt/sda1/ipblock/zones/countrydrop"
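# exit if another instance still holds the lock (the PID in the lock file is alive)
if [ -e "${LOCKFILE}" ] && kill -0 "$(cat "${LOCKFILE}")" 2>/dev/null; then
echo "Lock file exists, exiting"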
exit
fi
# make sure the lockfile is removed when we exit and then claim it
trap "rm -f ${LOCKFILE}; exit" INT TERM EXIT
echo $$ > ${LOCKFILE}
cleanOldRules(){
$IPT destroy $inSPAMLIST
}
# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT
# clean old rules
cleanOldRules
rm -f $iBL
for c in $ISO
do
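# local zone file
tDB=$ZONEROOT/$c.zone
# get fresh zone file (plain HTTP, so the content is not authenticated)
$WGET -T 30 -O "$tDB" "$DLROOT/$c.zone"
# keep only lines shaped like an IPv4 CIDR; anything else in the download is dropped
$EGREP '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' "$tDB" >> "$iBL"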
done
# sync to flush buffers
sync
# create the ipset now
$IPT create $inSPAMLIST hash:net
# add the entries in here
while read -r line
do
# add to the ipset
$IPT add $inSPAMLIST $line
done < "$iBL"
rm -f ${LOCKFILE}
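
The script above destroys the live set before rebuilding it, adds entries with one `ipset add` call each, and takes its input from zone files fetched over plain HTTP. As an added example (not part of the gist), the functions below validate every line as an IPv4 CIDR and emit `ipset restore` input that fills a temporary set and swaps it into place, so the block list is never empty during a reload; the `countrydrop_new` name and the minimum-entry threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist. LIVE_SET is the gist's set name;
# TMP_SET and the minimum-entry threshold are assumptions.
LIVE_SET="countrydrop"
TMP_SET="countrydrop_new"

# Print only well-formed IPv4 CIDRs (octets 0-255, prefix 0-32). HTML error
# pages, comments and any other unexpected text are dropped.
valid_cidrs() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        split($0, p, "[./]")
        if (p[1] <= 255 && p[2] <= 255 && p[3] <= 255 && p[4] <= 255 && p[5] <= 32)
            print
    }' "$@"
}

# Write `ipset restore` input to stdout. Returns 1 and prints nothing when
# fewer than $1 entries survive validation, so a failed or truncated
# download never replaces the live set.
build_restore() {
    min=$1; shift
    entries=$(valid_cidrs "$@" | sort -u)
    count=$(printf '%s\n' "$entries" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -ge "$min" ] || return 1
    echo "create $LIVE_SET hash:net"
    echo "create $TMP_SET hash:net"
    echo "flush $TMP_SET"
    printf '%s\n' "$entries" | sed "s|^|add $TMP_SET |"
    echo "swap $TMP_SET $LIVE_SET"
    echo "destroy $TMP_SET"
}

# Usage on the router (paths as in the gist):
#   build_restore 1000 /tmp/mnt/sda1/ipblock/zones/*.zone | ipset -exist restore
```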