Block IP addresses by country with iptables: allow-list Japan, log and drop the top attacking countries, and re-apply automatically when the per-country CIDR list changes.
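#!/bin/bash
# Build an iptables INPUT policy from a per-country IPv4 prefix list:
# default-deny INPUT, ACCEPT the allow-listed countries, LOG+DROP selected
# others. Must run as root. The companion update script invokes this file
# with `sh`, so everything in it stays POSIX-sh compatible (no bashisms).
#
# CAUTION: with the INPUT DROP policy below, any source that no ACCEPT rule
# covers is unreachable -- including an administrator connecting from a
# country that is not in the allow list. Keep out-of-band console access
# available when deploying this.

# cron runs with a minimal PATH that usually lacks the sbin directories
# holding iptables-restore / iptables-save.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# A typo in a variable name must not silently expand to "" (e.g. writing the
# rule set to the current directory instead of the temp file).
set -u

# Where iptables-save persists the final rule set (loaded at boot by
# iptables-persistent / netfilter-persistent).
IPTABLES_CONF='/etc/iptables/rules.v4'

# The rule set is assembled in a private temp file and handed to
# iptables-restore in one go, so a half-written set never reaches the kernel.
IPTABLES_CONFIG_TMP=$(mktemp) || { echo "country_iptables: mktemp failed" >&2; exit 1; }
trap 'rm -f "$IPTABLES_CONFIG_TMP"' EXIT

# Table header, built-in chain policies and user chains.
{
  echo "*filter"
  echo ":INPUT DROP [0:0]"          # default-deny inbound
  echo ":OUTPUT ACCEPT [0:0]"       # all outbound allowed
  echo ":ACCEPT_COUNTRY - [0:0]"    # ACCEPT for allow-listed countries
  echo ":DROP_COUNTRY - [0:0]"      # LOG + DROP for deny-listed countries
  echo ":LOGGING - [0:0]"           # declared but not referenced by this script
  # Loopback and reply traffic must be accepted ahead of the country chains.
  # Without these two rules local services on 127.0.0.1 break, and replies to
  # this host's own outbound connections (DNS, package mirrors, ...) are
  # dropped by the INPUT policy whenever the peer is outside the allow list,
  # which makes the OUTPUT ACCEPT policy above mostly meaningless.
  # (Uses the conntrack match; on very old kernels use `-m state --state`.)
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
} >> "$IPTABLES_CONFIG_TMP"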
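# ACCEPT_COUNTRY_MAKE <CC>: append an ACCEPT rule to the rule set for every
# IPv4 prefix listed under country code CC, and record the matching list
# lines in $CHK_IP_LIST so the update script can detect later changes.
# Reads:  $IP_LIST (lines of "<CC> <prefix>"), $1 = two-letter country code
# Writes: appends to $IPTABLES_CONFIG_TMP and $CHK_IP_LIST
# The list comes off the network and its second field is written verbatim
# into the rule file, so only values shaped like an IPv4 address or CIDR
# prefix are emitted; anything else (including a line trying to smuggle
# extra iptables options) is skipped with a warning. The country code is
# matched against the whole first field, not as a prefix.
ACCEPT_COUNTRY_MAKE(){
  awk -v cc="$1" '
    $1 != cc { next }
    $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
      printf "-A ACCEPT_COUNTRY -s %s -j ACCEPT\n", $2
      next
    }
    { print "ACCEPT_COUNTRY_MAKE: skipping malformed entry: " $0 > "/dev/stderr" }
  ' "$IP_LIST" >> "$IPTABLES_CONFIG_TMP"
  awk -v cc="$1" '$1 == cc' "$IP_LIST" >> "$CHK_IP_LIST"
}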
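# DROP_COUNTRY_MAKE <CC>: append a rate-limited LOG rule followed by a DROP
# rule for every IPv4 prefix listed under country code CC, and record the
# matching list lines in $CHK_IP_LIST for the update script's change check.
# Reads:  $IP_LIST (lines of "<CC> <prefix>"), $1 = two-letter country code
# Writes: appends to $IPTABLES_CONFIG_TMP and $CHK_IP_LIST
# As in ACCEPT_COUNTRY_MAKE, the prefix is written verbatim into the rule
# file, so only IPv4 address / CIDR shaped values are accepted and the
# country code must match the whole first field.
DROP_COUNTRY_MAKE(){
  awk -v cc="$1" '
    $1 != cc { next }
    $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
      printf "-A DROP_COUNTRY -s %s -m limit --limit 1/s -j LOG --log-prefix \"DROP:\"\n", $2
      printf "-A DROP_COUNTRY -s %s -j DROP\n", $2
      next
    }
    { print "DROP_COUNTRY_MAKE: skipping malformed entry: " $0 > "/dev/stderr" }
  ' "$IP_LIST" >> "$IPTABLES_CONFIG_TMP"
  awk -v cc="$1" '$1 == cc' "$IP_LIST" >> "$CHK_IP_LIST"
}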
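# Source of the per-country IPv4 prefix list (one "<CC> <prefix>" per line).
# NOTE(security): fetched over plain HTTP with no signature or checksum, so
# anyone on the network path can choose what ends up in the ACCEPT and DROP
# chains. Prefer an https URL if the publisher offers one, or verify the file
# out of band before trusting it. Overridable through the environment.
IP_LIST_URL=${IP_LIST_URL:-http://nami.jp/ipv4bycc/cidr.txt.gz}
# Cached list, and the list lines this run was built from (the companion
# update script diffs against the latter). Both scripts must agree on these.
# NOTE(security): /tmp is world-writable; a local user can pre-create or
# symlink these names before root writes them, and a pre-existing cidr.txt is
# trusted as-is below. A root-owned directory such as
# /var/lib/country_iptables is the safer home for both files.
IP_LIST=${IP_LIST:-/tmp/cidr.txt}
CHK_IP_LIST=${CHK_IP_LIST:-/tmp/IPLIST}

# Report an error, discard the half-built rule set and exit without touching
# the live firewall.
bail(){
  echo "country_iptables: $1" >&2
  rm -f "$IPTABLES_CONFIG_TMP"
  exit 1
}

# Fetch the list only when no cached copy exists (the update script refreshes
# it). Download and decompress into private temp files and install the result
# only if it is non-empty: an empty list yields no ACCEPT rules, and under the
# INPUT DROP policy that is a total lockout.
if [ ! -f "$IP_LIST" ]; then
  gz_tmp=$(mktemp) || bail "mktemp failed"
  list_tmp=$(mktemp) || { rm -f "$gz_tmp"; bail "mktemp failed"; }
  if wget -q -O "$gz_tmp" "$IP_LIST_URL" \
     && gunzip -c "$gz_tmp" > "$list_tmp" \
     && [ -s "$list_tmp" ]; then
    rm -f "$gz_tmp"
    mv -f "$list_tmp" "$IP_LIST" || bail "could not install $IP_LIST"
  else
    rm -f "$gz_tmp" "$list_tmp"
    bail "download of $IP_LIST_URL failed; rules not changed"
  fi
fi

# Start a fresh record of the list lines feeding this run.
rm -f "$CHK_IP_LIST"

# Allow-list: Japan only. Any source not matched here ends in the INPUT DROP
# policy -- including administrators connecting from anywhere else.
ACCEPT_COUNTRY_MAKE JP
echo "-A INPUT -j ACCEPT_COUNTRY" >> "$IPTABLES_CONFIG_TMP"

# Log and drop the six countries (US and JP excluded) that the Japanese
# National Police Agency's observation pages report as the top attack
# sources. They would be dropped by the policy anyway; this chain adds the
# rate-limited log entry. The order is the order recorded in $CHK_IP_LIST,
# which the update script compares line by line, so keep it stable.
# last week: http://www.npa.go.jp/cyberpolice/detect/observation.html
# last month: https://www.npa.go.jp/cyberpolice/detect/
for cc in CN KR VN TW BR RU; do
  DROP_COUNTRY_MAKE "$cc"
done
echo "-A INPUT -j DROP_COUNTRY" >> "$IPTABLES_CONFIG_TMP"
echo "COMMIT" >> "$IPTABLES_CONFIG_TMP"

# Refuse a rule set with no ACCEPT entries (empty or malformed list, changed
# file format, wrong country code): applying it would lock everyone out.
grep -q '^-A ACCEPT_COUNTRY ' "$IPTABLES_CONFIG_TMP" \
  || bail "no ACCEPT_COUNTRY rules generated from $IP_LIST; rules not changed"

# iptables-restore applies the whole table in one commit, so a rejected set
# leaves the live rules as they were; only persist what the kernel accepted.
# https://serverfault.com/questions/69510/i-have-a-file-with-all-the-iptable-settings-how-do-i-load-this-into-my-server
iptables-restore < "$IPTABLES_CONFIG_TMP" \
  || bail "iptables-restore rejected the generated rule set; live rules unchanged"
rm -f "$IPTABLES_CONFIG_TMP"
iptables-save > "$IPTABLES_CONF" \
  || { echo "country_iptables: could not write $IPTABLES_CONF" >&2; exit 1; }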
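#!/bin/bash
# Refresh the per-country IPv4 prefix list and re-run country_iptables.sh
# when the entries for the countries currently in use have changed.
# Meant to run from root's cron.
#
# A change larger than a threshold is treated as suspicious (corrupt or
# truncated download, format change, hijacked source) and is reported to
# Slack instead of being applied, so a bad list cannot silently rewrite the
# firewall.
#
# Usage: <this script> [THRESHOLD]
#   THRESHOLD  maximum number of changed list lines that is applied without
#              asking; 0 disables the check. Default 50.
# Environment (optional): IP_LIST, CHK_IP_LIST, IP_LIST_URL, WEBHOOK_URL.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export PATH
set -u

# Change-size threshold ("sabun" = difference); must be a non-negative integer.
# http://centossrv.com/bbshtml/webpatio/1592.shtml
SABUN_CHK=50
if [ $# -ne 0 ]; then
  case "$1" in
    *[!0-9]*|'') echo "usage: ${0##*/} [THRESHOLD]   (THRESHOLD is a non-negative integer)" >&2; exit 2 ;;
    *) SABUN_CHK=$1 ;;
  esac
fi

# Files shared with country_iptables.sh; if you move them, move both scripts.
# NOTE(security): /tmp is world-writable, so a local user can pre-create or
# symlink these names before root writes them. A root-owned directory
# (e.g. under /var/lib) is the safer home.
IP_LIST=${IP_LIST:-/tmp/cidr.txt}
CHK_IP_LIST=${CHK_IP_LIST:-/tmp/IPLIST}
# NOTE(security): plain HTTP, no signature or checksum -- whatever arrives
# here ends up in the firewall's ACCEPT/DROP chains. Prefer an https source
# if the publisher offers one.
IP_LIST_URL=${IP_LIST_URL:-http://nami.jp/ipv4bycc/cidr.txt.gz}
# The rule-building script is resolved relative to this file, not to the
# current directory (which under cron is usually / or $HOME, where the old
# relative invocation silently failed).
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd) || exit 1
IPTABLES_SCRIPT='country_iptables.sh'
MESSAGE="${IPTABLES_SCRIPT} not executed."
# NOTE(security): the Slack webhook URL is a bearer secret; do not keep a real
# one in this file. Supply it through the environment (e.g. a root-only file
# sourced by the cron entry) and leave the placeholder below unused.
WEBHOOK_URL=${WEBHOOK_URL:-https://hooks.slack.com/services/XXXXXX/XXXXXX/XXXXXX}

# Post $1 to Slack. $1 is spliced into the JSON payload unescaped, so pass
# only the fixed messages defined in this script. Best effort: a failed post
# is reported on stderr and otherwise ignored.
notify() {
  curl -sS -X POST --data-urlencode 'payload={"channel": "#alerts", "username": "alerts", "text": "'"$1"'", "icon_emoji": ":dog:"}' "$WEBHOOK_URL" >/dev/null \
    || echo "slack notification failed" >&2
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT

# Download and decompress into the private work directory and replace the
# cached list only once the new copy is known to be non-empty. Writing
# straight to $IP_LIST turned any download failure into an empty list -- and,
# with the threshold at 0, into an empty ACCEPT chain, i.e. a lockout under
# the INPUT DROP policy. mv replaces the name atomically instead of writing
# through whatever currently sits at that path.
if ! wget -q -O "$work/cidr.txt.gz" "$IP_LIST_URL" \
   || ! gunzip -c "$work/cidr.txt.gz" > "$work/cidr.txt" \
   || [ ! -s "$work/cidr.txt" ]; then
  echo "download of $IP_LIST_URL failed; $MESSAGE" >&2
  notify "list download failed: ${MESSAGE}"
  exit 1
fi
mv -f "$work/cidr.txt" "$IP_LIST"

# With no record from a previous run there is nothing to compare; just
# (re)build the rules. Otherwise rebuild the per-country subset for exactly
# the countries recorded last time, in the same order, and diff it.
if [ -f "$CHK_IP_LIST" ]; then
  new_list="$work/IPLIST.new"
  : > "$new_list"
  # awk keeps first-seen order, which the line-by-line diff below relies on.
  for country in $(awk '!seen[$1]++ { print $1 }' "$CHK_IP_LIST"); do
    awk -v cc="$country" '$1 == cc' "$IP_LIST" >> "$new_list"
  done
  if cmp -s "$CHK_IP_LIST" "$new_list"; then
    exit 0   # nothing relevant changed
  fi
  if [ "$SABUN_CHK" -ne 0 ]; then
    # diff's "<" / ">" lines are the removed / added entries.
    changed=$(diff "$CHK_IP_LIST" "$new_list" | grep -Ec '^[<>]')
    if [ "$changed" -gt "$SABUN_CHK" ]; then
      echo "$changed changed lines exceed threshold $SABUN_CHK; $MESSAGE" >&2
      notify "$MESSAGE"
      exit 1
    fi
  fi
  mv -f "$new_list" "$CHK_IP_LIST"
fi
bash -- "$SCRIPT_DIR/$IPTABLES_SCRIPT" > /dev/null \
  || { echo "$IPTABLES_SCRIPT failed" >&2; exit 1; }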