@toripiyo
Last active May 25, 2021 10:13
Block IP addresses by country
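#! /bin/bash
# set conf file path
IPTABLES_CONF='/etc/iptables/rules.v4'
# temporary iptables config file
# mktemp gives an unpredictable, mode-0600 name; abort if it fails instead of
# appending rules to an empty path
IPTABLES_CONFIG_TMP=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
# remove the temp file on every exit path
trap 'rm -f -- "$IPTABLES_CONFIG_TMP"' EXIT
# default rule: the *filter table header and its chains
#   INPUT          DROP   - drop input as default
#   OUTPUT         ACCEPT - allow all output
#   ACCEPT_COUNTRY        - allow specified country access
#   DROP_COUNTRY          - drop specified country access
#   LOGGING               - declared; no rule in this script references it
cat >> "$IPTABLES_CONFIG_TMP" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACCEPT_COUNTRY - [0:0]
:DROP_COUNTRY - [0:0]
:LOGGING - [0:0]
EOF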
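#######################################
# ACCEPT_COUNTRY_MAKE : allow access from specified country's ip addresses
# Globals:   IP_LIST (read), IPTABLES_CONFIG_TMP (appended), CHK_IP_LIST (appended)
# Arguments: $1 - country code exactly as it appears in column 1 of $IP_LIST
# Outputs:   appends one "-A ACCEPT_COUNTRY -s <cidr> -j ACCEPT" rule per range
#            (column 2) to $IPTABLES_CONFIG_TMP, and the matching source lines
#            to $CHK_IP_LIST
# Returns:   0 on success, 1 when the code is empty or $IP_LIST is unreadable
#######################################
ACCEPT_COUNTRY_MAKE(){
  local cc="$1"
  # an empty code must not silently match every line of the list
  if [ -z "$cc" ]; then
    printf 'ACCEPT_COUNTRY_MAKE: missing country code\n' >&2
    return 1
  fi
  if [ ! -r "$IP_LIST" ]; then
    printf 'ACCEPT_COUNTRY_MAKE: cannot read %s\n' "$IP_LIST" >&2
    return 1
  fi
  # exact match on column 1 (not a regex prefix), so the code is never
  # interpreted as a pattern and cannot match other codes as a prefix
  awk -v cc="$cc" '$1 == cc {print "-A ACCEPT_COUNTRY -s " $2 " -j ACCEPT"}' \
    "$IP_LIST" >> "$IPTABLES_CONFIG_TMP"
  awk -v cc="$cc" '$1 == cc' "$IP_LIST" >> "$CHK_IP_LIST"
}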
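#######################################
# DROP_COUNTRY_MAKE : drop access from specified country's ip addresses
# Globals:   IP_LIST (read), IPTABLES_CONFIG_TMP (appended), CHK_IP_LIST (appended)
# Arguments: $1 - country code exactly as it appears in column 1 of $IP_LIST
# Outputs:   appends, per range (column 2), a rate-limited LOG rule with prefix
#            "DROP:" followed by a DROP rule to $IPTABLES_CONFIG_TMP, and the
#            matching source lines to $CHK_IP_LIST
# Returns:   0 on success, 1 when the code is empty or $IP_LIST is unreadable
#######################################
DROP_COUNTRY_MAKE(){
  local cc="$1"
  # an empty code must not silently match every line of the list
  if [ -z "$cc" ]; then
    printf 'DROP_COUNTRY_MAKE: missing country code\n' >&2
    return 1
  fi
  if [ ! -r "$IP_LIST" ]; then
    printf 'DROP_COUNTRY_MAKE: cannot read %s\n' "$IP_LIST" >&2
    return 1
  fi
  # exact match on column 1 (not a regex prefix); the LOG rule precedes the
  # DROP rule for each range so the drop is recorded before it takes effect
  awk -v cc="$cc" '$1 == cc {
      print "-A DROP_COUNTRY -s " $2 " -m limit --limit 1/s -j LOG --log-prefix \"DROP:\""
      print "-A DROP_COUNTRY -s " $2 " -j DROP"
    }' "$IP_LIST" >> "$IPTABLES_CONFIG_TMP"
  awk -v cc="$cc" '$1 == cc' "$IP_LIST" >> "$CHK_IP_LIST"
}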
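# Get a file that contains IP address list for each country
# NOTE(review): both files live in world-writable /tmp and are shared with the
# update script. An unprivileged local user who pre-creates $IP_LIST decides
# which ranges end up in the ACCEPT/DROP chains; a root-owned directory would
# close that. The paths are kept because the companion script depends on them.
IP_LIST=/tmp/cidr.txt
CHK_IP_LIST=/tmp/IPLIST
# Download only when the list is missing or empty. Fetch and decompress into
# temp files first: a plain "gunzip -c > $IP_LIST" truncates the list when the
# download has failed, and with INPUT defaulting to DROP an empty list produces
# no ACCEPT rule at all.
if [ ! -s "$IP_LIST" ]; then
  # NOTE(review): plain HTTP with no checksum or signature — the transport gives
  # no integrity guarantee for data that becomes firewall policy.
  CIDR_GZ=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
  CIDR_TXT=$(mktemp) || { printf 'mktemp failed\n' >&2; rm -f -- "$CIDR_GZ"; exit 1; }
  if ! wget -q -O "$CIDR_GZ" http://nami.jp/ipv4bycc/cidr.txt.gz; then
    printf 'download of cidr.txt.gz failed; %s not created\n' "$IP_LIST" >&2
    rm -f -- "$CIDR_GZ" "$CIDR_TXT" "$IPTABLES_CONFIG_TMP"
    exit 1
  fi
  if ! gunzip -c "$CIDR_GZ" > "$CIDR_TXT" || [ ! -s "$CIDR_TXT" ]; then
    printf 'cidr.txt.gz did not decompress to a non-empty list\n' >&2
    rm -f -- "$CIDR_GZ" "$CIDR_TXT" "$IPTABLES_CONFIG_TMP"
    exit 1
  fi
  rm -f -- "$CIDR_GZ"
  # rename into place instead of writing through the path, so a pre-existing
  # symlink at $IP_LIST is replaced rather than followed
  mv -f -- "$CIDR_TXT" "$IP_LIST"
fi
rm -f -- "$CHK_IP_LIST"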
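# allow access from Japan
ACCEPT_COUNTRY_MAKE JP
# Refuse to load a policy with no ACCEPT rule: INPUT defaults to DROP, so an
# empty or stale $IP_LIST would otherwise cut off every remote client.
if ! grep -q '^-A ACCEPT_COUNTRY ' "$IPTABLES_CONFIG_TMP"; then
  printf 'no ACCEPT_COUNTRY rules generated from %s; iptables left unchanged\n' "$IP_LIST" >&2
  rm -f -- "$IPTABLES_CONFIG_TMP"
  exit 1
fi
printf '%s\n' "-A INPUT -j ACCEPT_COUNTRY" >> "$IPTABLES_CONFIG_TMP"
# NOTE(review): with the INPUT policy at DROP and no rule for "-i lo" or for
# ESTABLISHED/RELATED state, loopback traffic and replies to this host's own
# outbound connections from sources outside the accepted country are dropped
# too — confirm this is intended.
# record and drop access from top 6 countries that attack national police facilities (except US and Japan)
# last week: http://www.npa.go.jp/cyberpolice/detect/observation.html
# last month: https://www.npa.go.jp/cyberpolice/detect/
for cc in CN KR VN TW BR RU; do
  DROP_COUNTRY_MAKE "$cc"
done
printf '%s\n' "-A INPUT -j DROP_COUNTRY" >> "$IPTABLES_CONFIG_TMP"
printf '%s\n' "COMMIT" >> "$IPTABLES_CONFIG_TMP"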
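# load iptables configuration
# https://serverfault.com/questions/69510/i-have-a-file-with-all-the-iptable-settings-how-do-i-load-this-into-my-server
# Persist the ruleset only when the kernel accepted it: an unconditional
# iptables-save would mask a failed restore behind a successful-looking run.
if ! iptables-restore < "$IPTABLES_CONFIG_TMP"; then
  printf 'iptables-restore rejected the generated rules; %s left unchanged\n' "$IPTABLES_CONF" >&2
  rm -f -- "$IPTABLES_CONFIG_TMP"
  exit 1
fi
rm -f -- "$IPTABLES_CONFIG_TMP"
# save iptables configuration
# write to a sibling file and rename, so a failed iptables-save cannot leave a
# truncated $IPTABLES_CONF behind
if iptables-save > "$IPTABLES_CONF.tmp"; then
  mv -f -- "$IPTABLES_CONF.tmp" "$IPTABLES_CONF"
else
  printf 'iptables-save failed; %s left unchanged\n' "$IPTABLES_CONF" >&2
  rm -f -- "$IPTABLES_CONF.tmp"
  exit 1
fi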
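#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# set the value of difference check threshold
# http://centossrv.com/bbshtml/webpatio/1592.shtml
SABUN_CHK=50
if [ $# -ne 0 ]; then
  # the threshold is used in integer tests (-ne / -gt), so reject anything that
  # is not a non-negative integer up front instead of failing mid-run
  case "$1" in
    ''|*[!0-9]*)
      printf 'usage: %s [threshold]\n' "${0##*/}" >&2
      exit 2
      ;;
  esac
  SABUN_CHK=$1
fi
# set variables
IP_LIST=/tmp/cidr.txt
CHK_IP_LIST=/tmp/IPLIST
# NOTE(review): resolved relative to the current working directory (from cron
# that is usually the invoking user's home), not relative to this script
IPTABLES_SCRIPT='country_iptables.sh'
MESSAGE="${IPTABLES_SCRIPT} not executed."
# NOTE(review): a Slack incoming-webhook URL is a credential. It can be supplied
# through the environment (the in-script value is only a fallback); keep it out
# of version control, "set -x" traces and process listings.
WEBHOOK_URL=${WEBHOOK_URL:-'https://hooks.slack.com/services/XXXXXX/XXXXXX/XXXXXX'}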
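# The previous list must exist: its country codes decide which ranges are kept.
if [ ! -s "$CHK_IP_LIST" ]; then
  printf '%s is missing or empty; run %s first\n' "$CHK_IP_LIST" "$IPTABLES_SCRIPT" >&2
  exit 1
fi
# obtain cidr.txt.gz file
# NOTE(review): plain HTTP with no checksum or signature — the transport gives
# no integrity guarantee for data that becomes firewall policy.
# Fetch and decompress into temp files and replace $IP_LIST only once a
# non-empty list decompressed cleanly: writing "gunzip -c > $IP_LIST" directly
# truncates the live list when the download has failed, and downloading into
# the working directory picks up a stale cidr.txt.gz left by an aborted run.
CIDR_GZ=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
CIDR_TXT=$(mktemp) || { printf 'mktemp failed\n' >&2; rm -f -- "$CIDR_GZ"; exit 1; }
if ! wget -q -O "$CIDR_GZ" http://nami.jp/ipv4bycc/cidr.txt.gz; then
  printf 'download of cidr.txt.gz failed; %s left unchanged\n' "$IP_LIST" >&2
  rm -f -- "$CIDR_GZ" "$CIDR_TXT"
  exit 1
fi
if ! gunzip -c "$CIDR_GZ" > "$CIDR_TXT" || [ ! -s "$CIDR_TXT" ]; then
  printf 'cidr.txt.gz did not decompress to a non-empty list; %s left unchanged\n' "$IP_LIST" >&2
  rm -f -- "$CIDR_GZ" "$CIDR_TXT"
  exit 1
fi
rm -f -- "$CIDR_GZ"
mv -f -- "$CIDR_TXT" "$IP_LIST"
# create a new file that contains IP address list of each country
# NOTE(review): IPLIST.new is relative to the current working directory
rm -f IPLIST.new
# word-splitting on the awk output is intended: one country code per word.
# uniq only collapses adjacent duplicates, which is enough because the list is
# appended one country at a time.
for country in $(awk '{print $1}' "$CHK_IP_LIST" | uniq); do
  # exact match on column 1, so a code is never treated as a regex or a prefix
  awk -v cc="$country" '$1 == cc' "$IP_LIST" >> IPLIST.new
done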
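# IP address list update check
if diff -q "$CHK_IP_LIST" IPLIST.new > /dev/null 2>&1; then
  # nothing changed: drop the rebuilt list and leave the firewall alone
  rm -f IPLIST.new
else
  if [ "$SABUN_CHK" -ne 0 ]; then
    # count only diff's own "<" / ">" lines; a change larger than the threshold
    # is treated as suspicious (bad download, format change) and is not applied
    changed=$(diff "$CHK_IP_LIST" IPLIST.new | grep -c -E '^[<>]')
    if [ "$changed" -gt "$SABUN_CHK" ]; then
      # NOTE(review): the JSON payload is built by string concatenation. MESSAGE
      # is a constant here; any variable text added later must be JSON-escaped
      # before it is spliced in.
      curl -X POST --data-urlencode 'payload={"channel": "#alerts", "username": "alerts", "text": "'"${MESSAGE}"'", "icon_emoji": ":dog:"}' "${WEBHOOK_URL}"
      rm -f IPLIST.new
      # the alert is the outcome of this run; the exit status stays 0 as before
      exit 0
    fi
  fi
  mv -f IPLIST.new "$CHK_IP_LIST"
  # the script declares #!/bin/bash, so run it with bash rather than sh
  bash "${IPTABLES_SCRIPT}" > /dev/null
fi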