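#!/bin/bash

# blackholes.us country based iptables blocker 0.4
#
# This script uses the following external programs
# aggregate <URL: http://freshmeat.net/projects/aggregate/ >
# cURL <URL: http://curl.haxx.se/ >
#
# Every country feed is downloaded, filtered and aggregated into a scratch
# directory first; the COUNTRY_BLOCK chain is flushed and rebuilt only after
# all transfers succeeded, so a failed or truncated download leaves the
# existing chain as it was instead of half-emptying it.

set -euo pipefail

# Countries to block (whitespace-separated list, split on purpose below)
COUNTRIES="argentina brazil china hongkong japan korea malaysia nigeria russia singapore taiwan thailand"

# Program paths
AGGREGATE="/usr/bin/aggregate"
CURL="/usr/bin/curl"
IPTABLES="/sbin/iptables"

# Logging: 1 = add a rate-limited LOG rule in front of every DROP rule
COUNTRY_LOG=1

# Feed location.  The feed is retrieved over plain, unauthenticated HTTP, so
# each entry is checked against CIDR_RE before it becomes an iptables argument;
# anything that is not an IPv4 address or IPv4/prefix network is dropped.
FEED_BASE="http://www.blackholes.us/zones/country"
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download one country feed and aggregate it into a file.
# Globals:   CURL, AGGREGATE, FEED_BASE, CIDR_RE (read)
# Arguments: $1 - country name as used in the feed URL
#            $2 - output file, one network per line
# Returns:   0 on success; 1 on a transfer error or when no entry
#            survived validation (an empty feed is treated as an error)
#######################################
fetch_country() {
  local country=$1 outfile=$2
  local raw rv=0
  raw=$(mktemp) || return 1
  # -f turns HTTP errors into a non-zero exit, -sS stays quiet except for errors
  if ! "$CURL" -fsS -o "$raw" -- "$FEED_BASE/$country.txt"; then
    rm -f -- "$raw"
    return 1
  fi
  # strip comments, keep the second column, skip lines without one,
  # then accept only well-formed IPv4 addresses/networks
  sed -e 's/#.*//' < "$raw" \
    | awk 'NF >= 2 {print $2}' \
    | grep -E -- "$CIDR_RE" \
    | "$AGGREGATE" > "$outfile" || rv=$?
  rm -f -- "$raw"
  if (( rv != 0 )) || [[ ! -s "$outfile" ]]; then
    return 1
  fi
  return 0
}

#######################################
# Append the rules for one country to the COUNTRY_BLOCK chain.
# Globals:   IPTABLES, COUNTRY_LOG (read)
# Arguments: $1 - country name, used as the log prefix
#            $2 - file with one validated network per line
# Returns:   non-zero if an iptables call fails
#######################################
install_country() {
  local country=$1 file=$2
  local mask
  while IFS= read -r mask; do
    [[ -n "$mask" ]] || continue
    if [[ "$COUNTRY_LOG" == "1" ]]; then
      "$IPTABLES" -A COUNTRY_BLOCK -s "$mask" -m limit --limit 60/h --limit-burst 1 \
        -j LOG --log-level info --log-prefix "$country: "
    fi
    "$IPTABLES" -A COUNTRY_BLOCK -s "$mask" -j DROP
  done < "$file"
}

main() {
  local country
  # not 'local': the EXIT trap runs after main has returned
  workdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${workdir:?}"' EXIT

  # Stage 1: fetch everything; abort before touching iptables on any failure
  # shellcheck disable=SC2086 -- COUNTRIES is a deliberate word list
  for country in $COUNTRIES; do
    fetch_country "$country" "$workdir/$country" \
      || die "transfer or parse error for feed '$country'; COUNTRY_BLOCK left unchanged"
  done

  # Stage 2: rebuild the chain.  -X only deletes an empty chain, so flush
  # first; both may fail on the very first run when the chain does not exist.
  "$IPTABLES" -F COUNTRY_BLOCK 2>/dev/null || true
  "$IPTABLES" -X COUNTRY_BLOCK 2>/dev/null || true
  "$IPTABLES" -N COUNTRY_BLOCK

  # shellcheck disable=SC2086 -- COUNTRIES is a deliberate word list
  for country in $COUNTRIES; do
    install_country "$country" "$workdir/$country"
  done
}

main "$@"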

# Copyright (c) 2003 Toni Viemerö <toni.viemero@iki.fi>
# BSD license