Forked from Pandry/Firewalld GeoIP firewall script
Created
November 21, 2022 00:04
-
-
Save kiraitachi/ef303021f0e1b00e33ba3eb5114a377e to your computer and use it in GitHub Desktop.
Block countries IPs via Firewalld
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
## | |
# Name: GeoIP Firewall script | |
# Author: Pandry | |
# Version: 0.1.1 | |
# Description: This is a simple script that will set up a GeoIP firewall blocking all the zones excecpt the specified ones | |
# it is possible to add the whitelisted zones @ line 47 | |
# Additional notes: Usage of [iprange](https://github.com/firehol/iprange) is suggested | |
# for best performances | |
## | |
BLACKLIST_NAME="geoblacklist" | |
TMPDIR="/tmp/geoip" | |
if [ $(which yum) ]; then | |
echo -e "[\e[32mOK\e[39m] Detected a RHEL based environment!" | |
echo -e "[\e[93mDOING\e[39m] Making sure firewalld is installed..." | |
yum -y install firewalld > /dev/null 2> /dev/null | |
if [[ $? -eq 0 ]];then | |
echo -e "[\e[32mOK\e[39m] firewalld is installed!" | |
systemctl enable --now firewalld > /dev/null 2> /dev/null | |
else | |
echo -e "[\e[31mFAIL\e[39m] Couldn't install firewalld, aborting!" | |
exit 1 | |
fi | |
elif [ $(which apt) ]; then | |
echo -e "[\e[32mOK\e[39m] Detected a Debian based environment!" | |
echo -e "[\e[93mDOING\e[39m] Making sure firewalld is installed..." | |
apt -y install firewalld > /dev/null 2> /dev/null | |
if [[ $? -eq 0 ]];then | |
echo -e "[\e[32mOK\e[39m] firewalld is installed!" | |
systemctl enable --now firewalld > /dev/null 2> /dev/null | |
else | |
echo -e "[\e[31mFAIL\e[39m] Couldn't install firewalld, aborting!" | |
exit 1 | |
fi | |
elif [ $(which apk) ]; then | |
echo -e "[\e[31mFAIL\e[39m] Alpine Linux is not supported yet!" | |
exit 1 | |
else | |
echo -e "[\e[31mFAIL\e[39m] Couldn't determine the current OS, aborting!" | |
exit 1 | |
fi | |
#Create the blacklist (only if necessary) | |
#200k should be enough - $(find . -name "*.zone" | xargs wc -l) gives 184688 lines without the it zone | |
firewall-cmd --get-ipsets| grep "$BLACKLIST_NAME" > /dev/null 2> /dev/null | |
if [[ $? -ne 0 ]];then | |
echo -e "[\e[93mDOING\e[39m] Creating " | |
firewall-cmd --permanent --new-ipset="$BLACKLIST_NAME" --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000 > /dev/null 2> /dev/null | |
if [[ $? -eq 0 ]];then | |
echo -e "[\e[32mOK\e[39m] Blacklist $BLACKLIST_NAME successfully created!" | |
else | |
echo -e "[\e[31mFAIL\e[39m] Couldn't create the blacklist $BLACKLIST_NAME, aborting!" | |
exit 1 | |
fi | |
fi | |
#create the folder | |
mkdir -p $TMPDIR | |
#Downloads the GeoIP database | |
if [[ $? -eq 0 ]];then | |
echo -e "[\e[93mDOING\e[39m] Downloading latest ip database... " | |
curl -L -o $TMPDIR/geoip.tar.gz http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz > /dev/null 2> /dev/null | |
if [[ $? -eq 0 ]];then | |
echo -e "[\e[32mOK\e[39m] Database successfully downloaded!" | |
else | |
echo -e "[\e[31mFAIL\e[39m] Couldn't download the database, aborting!" | |
exit 1 | |
fi | |
else | |
echo -e "[\e[31mFAIL\e[39m] Couldn't create the $TMPDIR directory!" | |
exit 1 | |
fi | |
#Extract the zones in the database | |
tar -xzf $TMPDIR/geoip.tar.gz -C $TMPDIR | |
#Remove all the zones you want to allow | |
rm $TMPDIR/it.zone $TMPDIR/eu.zone | |
#Add the IPs to the blacklist | |
for f in $TMPDIR/*.zone; do | |
echo -e "[\e[93mDOING\e[39m] Adding lines from $f ..." | |
firewall-cmd --permanent --ipset="$BLACKLIST_NAME" --add-entries-from-file=$f > /dev/null | |
if [[ $? -eq 0 ]];then | |
echo -e "[\e[32mOK\e[39m] Added $f with no issues"; | |
else | |
echo -e "[\e[31mFAIL\e[39m] Some errors verified while adding the $f zone"; | |
fi | |
echo "" | |
done | |
# Drop the IPs | |
firewall-cmd --permanent --zone=drop --add-source="ipset:$BLACKLIST_NAME" > /dev/null | |
#Reload the firewall | |
firewall-cmd --reload | |
cd ~ | |
# Remove the traces | |
rm -rf /tmp/geoip |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment