template_iptables.sh: added rules to block countries netblocks via ipset

2019-03-04 22:59:39 +01:00 · 2019-03-04 22:59:39 +01:00 · 22c3c138ec
commit 22c3c138ec
parent 91e840746a
1 changed files with 21 additions and 8 deletions
--- a/template_iptables.sh
+++ b/template_iptables.sh
@ -22,20 +22,33 @@ check_error()
 trap check_error EXIT

 # Flush rules and set default rules
-$IPT -F
-$IPT -P INPUT DROP
-$IPT -P FORWARD DROP
-$IPT -P OUTPUT ACCEPT
+${IPT} -F
+${IPT} -P INPUT DROP
+${IPT} -P FORWARD DROP
+${IPT} -P OUTPUT ACCEPT

 # Set host sepcific rules
 ### Accept all data from "lo" interface
-$IPT -A INPUT -i lo -j ACCEPT
+${IPT} -A INPUT -i lo -j ACCEPT

 ### Accept all connections after the three-way handshake
-$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+### Block country zones
+if [ "${IPSET}" == "" ]; then
+        echo "No ipset command found. Skipping"
+else
+    for chain in $(${IPSET} list -name);
+    do if [ "${chain}" == "" ]; then
+	   echo "No ipset chain found. Skipping"
+       else
+	   ${IPT} -A INPUT -p tcp -m set --match-set ${chain} src -j DROP;
+       fi
+    done
+fi

 ### Services rules
 ##### Allow connections to the server main ip for SSH, MOSH and psyBNC
 ##### Use multiports extension to set more ports in a oneline rule
-$IPT -A INPUT -p tcp -d $MAINIP -m multiport --dports $DPORTSIN -j ACCEPT
-$IPT -A INPUT -p udp -d $MAINIP -m multiport --dports $MOSHIN -j ACCEPT
+${IPT} -A INPUT -p tcp -d ${MAINIP} -m multiport --dports ${DPORTSIN} -j ACCEPT
+${IPT} -A INPUT -p udp -d ${MAINIP} -m multiport --dports ${MOSHIN} -j ACCEPT