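#!/bin/bash
# This script adds entire countries to your iptables firewall blacklist! Use with care!
# Use at your own peril!
# Jim Kerr jim@advalgo.com
#
# Functions for this bash:
#   update_all_country_code_files
#   add_country_to_blacklist
#
# Files (relative to the current working directory):
#   all_country_codes            whitespace-separated country codes; fetched from
#                                rocky.advalgo.com when missing
#   backup-zones/<cc>-aggregated.zone
#                                per-country IPv4 CIDR list from ipdeny.com,
#                                re-downloaded when older than ZONE_MAX_AGE_DAYS
#
# Environment (all optional):
#   BLOCK_COUNTRIES    whitespace-separated subset of codes to block; when unset
#                      every code in all_country_codes is blocked (the original
#                      behaviour, which blocks nearly the whole internet)
#   ZONE_MAX_AGE_DAYS  age in days after which a zone file is refreshed (default 9)
#
# Needs root: ipset/iptables change kernel state. Both downloads are plain HTTPS
# fetches with no further authenticity check, so every value taken from them is
# validated before it is used as a filename, URL, ipset name or ipset entry.

readonly ZONE_DIR="backup-zones"
readonly CODES_FILE="all_country_codes"
readonly CODES_URL="https://rocky.advalgo.com/server_builds/firewall/all_country_codes"
readonly ZONE_BASE_URL="https://www.ipdeny.com/ipblocks/data/aggregated"
ZONE_MAX_AGE_DAYS=${ZONE_MAX_AGE_DAYS:-9}

#######################################
# Print a diagnostic to stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Download URL to DEST atomically: the transfer goes to a temp file next to
# DEST and only replaces DEST on success, so a failed run never leaves a
# truncated or empty file behind (plain 'wget -O' would, and an empty
# all_country_codes would then be treated as "present" on the next run).
# Arguments: $1 - destination path
#            $2 - URL
# Returns:   0 on success, 1 on failure
#######################################
download_to() {
  local dest=$1 url=$2
  local tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  if wget -q -O "$tmp" -- "$url" && mv -f -- "$tmp" "$dest"; then
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# True when $1 is a two-letter country code. This is the only shape accepted
# from all_country_codes / BLOCK_COUNTRIES because the code is spliced into
# paths, URLs and ipset names.
# Arguments: $1 - candidate code
#######################################
is_country_code() {
  [[ "$1" =~ ^[A-Za-z]{2}$ ]]
}

#######################################
# True when $1 looks like an IPv4 address or CIDR block. Every zone-file line
# must pass this before it is handed to ipset.
# Arguments: $1 - candidate network
#######################################
is_ipv4_cidr() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]
}

#######################################
# Print the validated country codes from all_country_codes, one per line.
# Codes that fail is_country_code are reported on stderr and skipped.
# Outputs: codes on stdout
# Returns: 1 if the codes file is missing
#######################################
read_country_codes() {
  [[ -f "$CODES_FILE" ]] || return 1
  local -a raw=()
  # -d '' reads up to EOF; default IFS (space/tab/newline) splits into words.
  # read returns non-zero at EOF even though the array is filled.
  read -r -d '' -a raw < "$CODES_FILE" || true
  local code
  for code in "${raw[@]}"; do
    if is_country_code "$code"; then
      printf '%s\n' "$code"
    else
      warn "Ignoring invalid country code '$code' in $CODES_FILE"
    fi
  done
}

#######################################
# Print the age of a file in whole days (mtime vs now, via 'date -r').
# Arguments: $1 - file path
# Outputs:   integer day count on stdout
# Returns:   1 if date fails
#######################################
file_age_days() {
  local now mtime
  now=$(date +%s) || return 1
  mtime=$(date -r "$1" +%s) || return 1
  echo $(( (now - mtime) / 86400 ))
}

#######################################
# Fetch one aggregated zone file from ipdeny into backup-zones/.
# Arguments: $1 - zone file name, e.g. "us-aggregated.zone"
# Returns:   0 on success, 1 on failure (previous copy, if any, is kept)
#######################################
download_zone() {
  local zone_file=$1
  if download_to "${ZONE_DIR}/${zone_file}" "${ZONE_BASE_URL}/${zone_file}"; then
    echo "Download Country IP Blocks for $zone_file successful!"
  else
    warn "Download for $zone_file failed."
    return 1
  fi
}

#######################################
# Ensure backup-zones/ exists, all_country_codes is present (downloading it if
# not) and each country's aggregated zone file is present and no older than
# ZONE_MAX_AGE_DAYS. A failed zone download keeps the previous copy.
# Globals:  ZONE_DIR, CODES_FILE, CODES_URL, ZONE_MAX_AGE_DAYS (read)
# Exits:    1 when the directory or the country codes cannot be obtained
#######################################
update_all_country_code_files() {
  if [[ -d "$ZONE_DIR" ]]; then
    echo "$ZONE_DIR directory present"
  else
    mkdir -p -- "$ZONE_DIR" || { warn "Cannot create $ZONE_DIR"; exit 1; }
  fi

  if [[ -f "$CODES_FILE" ]]; then
    echo "$CODES_FILE present."
  elif download_to "$CODES_FILE" "$CODES_URL"; then
    echo "All country codes collected."
  else
    warn "Getting all country codes failed."
    exit 1
  fi

  local cc zone_file zone_path age
  while IFS= read -r cc; do
    zone_file="${cc}-aggregated.zone"
    zone_path="${ZONE_DIR}/${zone_file}"
    echo "Checking $zone_file"
    if [[ -f "$zone_path" ]]; then
      # If the age cannot be determined, treat the file as stale.
      age=$(file_age_days "$zone_path") || age=$(( ZONE_MAX_AGE_DAYS + 1 ))
      echo "$zone_file is $age day(s) old"
      if (( age > ZONE_MAX_AGE_DAYS )); then
        download_zone "$zone_file"
      fi
    else
      download_zone "$zone_file"
    fi
  done < <(read_country_codes)
}

#######################################
# Load a country's zone file into ipset block_<cc> and point an INPUT DROP rule
# at it. All previous rules for the set are removed first so re-running does not
# stack duplicates; the set is flushed and refilled so dropped ranges go away.
# Arguments: $1 - country code
#            $2 - path to its aggregated zone file
#            (both fall back to the globals COUNTRY / BACKUP_FILE for old callers)
# Returns:   0 on success, 1 if ipset or iptables failed
#######################################
add_country_to_blacklist() {
  local country=${1:-$COUNTRY}
  local zone_path=${2:-$BACKUP_FILE}
  local set_name="block_${country}"

  echo "Deleting ipset $set_name"
  # -D removes one matching rule per call; loop until none remain. The loop
  # ends at once when the set (and therefore the rule) does not exist yet.
  while iptables -D INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null; do
    :
  done

  echo "Setting new $set_name"
  ipset -N "$set_name" hash:net -exist || { warn "Cannot create ipset $set_name"; return 1; }
  ipset -F "$set_name" || { warn "Cannot flush ipset $set_name"; return 1; }

  echo "Creating ipset for $set_name"
  local net
  # One 'ipset restore' instead of one ipset process per network. Every line is
  # validated first so nothing but an IPv4 CIDR is passed through; blank lines,
  # comments and CRLF endings from the download are tolerated.
  if ! {
    while IFS= read -r net || [[ -n "$net" ]]; do
      net=${net%$'\r'}
      [[ -z "$net" || "$net" == \#* ]] && continue
      if is_ipv4_cidr "$net"; then
        printf 'add %s %s\n' "$set_name" "$net"
      else
        warn "Skipping invalid entry '$net' in $zone_path"
      fi
    done < "$zone_path"
  } | ipset -exist restore; then
    warn "Loading $zone_path into ipset $set_name failed"
    return 1
  fi

  printf '%s' "Blocking $country with iptables..."
  if iptables -I INPUT -m set --match-set "$set_name" src -j DROP; then
    echo "Done!"
  else
    echo
    warn "iptables rule for $set_name could not be inserted"
    return 1
  fi
}

#######################################
# Entry point: refresh zone files, then block every selected country.
# Globals:  BLOCK_COUNTRIES (read, optional), ZONE_DIR, CODES_FILE (read)
# Exits:    1 when no country codes are available
#######################################
main() {
  # Check for backup-zones directory and refresh downloads:
  update_all_country_code_files

  local -a countries=()
  local code
  if [[ -n "${BLOCK_COUNTRIES:-}" ]]; then
    # Intentional word-splitting of the whitespace-separated env var.
    for code in $BLOCK_COUNTRIES; do
      if is_country_code "$code"; then
        countries+=("$code")
      else
        warn "Ignoring invalid country code '$code' in BLOCK_COUNTRIES"
      fi
    done
  elif [[ -f "$CODES_FILE" ]]; then
    mapfile -t countries < <(read_country_codes)
  else
    warn "Country codes file all_country_codes is not present. Unable to block countries."
    exit 1
  fi

  local country zone_path
  for country in "${countries[@]}"; do
    zone_path="${ZONE_DIR}/${country}-aggregated.zone"
    if [[ -f "$zone_path" ]]; then
      add_country_to_blacklist "$country" "$zone_path"
    else
      echo "Country file not found for $zone_path"
    fi
  done
}

main "$@"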