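#!/bin/bash
#
# Fetch the remote firewall blacklist files and rebuild the matching ipset
# sets and iptables INPUT DROP rules whenever the remote "run_status" marker
# says something changed.
#
# Everything is relative to the current working directory:
#   run_status        - remote marker; anything but 'no change' triggers an update
#   ipset_file_list   - remote list of blacklist file names (whitespace separated)
#   <FILE>            - one blacklist file per ipset; the set is named after the file
#   backup-blacklist/ - previous copy of each blacklist file
#
# Blacklist file format: one IP or CIDR per line; text after '#' is a comment.
# Needs root for iptables/ipset.

set -uo pipefail

readonly BASE_URL='https://rocky.advalgo.com/server_builds/firewall'
readonly IPTABLES=/usr/sbin/iptables
readonly IPSET=/usr/sbin/ipset
readonly BACKUP_DIR='backup-blacklist'

# Name of the blacklist file / ipset set currently being processed. Written by
# update_blacklist_files and read by rebuild_blacklist when no argument is
# given (kept global so existing callers keep working).
FIREWALL_BLACKLIST=${FIREWALL_BLACKLIST:-}

#######################################
# Check that a file name taken from the remote list is a plain relative name
# that cannot leave the working directory or be read as an option by
# mv/wget/ipset/iptables.
# Arguments: $1 - candidate file name
# Returns:   0 if the name is safe to use, 1 otherwise
#######################################
is_safe_name() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]
}

#######################################
# Strip the trailing '#' comment and surrounding whitespace from one
# blacklist line (pure parameter expansion; no temp file, no subprocess).
# Arguments: $1 - raw line from the blacklist file
# Outputs:   the cleaned entry on stdout; empty for blank/comment-only lines
#######################################
clean_entry() {
  local entry=${1%%#*}                        # drop everything from the first '#'
  entry=${entry#"${entry%%[![:space:]]*}"}    # trim leading whitespace
  entry=${entry%"${entry##*[![:space:]]}"}    # trim trailing whitespace
  printf '%s' "$entry"
}

#######################################
# Recreate the ipset named after a blacklist file from that file, then
# (re)attach the INPUT DROP rule for tcp/80,443 that matches the set.
# Globals:   FIREWALL_BLACKLIST (read when $1 is not given), IPTABLES, IPSET
# Arguments: $1 - optional set/file name; defaults to FIREWALL_BLACKLIST
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success; 1 if the name is unsafe, the file is missing, the
#            set cannot be created or the rule cannot be installed
#######################################
rebuild_blacklist() {
  local set_name=${1:-$FIREWALL_BLACKLIST}
  local -a rule=(INPUT -p tcp -m set --match-set "$set_name" src
                 -m multiport --dports 80,443 -j DROP)
  local line entry added=0 skipped=0

  if ! is_safe_name "$set_name"; then
    printf 'Refusing unsafe set name: %q\n' "$set_name" >&2
    return 1
  fi
  if [[ ! -f "$set_name" ]]; then
    printf 'Blacklist file %s not found\n' "$set_name" >&2
    return 1
  fi

  echo "Empty $set_name"
  # A single -D removes only one copy of the rule; loop until none is left,
  # otherwise duplicates accumulate and the set cannot be destroyed while a
  # rule still references it.
  while "$IPTABLES" -D "${rule[@]}" 2>/dev/null; do :; done
  # The set does not exist yet on the first run; destroying and recreating it
  # guarantees no stale entries survive.
  "$IPSET" -X "$set_name" 2>/dev/null || true
  "$IPSET" -N "$set_name" hash:net -exist || return 1

  echo "Rebuilding $set_name"
  # '|| [[ -n "$line" ]]' keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    entry=$(clean_entry "$line")
    [[ -n "$entry" ]] || continue
    echo "Adding $entry"
    if "$IPSET" -A "$set_name" "$entry" -exist; then
      added=$((added + 1))
    else
      # ipset rejects the entry (not an IP/CIDR); report and keep going so a
      # single bad line does not lose the rest of the list.
      printf 'Skipping invalid entry: %q\n' "$entry" >&2
      skipped=$((skipped + 1))
    fi
  done < "$set_name"
  echo "Loaded $added entries into $set_name ($skipped skipped)"

  echo "Adding $set_name to iptables INPUT DROP"
  "$IPTABLES" -A "${rule[@]}"
}

#######################################
# Download the list of blacklist files, then fetch and apply each one. The
# previous copy of a file is moved to BACKUP_DIR first; when a download fails
# the ipset already loaded in the kernel is left untouched.
# Globals:   FIREWALL_BLACKLIST (written), BASE_URL, BACKUP_DIR
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 if every listed file was updated, 1 otherwise
#######################################
update_blacklist_files() {
  local file status=0
  local -a files=()

  rm -f -- ipset_file_list
  if ! wget "$BASE_URL/ipset_file_list"; then
    echo 'Download of ipset_file_list failed; keeping current lists.' >&2
    return 1
  fi
  # Split the whole file on whitespace (same shape as the original word
  # list) without globbing the names; read returns 1 at EOF, which is fine.
  read -r -d '' -a files < ipset_file_list || true
  if (( ${#files[@]} == 0 )); then
    echo 'ipset_file_list is empty; nothing to update.' >&2
    return 1
  fi

  for file in "${files[@]}"; do
    # The list is remote input: never let it name paths outside the working
    # directory or strings that look like command options.
    if ! is_safe_name "$file"; then
      printf 'Skipping unsafe file name from remote list: %q\n' "$file" >&2
      status=1
      continue
    fi
    if [[ -f "$file" ]]; then
      mkdir -p -- "$BACKUP_DIR"
      mv -f -- "$file" "$BACKUP_DIR/"
    fi
    if wget "$BASE_URL/ipset_files/$file"; then
      FIREWALL_BLACKLIST=$file
      echo "Updating from new $file..."
      rebuild_blacklist "$file" || status=1
    else
      FIREWALL_BLACKLIST="$BACKUP_DIR/$file"
      echo "Download of update $file failed leaving current list intact." >&2
      status=1
    fi
  done
  return "$status"
}

#######################################
# Entry point: fetch run_status and run the update when it is not 'no change'.
# Globals:   BASE_URL
# Outputs:   run status and progress on stdout, failures on stderr
# Returns:   exits 0 on success, 1 if run_status could not be fetched or any
#            list failed to update
#######################################
main() {
  local this_run exit_code=0

  rm -f -- run_status
  # Same TLS endpoint as the list and ipset files: a cleartext fetch would let
  # the update trigger be altered in transit.
  if ! wget "$BASE_URL/run_status"; then
    echo 'Download of run_status failed; not updating.' >&2
    exit 1
  fi
  this_run=$(< run_status)
  if [[ "$this_run" != 'no change' ]]; then
    printf '%s\n' "$this_run"
    update_blacklist_files || exit_code=1
  fi
  echo "Done! Finished! Completed! Resolved! Ended! run status $this_run"
  exit "$exit_code"
}

main "$@"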