/
block-ipaddresses-by-country.sh
90 lines (77 loc) · 2.42 KB
/
block-ipaddresses-by-country.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/bin/bash
# internet-facing network interface
iface=eth0
# local port numbers to check for connections from unwanted IP addresses
ports=(22 3306 25060 443 80 5900 222)
# whitelisted country codes
whitelist=(CA EG KW)
if [[ $1 == '-v' ]]; then
debug=1
fi
# get foreign IP addresses from connections to our specified local port numbers
estconnsres=/tmp/estconns
netstat -tun | awk '{print $4":"$5}' | awk -F: '{print $1":"$2":"$3}' | tail -n+3 > ${estconnsres}
if [[ ${debug} == 1 ]]; then
echo "Foreign connections:"
cat ${estconnsres}
fi
estconnportres=/tmp/estconnportres
ipaddrs=()
for port in ${ports[@]}; do
if [[ ${debug} == 1 ]]; then
echo "Checking for port "${port}
fi
cat ${estconnsres} | grep ":${port}:" > ${estconnportres}
if [ -s ${estconnportres} ]; then
for entry in `cat ${estconnportres}`; do
if [[ ${debug} == 1 ]]; then
echo "Adding entry: "${entry}
fi
ipaddrs+=(`echo ${entry} | awk -F: '{print $3}'`)
done
fi
done
if [[ ${debug} == 1 ]]; then
echo "IP address list:"
for entry in ${ipaddrs[@]}; do
echo ${entry}
done
fi
whoisres=/tmp/whoisres
for ipaddr in ${ipaddrs[@]}; do
whois ${ipaddr} > ${whoisres}
# extract country code from whois result
country=`cat ${whoisres} | grep 'country:' | awk '{print $2}'`
# extract IP address range from whois result
inetnum=`cat ${whoisres} | grep 'inetnum:' | awk '{print $2"-"$4}'`
if [[ -z ${inetnum} ]]; then
inetnum=`cat ${whoisres} | grep 'NetRange:' | head -n 1 | awk '{print $2"-"$4}'`
fi
found=0
for entry in "${whitelist[@]}"; do
if [[ ${country} == ${entry} ]]; then
found=1
break
fi
done
if [[ ${found} == 1 ]]; then
if [[ ${debug} == 1 ]]; then
echo "Allowing ${ipaddr}"
fi
continue
fi
if [[ ${debug} == 1 ]]; then
echo "Blackist ${ipaddr} in range ${inetnum}"
fi
if [[ ${found} -eq 0 && -n ${inetnum} ]]; then
res=`iptables -L INPUT | grep ${inetnum}`
if [[ -n ${res} ]]; then
echo "The following rule already exists:"
echo ${res}
else
# block using iptables
echo "Executing: iptables -A INPUT -i ${iface} -m iprange --src-range ${inetnum} -j DROP"
iptables -A INPUT -i ${iface} -m iprange --src-range ${inetnum} -j DROP
fi
fi
done