Untitled

#!/usr/bin/env bash
# Early check to ensure running as root.
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
  exit
fi
# Define a set of ips to block and specify ports.  Port Blocking not working
# Destroy if already exists
if (`/sbin/iptables -C INPUT -p all -m set --match-set geoblock src -j DROP 2>/dev/null`); then
    /sbin/iptables -D INPUT -p all -m set --match-set geoblock src -j DROP
fi
if ( `/sbin/iptables -C INPUT -p all -m set --match-set geoblock src -j LOG --log-prefix "geo deny: " 2>/dev/null`); then
    /sbin/iptables -D INPUT -p all -m set --match-set geoblock src -j LOG --log-prefix "geo deny: "
fi
if (`/sbin/ip6tables -C INPUT -p all -m set --match-set geoblock6 src -j DROP 2>/dev/null`); then
    /sbin/ip6tables -D INPUT -p all -m set --match-set geoblock6 src -j DROP
fi
if ( `/sbin/ip6tables -C INPUT -p all -m set --match-set geoblock6 src -j LOG --log-prefix "geo deny: " 2>/dev/null`); then
    /sbin/ip6tables -D INPUT -p all -m set --match-set geoblock6 src -j LOG --log-prefix "geo deny: "
fi

/sbin/ipset -q destroy geoblock
/sbin/ipset -q destroy geoblock6

# Now rebuild and reinstate blocks -- hast:net,port doesn't work
/sbin/ipset create geoblock hash:net
/sbin/ipset create geoblock6 hash:net family inet6
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone)
do
    # We be blocking
    /sbin/ipset add geoblock $IP
done
for IP in $(wget -O - http://www.ipdeny.com/ipv6/ipaddresses/aggregated/cn-aggregated.zone)
do
    # We be blocking
    /sbin/ipset add geoblock6 $IP
done

/sbin/iptables -I INPUT -p all -m set --match-set geoblock src -j DROP
/sbin/iptables -I INPUT -p all -m set --match-set geoblock src -j LOG --log-prefix "geo deny: "
/sbin/ip6tables -I INPUT -p all -m set --match-set geoblock6 src -j DROP
/sbin/ip6tables -I INPUT -p all -m set --match-set geoblock6 src -j LOG --log-prefix "geo deny: "