block_countries_iptables.sh

#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code ###
ISO="af cn th kr"

### Set PATH ###
IPT=/sbin/iptables
IPT_SAVE=/sbin/service
IPT_SAVE_ARGS="iptables save"
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
#SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

### run ./block_countries_iptables.sh flush ###
if [ $1 == "flush" ]
    then
    for c in $ISO
    do
        $IPT -D INPUT -j $c
        $IPT -D OUTPUT -j $c
        $IPT -D FORWARD -j $c
        $IPT -F $c
        $IPT -X $c
        rm $ZONEROOT/$c.zone
    done
    $IPT_SAVE $IPT_SAVE_ARGS
    echo "ALL COUNTRIES REMOVED"
    exit 0
fi
### END ###

cleanOldRules(){
$IPT -D INPUT -j $1
$IPT -D OUTPUT -j $1
$IPT -D FORWARD -j $1
$IPT -F $1
$IPT -X $1
rm $ZONEROOT/$1.zone
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

for c in $ISO
do
    # clean old rules
    [ -f $ZONEROOT/$c.zone ] && cleanOldRules $c

    # create a new iptables list
    $IPT -N $c

    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file
    $WGET -O $tDB $DLROOT/$c.zone

    # country specific log message
    SPAMDROPMSG="$c Country Drop: "

    # get
    BADIPS=$(egrep -v "^#|^$" $tDB)
    for ipblock in $BADIPS
    do
       $IPT -A $c -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
       $IPT -A $c -s $ipblock -j DROP
    done

    # exit chain
    $IPT -A $c -j RETURN

    # Drop everything
    $IPT -I INPUT -j $c
    $IPT -I OUTPUT -j $c
    $IPT -I FORWARD -j $c
done

# call your other iptable script
$IPT_SAVE $IPT_SAVE_ARGS

exit 0