
Currently I'm using this script to block China's IP addresses:

# Create the ipset list
ipset -N china hash:net

# remove any old list that might exist from previous runs of this script
# (-f so a missing file is not an error)
rm -f cn.zone

# Pull the latest IP set for China
wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone

# Add each IP address from the downloaded list into the ipset 'china'
# (a while-read loop instead of for-in-$(cat), so lines are not word-split or globbed)
while read -r i; do ipset -A china "$i"; done < ./cn.zone

# Restore iptables
/sbin/iptables-restore < /etc/iptables/rules.v4

This works fine but how can I use it with multiple countries?

I tried this but it doesn't work:

ipset -N blockall hash:net
rm blockall.zone

for i in $(wget -P . http://www.ipdeny.com/ipblocks/data/countries/{cn,in,iq,af,ir,ae,sg,hk,kw,kg}.zone);
do ipset -A blockall $i; done

/sbin/iptables-restore < /etc/iptables/rules.v4

UPDATE

Based on Agnul's answer, I tried this:

rm blockall.zone
# pull files for each country
wget -P . http://www.ipdeny.com/ipblocks/data/countries/{cn,in,iq,af,ir,ae,sg,hk,kw,kg}.zone

# for each country file
for c in *.zone; do

  #for each line in country
  while read i; do
    ipset -A blockall $i;
  done <"$c"

done

Then I chmod my script:

chmod +x /etc/block-blockall.sh

However, it doesn't create the file blockall.zone or the individual *.zone files as it should.

  • It doesn't work because this {cn,in,iq,af,ir,ae,sg,hk,kw,kg} is wrong... what's the right way to write an array in bash? Apologies in advance for the simplicity of this question. Commented May 27, 2016 at 10:03

2 Answers


Assuming the first script, the China one, is doing what you expect, try this one to handle several countries:

#!/bin/bash

COUNTRIES="cn in iq af ir ae sg hk kw kg"

ipset -N blockall hash:net

# stream each country's list straight from wget into ipset, one entry per line
for country in $COUNTRIES; do
  wget -O - "http://www.ipdeny.com/ipblocks/data/countries/$country.zone" 2>/dev/null | while read -r ip; do
    ipset -A blockall "$ip"
  done
done

/sbin/iptables-restore < /etc/iptables/rules.v4

Note that no temporary file is needed or used.

If, for any reason, the temporary file is needed, use:

#!/bin/bash

COUNTRIES="cn in iq af ir ae sg hk kw kg"
ZONEFILE=blockall.zone

rm -f "$ZONEFILE"

ipset -N blockall hash:net

# append every country's list to the single zone file
for country in $COUNTRIES; do
  wget -O - "http://www.ipdeny.com/ipblocks/data/countries/$country.zone" 2>/dev/null >> "$ZONEFILE"
done

# then load the combined file into the set
while read -r ip; do
  ipset -A blockall "$ip"
done < "$ZONEFILE"

/sbin/iptables-restore < /etc/iptables/rules.v4


Something like

# pull files for each country
wget -P . http://www.ipdeny.com/ipblocks/data/countries/{cn,in,iq,af,ir,ae,sg,hk,kw,kg}.zone

# for each country file
for c in *.zone; do

  #for each line in country
  while read i; do
    ipset -A blockall $i;
  done <"$c"

done

should work.

Comments

I tried but same error --2016-05-27 10:33:18-- http://www.ipdeny.com/ipblocks/data/countries/%7Bcn,in,iq,af,ir,ae,sg,hk,kw,kg%7D.zone Resolving www.ipdeny.com (www.ipdeny.com)... 192.xxx.xxx.22 Connecting to www.ipdeny.com (www.ipdeny.com)|192.xxx.xxx.22|:80... connected. HTTP request sent, awaiting response... 404 Not Found 2016-05-27 10:33:18 ERROR 404: Not Found.
for i in $(cat ...) is an antipattern. Use a while-read loop instead. Also, it should be "$c" alone, and not $c.zone, since the expansion $c will have the trailing .zone.
yeah I didn't really try that ;-) my bad.
www.ipdeny.com/ipblocks/data/countries/{cn,in,iq,af,ir,ae,sg,hk,kw,kg}.zone is not a valid URL
If the shell used is bash as the tags and title claim, then brace expansion generates a list of potentially valid URLs: www.ipdeny.com/ipblocks/data/countries/cn.zone www.ipdeny.com/ipblocks/data/countries/in.zone www.ipdeny.com/ipblocks/data/countries/kw.zone www.ipdeny.com/ipblocks/data/countries/kg.zone. If the shell in use is not Bash (e.g. /bin/sh), then the expansion may not occur (/bin/sh might not be Bash, for example).
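Both answers add entries one `ipset -A` call at a time and feed wget output to ipset unfiltered, so a 404 page (as in the comment above) ends up as bogus "entries". The script below is an added example, not code from either answer or from ipdeny: it filters the zone lines, bulk-loads them with `ipset restore`, and swaps the new set into place so the live `blockall` set is never empty while reloading. The set names `blockall`/`blockall_new` and the inline sample zone data are assumptions; in real use the sample is replaced by the concatenated `wget -O -` output.

```shell
#!/bin/bash
# Added example (not from either answer): bulk-load several countries'
# zone lists into one ipset via `ipset restore`, then swap it live.
# Set names and the inline sample zone data are assumptions.

# Keep only lines that look like IPv4 addresses or CIDR blocks; anything
# else (a 404 HTML page, blank lines) would abort `ipset restore`.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Turn zone lines on stdin into an `ipset restore` script filling SETNAME.
build_restore() {
  local setname="$1"
  echo "create $setname hash:net family inet"
  echo "flush $setname"
  filter_cidrs | sed "s|^|add $setname |"
}

# Number of `add` lines in a restore script (for sanity checks).
count_adds() {
  grep -c '^add '
}

# Constructed stand-in for `wget -O - .../{cn,in,...}.zone` output,
# deliberately including junk that must be filtered out.
SAMPLE_ZONES='1.0.1.0/24
<html>404 Not Found</html>
1.0.2.0/23

5.10.0.0/16
not-an-ip
'

main() {
  local live="blockall" tmp="blockall_new" script
  script="$(printf '%s' "$SAMPLE_ZONES" | build_restore "$tmp")"
  if command -v ipset >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    printf '%s\n' "$script" | ipset restore -exist   # -exist: fine if tmp set already exists
    ipset create "$live" hash:net family inet -exist
    ipset swap "$tmp" "$live"    # atomic: iptables rules keep matching throughout
    ipset destroy "$tmp"
  else
    printf '%s\n' "$script"      # dry run: print the restore script instead
  fi
}

main "$@"
```

Run as root with ipset installed it loads the set; otherwise it prints the `create`/`flush`/`add` lines it would have fed to `ipset restore`.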