#!/bin/sh
# shellcheck disable=SC2317,SC2154,SC2086,SC1090,SC2034
# geoip-shell-apply.sh
# Copyright: antonk (antonk.d3v@gmail.com)
# github.com/friendly-bits
## Initial setup
p_name="geoip-shell"
# Shared init library for the project; it is expected to provide the helpers used
# throughout this script (san_args, newifs/oldifs, die, debugprint, checkvars, ...).
# Nothing below can run without it, so a failed source is fatal.
. "/usr/bin/${p_name}-geoinit.sh" || exit 1
# san_args presumably sanitizes the raw argv into $_args joined by $delim;
# the positional parameters are then rebuilt by splitting on $delim only
# (IFS is switched to $delim for the split and restored right after).
san_args "$@"
newifs "$delim"
set -- $_args; oldifs
## USAGE
usage() {
	# Print the help text to stdout, one line per argument.
	# $me and $list_ids_usage are expected to be set by the init library.
	printf '%s\n' \
		"Usage: $me <action> [-l <\"list_ids\">] [-d] [-V] [-h]" \
		"Switches geoip blocking on/off, or loads/removes ip sets and firewall rules for specified lists." \
		"Actions:" \
		"on|off : enable or disable the geoip blocking chain (via a rule in the base chain)" \
		"add|remove : Add or remove ip sets and firewall rules for lists specified with the '-l' option" \
		"Options:" \
		"-l $list_ids_usage" \
		"-d : Debug" \
		"-V : Version" \
		"-h : This help"
}
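# Cleanup-and-die: drop the temporary ip sets, remove any staged *.iplist files
# from $iplist_dir, then hand the message to die() (which terminates the script).
# Globals: iplist_dir (read). Arguments: forwarded verbatim to die().
die_a() {
	destroy_tmp_ipsets
	# Guard the destructive glob: with an empty iplist_dir it would expand to
	# /*.iplist. The set +f / set -f pair suggests globbing is disabled elsewhere
	# in the script, so it is enabled only for the duration of the rm.
	[ "$iplist_dir" ] && {
		set +f; rm -f "$iplist_dir/"*.iplist; set -f
	}
	die "$@"
}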
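# Populates $counter_val for firewall rule $1 from the saved variable
# counter_<md5 of rule>; when no saved value exists, falls back to a zero
# counter written in the active backend's syntax (nft or ipt).
# Globals: _fw_backend (read), counter_<md5> (read), counter_val (written).
get_counter_val() {
	rule_md5="$(get_md5 "$1")"
	counter_val=
	# The md5 is interpolated into an eval'd variable name. Only identifier
	# characters are accepted so that an unexpected get_md5 result (error text,
	# empty output) cannot inject shell code or break the assignment.
	case "$rule_md5" in
		''|*[!0-9A-Za-z_]*) debugprint "unexpected md5 '$rule_md5' for rule '$1'" ;;
		*) eval "counter_val=\"\$counter_$rule_md5\""
	esac
	debugprint "counter val for '$1': '$counter_val'"
	[ ! "$counter_val" ] && {
		case "$_fw_backend" in
			nft) counter_val="packets 0 bytes 0" ;;
			ipt) counter_val="[0:0]"
		esac
	}
}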
## PARSE ARGUMENTS
# The first positional parameter is the action; anything else is handed to unknownact().
# Note: 'update' is accepted here although usage() does not list it.
action="$1"
case "$action" in
	add|remove|on|off|update) shift ;;
	*) unknownact
esac
# Options follow the action. A missing option argument (the ':' case) also ends up in unknownopt.
while getopts ":l:dVh" opt; do
	case "$opt" in
		l) list_ids="$OPTARG" ;;
		d) debugmode_arg=1 ;;
		V) echo "$curr_ver"; exit 0 ;;
		h) usage; exit 0 ;;
		*) unknownopt
	esac
done
shift $((OPTIND-1))
# Whatever remains after the options is unexpected.
extra_args "$@"
is_root_ok
setdebug
debugentermsg
## VARIABLES
# Load the persisted configuration (datadir, geomode, ifaces, _fw_backend, noblock,
# iplist_dir, ip_lists, geotag, ... — the required ones are validated by checkvars below).
get_config_vars
debugprint "ip lists: '$ip_lists'"
# Presumably lowercases the variable named 'action' in place. Mostly defensive:
# the case statement above only matched lowercase action names anyway.
tolower action
# Tag for the auxiliary rules/sets that accompany the main geoip chain (as used by the backend library).
geotag_aux="${geotag}_aux"
## CHECKS
# Abort early if any required configuration value is missing.
checkvars datadir geomode ifaces _fw_backend noblock iplist_dir
# Unless rules apply to all interfaces, every configured interface must exist on this host.
if [ "$ifaces" != all ]; then
	all_ifaces="$(detect_ifaces)" || die "$FAIL detect network interfaces."
	nl2sp all_ifaces
	subtract_a_from_b "$all_ifaces" "$ifaces" bad_ifaces
	[ "$bad_ifaces" ] && die "Network interfaces '$bad_ifaces' do not exist in this system."
fi
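## MAIN
# The backend name from the config is used to build the path of a file that is
# sourced below. Only the two backends this script knows about (see get_counter_val)
# are allowed, so an unexpected or malformed value is rejected instead of sourced.
case "$_fw_backend" in
	nft|ipt) ;;
	*) die "Unknown firewall backend '$_fw_backend'."
esac
debugprint "loading the $_fw_backend library..."
. "$_lib-$_fw_backend.sh" || exit 1
# Whitelist mode accepts matching traffic, blacklist mode drops it.
case "$geomode" in
	whitelist) iplist_verdict=accept; fw_target=ACCEPT ;;
	blacklist) iplist_verdict=drop; fw_target=DROP ;;
	*) die "Unknown firewall mode '$geomode'."
esac
# on/off only toggle the enabling rule and exit with that helper's status;
# add/remove/update fall through to apply_rules (presumably provided by the backend library).
case "$action" in
	on) geoip_on; exit ;;
	off) geoip_off; exit
esac
apply_rules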