Shell Blocking Scripts:

Both scripts require superuser privileges and must be run from BASH, and IPTables must be installed as well.  I make NO claims about the use of these or how you implement them on your system.  Nor do I warranty them or will I support them in any way.  Use them at YOUR OWN RISK, and by all means, if you don’t understand the code, don’t use them.

blockingscript.sh

#!/bin/bash
# Originally from http://www.cyberciti.biz/faq/block-entier-country-using-iptables
#
# Everything below rewrites iptables chains and files under /etc and /var,
# so bail out early unless we are running as root.
if [ "$(id -u)" != "0" ]; then
  printf '%s\n' "This Script must be run as root" >&2
  exit 1
fi
### Countries to block, as two-letter ISO codes (one ipdeny zone file each) ###
ISO="af ar cn kr ru hu id ir iq pk"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep          # declared for completeness; the functions below call egrep directly

### No editing below ###
CBLIST="countrydrop"                         # master chain; sub-chains are named <x>-$CBLIST
ZONEROOT="/var/iptables"                     # downloaded zone files live here, retired ones in arch/
IPTCBRESTORE="/etc/sysconfig/iptables.cb"    # iptables-restore file written by createIPTLoadFile
IPTCBDEVICE=eth0                             # interface the block is hooked on; empty = every interface
ALLOWPORTS=80,443                            # TCP ports still reachable from blocked countries; empty = none
ALLOWSUBNET=192.168.0.0/255.255.0.0          # source subnet exempt from the block; empty = no exemption
MAXZONEAGE=7                                 # days before a zone file is retired and fetched again
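DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
# NOTE(review): zone lists are fetched over plain HTTP and nothing below
# checks their integrity; every line of a downloaded file becomes a DROP rule.

#######################################
# Remove the chains and hooks left behind by a previous run.
# Globals:   IPT, CBLIST, IPTCBDEVICE (read)
# Returns:   status of the last iptables call; individual failures
#            (e.g. a chain that does not exist yet) are not fatal
#######################################
cleanOldRules() {
  local chain
  local -a subchains=() dev_in=() dev_out=()
  if [ -n "$IPTCBDEVICE" ]; then
    dev_in=(-i "$IPTCBDEVICE")
    dev_out=(-o "$IPTCBDEVICE")
  fi

  # Unhook the master chain from the built-in chains if it exists.
  # -n: without it -L reverse-resolves every address in the chain.
  if "$IPT" -n -L "$CBLIST" > /dev/null 2>&1; then
    "$IPT" -D INPUT "${dev_in[@]}" -j "$CBLIST"
    "$IPT" -D OUTPUT "${dev_out[@]}" -j "$CBLIST"
    "$IPT" -D FORWARD "${dev_in[@]}" -j "$CBLIST"
  fi
  "$IPT" -F "$CBLIST"
  "$IPT" -X "$CBLIST"

  # Sub-chains are named <octet>-$CBLIST and <country>-$CBLIST-DROP, and the
  # former jump to the latter. Flush all of them before deleting any,
  # otherwise -X fails on a chain that is still referenced. (The original
  # grep used single quotes, so $CBLIST was never expanded and no sub-chain
  # was ever matched.)
  mapfile -t subchains < <("$IPT" -n -L | awk -v tag="-${CBLIST}" '$1 == "Chain" && index($2, tag) { print $2 }')
  for chain in "${subchains[@]}"; do
    "$IPT" -F "$chain"
  done
  for chain in "${subchains[@]}"; do
    "$IPT" -X "$chain"
  done
}

#######################################
# Make sure a zone file exists for every country in ISO and retire the rest.
# Files older than MAXZONEAGE days are moved to ZONEROOT/arch so that they
# are downloaded afresh; zone files for countries no longer in ISO are
# archived too.
# Globals:   ZONEROOT, MAXZONEAGE, ISO, WGET, DLROOT (read)
# Outputs:   progress messages on stdout, download failures on stderr
#######################################
updateZoneFiles() {
  local zonearch code zonefile zone present
  zonearch=${ZONEROOT}/arch
  mkdir -p "$zonearch"

  # -type f: without it the arch/ directory itself is a candidate for the
  # move once it is older than MAXZONEAGE days.
  find "$ZONEROOT" -maxdepth 1 -mindepth 1 -type f -ctime +"$MAXZONEAGE" -exec mv {} "$zonearch" \;

  for code in $ISO; do
    zonefile=$ZONEROOT/$code.zone
    if [ -f "$zonefile" ]; then
      printf 'Zone file %s is new enough - no update required.\n' "$zonefile"
    else
      # A failed or partial download must not be left behind: on the next
      # run it would pass the -f test above and be loaded as if it were valid.
      if ! "$WGET" -O "$zonefile" "$DLROOT/$code.zone"; then
        printf 'Download of %s failed - removing partial file\n' "$zonefile" >&2
        rm -f -- "$zonefile"
      fi
    fi
  done

  # Archive zone files for countries that are no longer in ISO. (The original
  # compared against the leftover loop variable and mv'ed a bare country
  # code relative to the working directory, so nothing was ever archived.)
  for zonefile in "$ZONEROOT"/*.zone; do
    [ -f "$zonefile" ] || continue
    zone=${zonefile##*/}
    zone=${zone%.zone}
    present=0
    for code in $ISO; do
      if [ "$code" = "$zone" ]; then
        present=1
        break
      fi
    done
    if [ "$present" = 0 ]; then
      mv -- "$zonefile" "$zonearch"
    else
      printf 'Working from previous zone file for %s\n' "$zone"
    fi
  done
}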

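#######################################
# Write an iptables-restore file that installs the country block.
# Chain declarations (":name - [0:0]") go straight into IPTCBRESTORE; the
# rules are collected in IPTCBRESTORE.tmp and appended at the end, because
# iptables-restore needs every chain declared before it is referenced.
# Zone file lines are copied verbatim, so a line that is not a network makes
# iptables-restore reject the whole file later.
# Globals:   ISO, ZONEROOT, CBLIST, IPTCBRESTORE, IPTCBDEVICE, ALLOWPORTS,
#            ALLOWSUBNET (read)
# Outputs:   progress messages on stdout; IPTCBRESTORE is rewritten
#######################################
createIPTLoadFile() {
  local restore=$IPTCBRESTORE rules=$IPTCBRESTORE.tmp
  local dev_in=${IPTCBDEVICE:+-i $IPTCBDEVICE} dev_out=${IPTCBDEVICE:+-o $IPTCBDEVICE}
  local c tDB ipblock topip dropchain logprefix
  local octets=""   # octet chains already declared in this run

  {
    printf '# Generated by %s on %s\n' "$0" "$(date)"
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$CBLIST"
  } > "$restore"

  # Hook the master chain into the built-in chains.
  {
    printf -- '-I INPUT %s -j %s\n' "$dev_in" "$CBLIST"
    printf -- '-I OUTPUT %s -j %s\n' "$dev_out" "$CBLIST"
    printf -- '-I FORWARD %s -j %s\n' "$dev_in" "$CBLIST"
  } > "$rules"

  # Exemptions are -I'ed, so they sit above the -A'ed octet jumps below.
  if [ -z "$ALLOWPORTS" ]; then
    printf 'Blocking all traffic from country - no ports allowed\n'
  else
    printf -- '-I %s -p tcp -m multiport --dports %s -j RETURN\n' "$CBLIST" "$ALLOWPORTS" >> "$rules"
  fi
  if [ -z "$ALLOWSUBNET" ]; then
    printf 'Blocking all traffic from country - no subnets excluded\n'
  else
    printf -- '-I %s -s %s -j RETURN\n' "$CBLIST" "$ALLOWSUBNET" >> "$rules"
  fi

  for c in $ISO; do
    tDB=$ZONEROOT/$c.zone
    logprefix="iptables: ${c}-Country-Drop: "
    dropchain=${c}-${CBLIST}-DROP

    # One LOG+DROP chain per country so the log line names the country.
    printf ':%s - [0:0]\n' "$dropchain" >> "$restore"
    {
      printf -- '-A %s -j LOG --log-prefix "%s"\n' "$dropchain" "$logprefix"
      printf -- '-A %s -j DROP\n' "$dropchain"
    } >> "$rules"

    # Networks are grouped into one chain per first octet and the master
    # chain jumps there for the whole /8, so a packet is matched against
    # one octet's networks instead of the complete list.
    for ipblock in $(grep -Ev '^#|^$' "$tDB"); do
      topip=${ipblock%%.*}
      # Remember declared octets in a variable instead of grepping the
      # growing restore file once per network.
      case " $octets " in
        *" $topip "*) ;;
        *)
          octets="$octets $topip"
          printf 'Creating chain for octet %s\n' "$topip"
          printf ':%s-%s - [0:0]\n' "$topip" "$CBLIST" >> "$restore"
          printf -- '-A %s -s %s.0.0.0/8 -j %s-%s\n' "$CBLIST" "$topip" "$topip" "$CBLIST" >> "$rules"
          ;;
      esac
      printf '  Adding rule for %s to chain for octet %s\n' "$ipblock" "$topip"
      printf -- '-A %s-%s -s %s -j %s\n' "$topip" "$CBLIST" "$ipblock" "$dropchain" >> "$rules"
    done
  done

  cat "$rules" >> "$restore" && rm -f -- "$rules"
  printf 'COMMIT\n# Completed on %s\n' "$(date)" >> "$restore"
}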

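#######################################
# Install the country block with direct iptables calls instead of through an
# iptables-restore file (same chain layout as createIPTLoadFile). Not used by
# default: loadTables has this call commented out in favour of the restore
# file, which is one iptables invocation instead of one per network.
# Globals:   IPT, ISO, ZONEROOT, CBLIST, IPTCBDEVICE, ALLOWPORTS,
#            ALLOWSUBNET (read)
# Outputs:   progress messages on stdout
#######################################
directLoadTables() {
  local c tDB ipblock topip dropchain logprefix octchain
  local -a dev_in=() dev_out=()
  local known=""   # octets whose chain is known to exist in this run
  if [ -n "$IPTCBDEVICE" ]; then
    dev_in=(-i "$IPTCBDEVICE")
    dev_out=(-o "$IPTCBDEVICE")
  fi

  # Create the master chain and hook it into the built-in chains.
  "$IPT" -N "$CBLIST"
  "$IPT" -I INPUT "${dev_in[@]}" -j "$CBLIST"
  "$IPT" -I OUTPUT "${dev_out[@]}" -j "$CBLIST"
  "$IPT" -I FORWARD "${dev_in[@]}" -j "$CBLIST"

  # Exemptions are inserted at the top so they run before the octet jumps.
  if [ -z "$ALLOWPORTS" ]; then
    printf 'Blocking all traffic from country - no ports allowed\n'
  else
    "$IPT" -I "$CBLIST" -p tcp -m multiport --dports "$ALLOWPORTS" -j RETURN
  fi
  if [ -z "$ALLOWSUBNET" ]; then
    printf 'Blocking all traffic from country - no subnets allowed\n'
  else
    "$IPT" -I "$CBLIST" -s "$ALLOWSUBNET" -j RETURN
  fi

  for c in $ISO; do
    tDB=$ZONEROOT/$c.zone
    logprefix="$c Country Drop"
    dropchain=${c}-${CBLIST}-DROP

    # One LOG+DROP chain per country so the log line names the country.
    "$IPT" -N "$dropchain"
    "$IPT" -A "$dropchain" -j LOG --log-prefix "$logprefix"
    "$IPT" -A "$dropchain" -j DROP

    # Networks are grouped into one chain per first octet; the master chain
    # jumps there for the whole /8.
    for ipblock in $(grep -Ev '^#|^$' "$tDB"); do
      topip=${ipblock%%.*}
      octchain=$topip-$CBLIST
      case " $known " in
        *" $topip "*) ;;
        *)
          # Ask iptables only once per octet, and with -n: without it -L
          # reverse-resolves every address already in the chain.
          if ! "$IPT" -n -L "$octchain" > /dev/null 2>&1; then
            printf 'Creating chain for octet %s\n' "$topip"
            "$IPT" -N "$octchain"
            "$IPT" -A "$CBLIST" -s "$topip.0.0.0/8" -j "$octchain"
          fi
          known="$known $topip"
          ;;
      esac
      printf '  Adding rule for %s to chain for octet %s\n' "$ipblock" "$topip"
      "$IPT" -A "$octchain" -s "$ipblock" -j "$dropchain"
    done
  done
}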

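#######################################
# Build the restore file and load it into the running firewall.
# Globals:   IPT, IPTCBRESTORE, ISO (read)
# Outputs:   success message on stdout; failure message on stderr
# Returns:   0 on success, the iptables-restore exit status otherwise
#            (the original announced success regardless of the load result)
#######################################
loadTables() {
  local rc
  createIPTLoadFile
  # -n (--noflush): add to the current ruleset instead of replacing it.
  "${IPT}-restore" -n "$IPTCBRESTORE"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    printf 'iptables-restore failed (status %s) loading %s - country block NOT installed\n' "$rc" "$IPTCBRESTORE" >&2
    return "$rc"
  fi
  #directLoadTables
  printf 'Country block instituted for: %s\n' "$ISO"
}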

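# create the zone directory on first run
if [ ! -d "$ZONEROOT" ]; then
  /bin/mkdir -p "$ZONEROOT"
fi

# clean old rules
cleanOldRules

# update zone files as needed
updateZoneFiles

# create a new iptables list; do not report success with "exit 0" if the
# load step itself reports failure
if ! loadTables; then
  printf '%s\n' 'Loading the country block failed' >&2
  exit 1
fi

exit 0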

 UPDATE 01.02.12: Added removal of some more replicated lines near the end of the script.  Also added creation of a DenyHosts.ip file that can be used in your .htaccess file.

IPBlock.sh

#!/bin/bash
# The script below edits the live iptables ruleset and reads the Apache
# logs, so refuse to run without root privileges.
if [ "$(id -u)" != "0" ]; then
  printf '%s\n' "This Script must be run as root" >&2
  exit 1
fi
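### Preserve Former Blacklist.txt ###
# Keep a timestamped copy of the previous list before it is rebuilt.
printf '%s\n' 'Backing up Blacklist Data'
if [ -f Blacklist.ip ]; then
  cp -- Blacklist.ip "Blacklist.$(date +%Y%m%d%H%M%S).bak"
fi

### Setting up for Blacklist - Removal and Creation of tmp ###
# Scratch files live in tmp/ under the working directory (that is where the
# steps below write them). The original tested "-f /tmp/Blacklist*.txt",
# which is a different directory and an unquoted glob inside [ ], so the
# cleanup branch was not taken reliably.
printf '%s\n' 'Removing old datafiles'
if [ -d tmp ]; then
  printf '%s\n' 'Removing old datafiles'
  rm -f -- tmp/Blacklist*.txt
  rm -r -- tmp
  rm -f -- DenyHosts.ip
else
  printf '%s\n' 'Success, no old datafiles found'
fi

printf '%s\n' 'Creating tmp directory'
mkdir tmp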

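### Grab IP from Apache2 error.log ###
# NOTE(review): this takes the eighth space-separated word of every line
# containing "error" and strips a trailing "]". That only yields a client
# address for the log format the author had; check it against your own
# error.log before trusting the output. A final sort happens below, so a
# single "sort -u" is enough here.
printf '%s\n' 'Building Blacklist Current Data..'
grep error /var/log/apache2/error.log | cut -d ' ' -f 8 | tr -d ']' | sort -u > tmp/Blacklist1.txt

### Grab IP from Apache2 ARCHIVED error.log ###
printf '%s\n' 'Building Blacklist Archived Data..'
zcat /var/log/apache2/error.log.*.gz | grep error | cut -d ' ' -f 8 | tr -d ']' | sort -u > tmp/Blacklist2.txt

### Combine Blacklists into newfile Blacklist3.txt ###
printf '%s\n' 'Combining Local and Blacklists..'
cat Blacklist.local tmp/Blacklist1.txt tmp/Blacklist2.txt > tmp/Blacklist3.txt

### Remove any reference to localhost 127.0.0.1 and [LOCAL IP] and [YOUR IP HERE] and unknown statements ###
# Dots are escaped and the loopback address anchored so "127.0.0.1" cannot
# match other addresses. Replace YOUR_IP_HERE with your own address, with
# the dots escaped (the original "[YOUR IP HERE]" was a bracket expression,
# not a placeholder that matched an address).
printf '%s\n' 'Removing safe addresses..'
sed -e '/^127\.0\.0\.1$/d' \
    -e '/^192\.168\.1\./d' \
    -e '/YOUR_IP_HERE/d' \
    -e '/unknown/d' tmp/Blacklist3.txt > tmp/Blacklist4.txt

### Sort IP addresses ###
printf '%s\n' 'Sorting Blacklist..'
sort -t. -k1,1n -k2,2n -k3,3n -k4,4n tmp/Blacklist4.txt > tmp/Blacklist5.txt

### Remove any Duplicates and output to Blacklist.ip ###
# "uniq -u", as originally written, prints only lines that occur exactly
# once, so an address present in both the live and the archived log - the
# repeat offenders - was dropped from the list instead of deduplicated.
uniq tmp/Blacklist5.txt > tmp/Blacklist.ip
# Relative path, consistent with where the file was just written (the
# original used an absolute /home/Scripting/tmp path here only).
mv -- tmp/Blacklist.ip Blacklist.ip

### Create Deny Hosts File ###
printf '%s\n' 'Create DenyHosts.ip'
awk '{ printf("deny from %s\n", $0) }' Blacklist.ip > DenyHosts.ip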

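printf '%s\n' 'Banning...'
BLOCKDB=/home/Scripting/Blacklist.ip
# The entries come from parsed log lines, so only hand iptables something
# that looks like an IPv4 address or network: iptables resolves a -s/-d
# argument that is a host name, and a junk token would abort the rule.
# "-C" (--check) skips rules that already exist; without it every run
# appends another copy of each rule. For large lists an ipset would be a
# better fit than one rule per address.
for i in $(grep -Ev '^#' "$BLOCKDB"); do
  if [[ ! $i =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
    printf 'Skipping entry that is not an IPv4 address: %s\n' "$i" >&2
    continue
  fi
  iptables -C INPUT -s "$i" -j DROP 2>/dev/null || iptables -vA INPUT -s "$i" -j DROP
  iptables -C OUTPUT -d "$i" -j DROP 2>/dev/null || iptables -vA OUTPUT -d "$i" -j DROP
done

printf '%s\n' 'Backing up Rules...'
iptables-save > rules.txt
# Publish a copy of the list under public_html.
rm -f -- /home/public_html/Blacklist.ip
cp -- /home/Scripting/Blacklist.ip /home/public_html/Blacklist.ip

### Remove old files ###
printf '%s\n' 'Cleanup...'
rm -f -- tmp/*.txt
rm -r -- tmp
printf '%s\n' 'Complete'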