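#!/bin/bash
#
# Geo-blocking for a Linux/Proxmox-style host.
#
# For every country code in $COUNTRIES the script downloads the IPv4 prefix
# list from the FireHOL blocklist-ipsets mirror (geolite2_country), caches it
# in $ZONE_DIR/<cc>.zone, loads it into an ipset named <cc> and drops matching
# source traffic in the raw PREROUTING chain bound to $WAN_IF. raw/PREROUTING
# runs before routing, so the DROP covers both the host (INPUT) and forwarded
# guest traffic (FORWARD).
#
# Environment (all optional, defaults reproduce the original behaviour):
#   COUNTRIES       space-separated lowercase ISO-3166 alpha-2 codes
#   ZONE_DIR        cache directory for the .zone files (default "zone",
#                   relative to the cwd -- set an absolute path under cron)
#   WAN_IF          interface the DROP rule is bound to (default vmbr0)
#   RESET_FIREWALL  "1" (default) flushes EVERY iptables table and resets the
#                   filter policies to ACCEPT before the geo rules are added;
#                   "0" leaves existing rules untouched.
#
# Security notes:
#   * Only IPv4 is handled; IPv6 sources are never blocked by this script.
#   * The lists are fetched over HTTPS but are not signed. The regex filter
#     below limits what a tampered or broken list can inject to bare IPv4
#     prefixes; an empty result is treated as a failed download so a bad
#     fetch can never silently empty a set and unblock a country.
#   * With RESET_FIREWALL=1 any rule owned by another firewall manager on the
#     host is wiped (presumably pve-firewall on a Proxmox host -- verify
#     before running there).
set -euo pipefail
# sysctl net.ipv4.ip_forward

cat <<'BANNER'
░█████╗░███╗░░██╗██████╗░██████╗░░█████╗░░██████╗
██╔══██╗████╗░██║██╔══██╗██╔══██╗██╔══██╗██╔════╝
███████║██╔██╗██║██║░░██║██║░░██║██║░░██║╚█████╗░
██╔══██║██║╚████║██║░░██║██║░░██║██║░░██║░╚═══██╗
██║░░██║██║░╚███║██████╔╝██████╔╝╚█████╔╝██████╔╝
╚═╝░░╚═╝╚═╝░░╚══╝╚═════╝░╚═════╝░░╚════╝░╚═════╝░
BANNER

readonly COUNTRIES="${COUNTRIES:-cn ru in br id vn pk tr ir eg bd mx za ua kr ng ph}"
readonly ZONE_DIR="${ZONE_DIR:-zone}"
readonly WAN_IF="${WAN_IF:-vmbr0}"
readonly RESET_FIREWALL="${RESET_FIREWALL:-1}"
readonly IPSET_MAXELEM=262144
# Alternative sources kept for reference:
#   https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/ip2location_country/ip2location_country_${country}.netset
#   https://www.ipdeny.com/ipblocks/data/countries/${country}.zone
readonly LIST_BASE="https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/geolite2_country"

#######################################
# Print a message to stderr and exit.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Wipe every iptables table and reset the filter policies to ACCEPT.
# This is the original script's unconditional start-up behaviour; it is only
# called when RESET_FIREWALL=1. Note that the ipsets themselves survive.
#######################################
reset_firewall() {
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t nat -F
  iptables -t raw -F
  iptables -t mangle -F
  iptables -F
  iptables -X
}

#######################################
# Insert a DROP rule for an ipset into the raw table, idempotently.
# Globals:   WAN_IF (read)
# Arguments: $1 - chain (e.g. PREROUTING), $2 - ipset name
#######################################
add_iptables_rule() {
  local chain=$1
  local set_name=$2
  # The same spec is used for -C and -I. The original checked without
  # "-i vmbr0" but inserted with it, so the check never matched and a
  # duplicate rule would be stacked on every run.
  local -a rule=(-i "$WAN_IF" -m set --match-set "$set_name" src -j DROP)
  if iptables -t raw -C "$chain" "${rule[@]}" 2>/dev/null; then
    echo "Regra iptables já existe: $chain → $set_name"
  else
    echo "Inserindo regra iptables: $chain → $set_name"
    iptables -t raw -I "$chain" "${rule[@]}"
  fi
}

#######################################
# Download and sanitise one country list into its cache file.
# Globals:   ZONE_DIR, LIST_BASE (read)
# Arguments: $1 - country code, $2 - cache file to (re)write
# Outputs:   progress messages on stdout
# Returns:   0 if the cache file is now current (updated or unchanged),
#            1 on download failure or an empty/invalid list (cache untouched)
#######################################
fetch_country_list() {
  local country=$1
  local target_file=$2
  local url="${LIST_BASE}/country_${country}.netset"
  local raw_file filtered_file
  raw_file=$(mktemp "${ZONE_DIR}/${country}.raw.XXXXXX") || die "mktemp falhou"
  filtered_file=$(mktemp "${ZONE_DIR}/${country}.zone.XXXXXX") || die "mktemp falhou"

  # -f: no body is written on HTTP errors; timeouts keep a cron run from
  # hanging forever on a stalled connection.
  if ! curl -sSf --connect-timeout 15 --max-time 120 -o "$raw_file" "$url"; then
    echo "[$country] Falha no download. Mantendo antigo (se existir)."
    rm -f -- "$raw_file" "$filtered_file"
    return 1
  fi

  # Keep only bare IPv4 prefixes (comments and anything else are dropped).
  # grep exits 1 when nothing matches, which under set -e would abort the
  # whole run mid-loop; the empty case is handled explicitly below instead.
  grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?$' "$raw_file" > "$filtered_file" || true
  rm -f -- "$raw_file"

  if [[ ! -s "$filtered_file" ]]; then
    # An empty list would empty the ipset and silently unblock the country.
    echo "[$country] Lista vazia ou inválida. Mantendo antigo (se existir)."
    rm -f -- "$filtered_file"
    return 1
  fi

  if [[ -f "$target_file" ]] && cmp -s "$filtered_file" "$target_file"; then
    echo "[$country] Arquivo inalterado."
    rm -f -- "$filtered_file"
  else
    echo "[$country] Atualizando IPs."
    mv -- "$filtered_file" "$target_file"
  fi
  return 0
}

#######################################
# (Re)build the ipset for a country from its cache file.
# Globals:   IPSET_MAXELEM (read)
# Arguments: $1 - ipset name (country code), $2 - file with one prefix per line
#######################################
load_ipset() {
  local set_name=$1
  local list_file=$2
  local tmp_set="${set_name}_new"

  # The kernel refuses to destroy a set that an iptables rule references, so
  # the original destroy/create sequence fails on the second run (and, when it
  # did work, left a window with no block at all). Build a scratch set and
  # swap it in atomically instead.
  ipset destroy "$tmp_set" 2>/dev/null || true
  ipset create "$tmp_set" hash:net maxelem "$IPSET_MAXELEM"

  # Bulk load: one ipset process instead of one per prefix. If the kernel
  # rejects a line the restore stops, so fall back to per-entry adds purely to
  # report which entries are bad (-exist makes the already-loaded ones no-ops).
  if ! awk -v s="$tmp_set" 'NF { print "add " s " " $1 }' "$list_file" \
      | ipset -exist restore; then
    local subnet
    while IFS= read -r subnet || [[ -n "$subnet" ]]; do
      [[ -n "$subnet" ]] || continue
      ipset add "$tmp_set" "$subnet" -exist || echo "Falha ao adicionar: $subnet"
    done < "$list_file"
  fi

  if ipset list "$set_name" &>/dev/null; then
    echo "[$set_name] Substituindo ipset antigo..."
    ipset swap "$tmp_set" "$set_name"
    ipset destroy "$tmp_set"
  else
    echo "[$set_name] Criando novo ipset..."
    ipset rename "$tmp_set" "$set_name"
  fi
}

main() {
  command -v iptables >/dev/null || die "iptables não encontrado"
  command -v ipset >/dev/null || die "ipset não encontrado"
  command -v curl >/dev/null || die "curl não encontrado"

  mkdir -p -- "$ZONE_DIR"

  if [[ "$RESET_FIREWALL" == "1" ]]; then
    reset_firewall
  fi

  local country target_file
  # Word-splitting on $COUNTRIES is the intended way to iterate the list.
  # shellcheck disable=SC2086
  for country in $COUNTRIES; do
    # The code becomes a file name and an ipset name; refuse anything odd.
    if [[ ! "$country" =~ ^[a-z]{2}$ ]]; then
      echo "[$country] Código de país inválido, pulando."
      continue
    fi
    target_file="${ZONE_DIR}/${country}.zone"

    # A failed download must not leave the country unblocked: after the flush
    # above the rule is gone, so the cached list (if any) is reloaded anyway.
    # The original skipped the whole country on a transient fetch error.
    fetch_country_list "$country" "$target_file" || true
    if [[ ! -s "$target_file" ]]; then
      echo "[$country] Sem lista disponível, pulando."
      continue
    fi

    load_ipset "$country" "$target_file"
    add_iptables_rule PREROUTING "$country"
    echo "[$country] Proteção configurada."
  done

  echo "[$(date '+%Y-%m-%d %H:%M:%S')] ✅ Proteção geográfica concluída!"
}

main "$@"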