98 lines
3.6 KiB
Bash
98 lines
3.6 KiB
Bash
#!/bin/bash
|
|
set -euo pipefail
|
|
|
|
#casysctl net.ipv4.ip_forward
|
|
|
|
echo -e "
|
|
░█████╗░███╗░░██╗██████╗░██████╗░░█████╗░░██████╗
|
|
██╔══██╗████╗░██║██╔══██╗██╔══██╗██╔══██╗██╔════╝
|
|
███████║██╔██╗██║██║░░██║██║░░██║██║░░██║╚█████╗░
|
|
██╔══██║██║╚████║██║░░██║██║░░██║██║░░██║░╚═══██╗
|
|
██║░░██║██║░╚███║██████╔╝██████╔╝╚█████╔╝██████╔╝
|
|
╚═╝░░╚═╝╚═╝░░╚══╝╚═════╝░╚═════╝░░╚════╝░╚═════╝░"
|
|
|
|
COUNTRIES="cn ru us in br id vn pk tr ir eg bd mx za ua kr ng ph"
|
|
ZONE_DIR="zone"
|
|
|
|
mkdir -p "$ZONE_DIR"
|
|
|
|
|
|
iptables -P INPUT ACCEPT
|
|
iptables -P FORWARD ACCEPT
|
|
iptables -P OUTPUT ACCEPT
|
|
iptables -t nat -F
|
|
iptables -t raw -F
|
|
iptables -t mangle -F
|
|
iptables -F
|
|
iptables -X
|
|
|
|
|
|
function add_iptables_rule() {
|
|
local chain=$1
|
|
local set_name=$2
|
|
|
|
if iptables -t raw -C "$chain" -m set --match-set "$set_name" src -j DROP 2>/dev/null; then
|
|
echo "Regra iptables já existe: $chain → $set_name"
|
|
else
|
|
echo "Inserindo regra iptables: $chain → $set_name"
|
|
iptables -t raw -I "$chain" -i vmbr0 -m set --match-set "$set_name" src -j DROP
|
|
fi
|
|
}
|
|
|
|
|
|
# https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/ip2location_country/ip2location_country_${country}.netset
|
|
# https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/geolite2_country/country_${country}.netset
|
|
# https://www.ipdeny.com/ipblocks/data/countries/${country}.zone
|
|
|
|
|
|
|
|
|
|
for country in $COUNTRIES; do
|
|
url="https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/geolite2_country/country_${country}.netset" #
|
|
echo "[$(date '+%Y-%m-%d %H:%M:%S')] Baixando lista IPs: $country"
|
|
|
|
tmp_file2="${ZONE_DIR}/${country}.zone.tmp2"
|
|
tmp_file="${ZONE_DIR}/${country}.zone.tmp"
|
|
target_file="${ZONE_DIR}/${country}.zone"
|
|
|
|
if curl -sSf -o "$tmp_file2" "$url"; then
|
|
grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?$' "$tmp_file2" > "$tmp_file"
|
|
rm "$tmp_file2"
|
|
|
|
|
|
if [ -f "$target_file" ] && cmp -s "$tmp_file" "$target_file"; then
|
|
echo "[$country] Arquivo inalterado."
|
|
rm "$tmp_file"
|
|
else
|
|
echo "[$country] Atualizando IPs."
|
|
mv "$tmp_file" "$target_file"
|
|
fi
|
|
else
|
|
echo "[$country] Falha no download. Mantendo antigo (se existir)."
|
|
[ -f "$tmp_file" ] && rm "$tmp_file"
|
|
continue
|
|
fi
|
|
done
|
|
|
|
for country in $COUNTRIES; do
|
|
if ipset list "$country" &>/dev/null; then
|
|
echo "[$country] Limpando ipset antigo..."
|
|
ipset destroy "$country"
|
|
ipset create "$country" hash:net maxelem 262144
|
|
else
|
|
echo "[$country] Criando novo ipset..."
|
|
ipset create "$country" hash:net maxelem 262144
|
|
fi
|
|
|
|
while read -r subnet; do
|
|
ipset add "$country" "$subnet" -exist || echo "Falha ao adicionar: $subnet"
|
|
echo "[$country | $subnet] Criando novo ipset..."
|
|
done < "$target_file"
|
|
|
|
add_iptables_rule PREROUTING "$country"
|
|
echo "[$country] Proteção configurada."
|
|
done
|
|
|
|
|
|
echo "[$(date '+%Y-%m-%d %H:%M:%S')] ✅ Proteção geográfica concluída!"
|