From d1f589a9d83344d3678bea1dabaa37c48aa1eb01 Mon Sep 17 00:00:00 2001
From: Matthew Saunders Brown
Date: Tue, 7 Mar 2023 13:28:37 -0800
Subject: [PATCH] add firewall-blacklist-zone.sh

---
 sbin/firewall-blacklist-zone.sh | 34 +++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100755 sbin/firewall-blacklist-zone.sh

diff --git a/sbin/firewall-blacklist-zone.sh b/sbin/firewall-blacklist-zone.sh
new file mode 100755
index 0000000..02cf923
--- /dev/null
+++ b/sbin/firewall-blacklist-zone.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Zone (2 letter country code) should be first arg
+if [ -n "$1" ]; then
+ zone=$1
+else
+ echo "zone not set"
+ exit 1
+fi
+
+if [[ -f /etc/firewalld/ipsets/ipdeny-$zone-zone.xml ]]; then
+
+ echo "IPSet file for zone $zone already exists."
+
+else
+
+ cd /usr/local/src/
+ wget https://www.ipdeny.com/ipblocks/data/countries/$zone.zone
+
+ if [[ -f $zone.zone ]]; then
+
+ name=`isoquery $zone|cut -f4-`
+ modified=`stat -c '%y' $zone.zone`
+
+ firewall-cmd --permanent --new-ipset=ipdeny-$zone-zone --type=hash:net
+ firewall-cmd --permanent --ipset=ipdeny-$zone-zone --set-short=$zone.zone
+ firewall-cmd --permanent --ipset=ipdeny-$zone-zone --set-description="$name IPs from ipdeny.com updated $modified"
+ firewall-cmd --permanent --ipset=ipdeny-$zone-zone --add-entries-from-file=/usr/local/src/$zone.zone
+ firewall-cmd --permanent --zone=drop --add-source=ipset:ipdeny-$zone-zone
+ firewall-cmd --reload
+
+ fi
+
+fi
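Review bot: `zone` is taken straight from `$1` and spliced, unquoted, into the wget URL, the file paths under /usr/local/src and the ipset names, with no check that it is the two-letter country code the header comment promises, so a value containing `/`, `..` or whitespace reaches all of those. Validate it right after the `-n` test, e.g. `[[ $zone =~ ^[a-z]{2}$ ]] || { echo "zone must be a 2-letter country code" >&2; exit 1; }`, and quote every later `$zone` expansion. Failures of `cd` and `wget` are also silently ignored and the six `firewall-cmd` calls run unconditionally, so a partially failed sequence still ends in `--reload`; `set -euo pipefail` at the top (or `|| exit 1` on each call) would stop at the first error. The backtick substitutions on the `name=` and `modified=` lines would read better as `$(...)`, and the `echo "zone not set"` diagnostic belongs on stderr.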