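#!/bin/bash
#
# Build a firewalld ipset from the ipdeny.com IP block list for one country
# and attach that ipset as a source of the "drop" zone.
#
# Usage: <script> <zone>
#   zone - two-letter country code (ISO 3166-1 alpha-2), e.g. "de"
#
# Requires: wget, isoquery, stat, mktemp and firewall-cmd, run with enough
# privilege for firewall-cmd --permanent changes. Exits non-zero when the
# argument is missing or malformed, the download fails, or firewall-cmd fails.
set -euo pipefail

# Directory the .zone list is downloaded into; firewall-cmd reads it from here.
readonly src_dir=/usr/local/src

# Print a message to stderr and stop.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Zone (2 letter country code) should be first arg
zone=${1:-}
[[ -n "$zone" ]] || die "zone not set"
# The code is spliced into a URL, file names and the ipset name, so only
# accept the exact shape of a country code; this rejects path components,
# whitespace and option-looking values before they reach any command.
[[ "$zone" =~ ^[A-Za-z]{2}$ ]] \
  || die "zone must be a two-letter country code, got '$zone'"

readonly ipset_name="ipdeny-${zone}-zone"
readonly ipset_xml="/etc/firewalld/ipsets/${ipset_name}.xml"
readonly zone_file="${src_dir}/${zone}.zone"
readonly zone_url="https://www.ipdeny.com/ipblocks/data/countries/${zone}.zone"

if [[ -f "$ipset_xml" ]]; then
  echo "IPSet file for zone $zone already exists."
  exit 0
fi

cd -- "$src_dir" || die "cannot cd to $src_dir"

# Download into a temp file and rename only on success: a bare wget would
# fall back to "<zone>.zone.1" when a stale list is already present, and the
# stale file would then be loaded instead of the new one.
tmp=$(mktemp -- "${zone_file}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
wget -O "$tmp" -- "$zone_url" || die "download of ${zone}.zone failed"
[[ -s "$tmp" ]] || die "downloaded ${zone}.zone is empty"
mv -f -- "$tmp" "$zone_file"

# Human-readable country name for the ipset description; isoquery prints
# tab-separated fields and the name is everything from the fourth field on.
name=$(isoquery "$zone" | cut -f4-) || die "isoquery does not know zone $zone"
modified=$(stat -c '%y' -- "$zone_file")

firewall-cmd --permanent --new-ipset="$ipset_name" --type=hash:net
firewall-cmd --permanent --ipset="$ipset_name" --set-short="${zone}.zone"
firewall-cmd --permanent --ipset="$ipset_name" \
  --set-description="$name IPs from ipdeny.com updated $modified"
firewall-cmd --permanent --ipset="$ipset_name" \
  --add-entries-from-file="$zone_file"
# Everything in the list is dropped: the ipset becomes a source of the drop zone.
firewall-cmd --permanent --zone=drop --add-source="ipset:${ipset_name}"
firewall-cmd --reload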