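#!/bin/bash
#
# Refresh the firewall's IPv4 blocklists.
#
# Downloads several public ban lists, loads each one into an ipset of the
# same name, and makes sure iptables sends INPUT packets from any listed
# address to a LOGGING chain that rate-limits a kernel log line and DROPs.
#
# CRON Entry every 10 minutes
# */10 * * * * /bin/bash /IPBlockLists/run.sh >>/IPBlockLists/update.log 2>&1
#
# Requirements: root (iptables/ipset), wget, GNU grep (-P). Working files
# (one per list, plus the transient "block_new" restore file) are written
# next to the script; the cron redirection above is the log.

set -u

# Absolute paths throughout: cron's default PATH typically does not include
# /sbin, so a bare "iptables"/"ipset" may fail there (and with its stderr
# discarded, silently).
readonly IPTABLES=/sbin/iptables
readonly IPSET=/sbin/ipset

# Lines that start with a dotted quad (comment and header lines drop out).
readonly IPV4_LINE='^\d+\.\d+\.\d+\.\d+'
# One complete IPv4 address or CIDR network and nothing else; every entry is
# checked against this before it is written into the ipset restore file.
readonly IPV4_OR_CIDR='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
# Entries beginning with these literal prefixes are never blocked (bogon and
# private networks that some lists carry verbatim). Note this excludes only
# the exact prefixes, not the whole private ranges: e.g. 192.168.1.0/24
# would still be loaded.
readonly EXCLUDED_PREFIXES='^169\.254\.0\.0|^0\.0\.0\.0|^10\.0\.0\.0|^172\.16\.0\.0|^192\.168\.0\.0|^127\.0\.0\.0'
# Capacity of each hash:net ipset.
readonly MAXELEM=300000

#######################################
# Ensure the LOGGING chain exists and holds, in order, a rate-limited LOG
# rule and a DROP rule. Idempotent: each rule is inserted only when no
# matching rule (-C) is already present.
# Globals:   IPTABLES
# Arguments: none
# Returns:   status of the last iptables command
#######################################
configure_logging() {
  local -a log_rule=(
    -m limit --limit 10/min
    -j LOG --log-prefix IPTables-Drop: --log-level 7
  )

  # -N fails harmlessly when the chain already exists.
  "$IPTABLES" -N LOGGING 2>/dev/null
  # -C reports "Bad rule" on stderr when the rule is absent; silence both
  # streams (stdout first, then stderr onto it — the reverse order would
  # send the noise into the cron log).
  "$IPTABLES" -C LOGGING "${log_rule[@]}" >/dev/null 2>&1 \
    || "$IPTABLES" -I LOGGING 1 "${log_rule[@]}"
  "$IPTABLES" -C LOGGING -j DROP >/dev/null 2>&1 \
    || "$IPTABLES" -I LOGGING 2 -j DROP
}

#######################################
# Fetch a URL and keep only the lines that begin with an IPv4 address.
# Globals:   IPV4_LINE
# Arguments: $1 - URL
# Outputs:   filtered lines on stdout
# Returns:   grep's status (1 when nothing matched, e.g. a failed download)
#######################################
fetch_ipv4_lines() {
  wget -qO- "$1" | grep -P "$IPV4_LINE"
}

#######################################
# Download every source list into a file of the same name in the current
# directory. A failed download leaves an empty file, which load_blocklist
# treats as "keep the current ipset".
# Arguments: none
#######################################
download_lists() {
  fetch_ipv4_lines https://www.binarydefense.com/banlist.txt > binarydefense
  fetch_ipv4_lines https://check.torproject.org/torbulkexitlist > torbulkexitlist
  fetch_ipv4_lines https://talosintelligence.com/documents/ip-blacklist > talosintel
  fetch_ipv4_lines https://iplists.firehol.org/files/firehol_level1.netset > firehol
  # ipsum lines carry extra fields after the address; keep only the first.
  fetch_ipv4_lines https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt \
    | awk '{print $1}' > stamparm
}

#######################################
# Build a fresh ipset from one downloaded list and swap it in for the live
# set of the same name. Also ensures the INPUT rule that diverts matches
# to LOGGING exists.
# Globals:   IPSET, IPTABLES, IPV4_LINE, IPV4_OR_CIDR, EXCLUDED_PREFIXES,
#            MAXELEM
# Arguments: $1 - list name (also the file name and the ipset name)
# Outputs:   progress lines on stdout, failures on stderr
# Returns:   0 when the set was refreshed or the list was skipped;
#            1 when ipset restore failed and the current set was kept
#######################################
load_blocklist() {
  local blocklist=$1
  local -a match_rule=(-m set --match-set "$blocklist" src -j LOGGING)
  local entry _rest

  echo "$blocklist"
  echo "- Test and make sure $blocklist download worked"
  # No IPv4 lines at all means the download failed: leave the live set as is.
  grep -qP "$IPV4_LINE" "$blocklist" || return 0
  # Exclude CIDR networks
  # grep -qP '^\d+\.\d+\.\d+\.\d+$' "$blocklist" || return 0

  echo "- Create the $blocklist and block_new ipsets"
  "$IPSET" destroy block_new 2>/dev/null
  # Fails harmlessly when the live set already exists.
  "$IPSET" create "$blocklist" hash:net maxelem "$MAXELEM" 2>/dev/null
  echo "create block_new hash:net family inet maxelem $MAXELEM" > block_new

  echo "- Either the iptables rule exists OR we create it"
  "$IPTABLES" -C INPUT "${match_rule[@]}" >/dev/null 2>&1 \
    || "$IPTABLES" -I INPUT 1 "${match_rule[@]}"

  echo "- Add all our IPs to block_new temporary ipset"
  # Only the first field of each line is used, and it must be a complete
  # IPv4 address or CIDR: a malformed entry would make "ipset restore"
  # abort on that line ("-!" only tolerates entries that already exist).
  while read -r entry _rest; do
    entry=${entry%$'\r'}   # tolerate CRLF lists
    [[ $entry =~ $IPV4_OR_CIDR ]] || continue
    echo "add block_new $entry -!"
  done < <(grep -vP "$EXCLUDED_PREFIXES" "$blocklist" | LC_ALL=C sort -u) >> block_new

  echo "- Load block_new file to ipset"
  if ! "$IPSET" restore < block_new; then
    # A partially filled block_new must not replace the live set.
    echo "- ipset restore failed for $blocklist; keeping the current set" >&2
    "$IPSET" destroy block_new 2>/dev/null
    return 1
  fi

  echo "- Swap $blocklist with block_new and delete block_new"
  "$IPSET" swap "$blocklist" block_new
  sleep 1   # brief grace period before the swapped-out set is destroyed
  "$IPSET" destroy block_new
}

#######################################
# Entry point: run from the script's own directory, set up logging,
# download the lists and refresh every ipset in turn.
# Arguments: ignored
#######################################
main() {
  local blocklist

  # Work next to the script so the list files and block_new land in one
  # place; refusing to continue avoids scattering them in cron's cwd.
  cd "$(readlink -f "$(dirname "$0")")" || exit 1

  echo
  echo ===================================
  date
  echo ===================================
  echo "CONFIGURING LOGGING"
  configure_logging

  # Quoted: an unquoted "***" is a glob against the working directory.
  echo "***Downloading blocklist/banlist files from the Internet"
  download_lists

  echo "Cycling through blocklists/banlists"
  for blocklist in firehol stamparm binarydefense talosintel torbulkexitlist; do
    load_blocklist "$blocklist"
  done
}

main "$@"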