@mohammedhanine
Last active October 3, 2021 13:12
firewall iptables OVH by country
#!/bin/bash
# Whitelist firewall for an OVH server: accept inbound traffic only from the
# listed countries (ipdeny.com zone files), plus SSH, rate-limited ping and
# the OVH monitoring hosts. Everything else inbound is dropped by policy.

# Authorized countries (lowercase ISO 3166-1 alpha-2 codes, as ipdeny names its files)
ISO="es ma"

### PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### Folder to save the zone files ###
ZONEROOT="/tmp/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# SSH listens on a non-default port in this setup
SSH_PORT=2225

# Create the download directory
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"

# Clean any existing rule, user-defined chain and counter in the filter table
$IPT -F
$IPT -X
$IPT -Z

# Default policies: drop everything inbound that no rule below accepts
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# Loopback traffic (matched on the interface rather than on 127.0.0.1, so that
# connections to the host's own public address over lo are not dropped)
$IPT -A INPUT -i lo -j ACCEPT

# Replies to connections the host initiated itself
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH: note that this rule accepts from any source, it is not restricted to $ISO
$IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

# Enable ping, rate limited to one echo request per second
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

# Authorize ICMP from the OVH monitoring servers. Hostnames are resolved once,
# when the rule is inserted, so DNS must be working at this point.
# aaa.bbb.ccc.250 and .251 are placeholders kept from the original gist;
# replace them with the real addresses before using the script.
$IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source aaa.bbb.ccc.250 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source aaa.bbb.ccc.251 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT

# One ACCEPT rule per prefix of every authorized country
for c in $ISO
do
    # local zone file
    tDB="$ZONEROOT/$c.zone"
    # get a fresh zone file; skip the country if the download fails rather than
    # feeding an empty or stale file to iptables
    if ! $WGET -q -O "$tDB" "$DLROOT/$c.zone"; then
        echo "warning: could not download $c.zone, country $c not whitelisted" >&2
        continue
    fi
    # prefixes: every line that is neither a comment nor blank
    GOODIPS=$($EGREP -v "^#|^$" "$tDB")
    for ipblock in $GOODIPS
    do
        $IPT -A INPUT -s "$ipblock" -j ACCEPT
    done
done

# Additional allowed network kept from the original gist
$IPT -A INPUT -s 54.171.127.192/26 -j ACCEPT
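The script hands every non-comment line of the downloaded zone file straight to `iptables -s`, so a malformed or unexpected entry (a `0.0.0.0/0`, a hostname, an option string) would widen the whitelist unnoticed. As an added example that is not part of the gist, a POSIX sh check that accepts only well-formed IPv4 prefixes; the function names and the sample zone lines are constructed for illustration.

```shell
# Added example (not part of the original gist): validate each entry of an
# ipdeny zone file before it reaches "iptables -A INPUT -s ...". IPv4 only,
# like the gist itself.

# valid_cidr PREFIX: succeed only for a.b.c.d/n with octets 0-255 and n 1-32.
valid_cidr() {
    cidr=$1
    # only digits, dots and a single slash; this also keeps globs out of "set --"
    case $cidr in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    ip=${cidr%/*}
    plen=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1          # there must be a slash
    # prefix length 1..32; a /0 would whitelist the whole Internet
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -ge 1 ] && [ "$plen" -le 32 ] || return 1
    # exactly four non-empty dotted octets (a trailing dot would vanish in
    # field splitting, so it is rejected explicitly)
    case $ip in .*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# filter_zone: read zone-file lines on stdin, print the well-formed prefixes,
# report every rejected line on stderr and return 1 if any was rejected.
filter_zone() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # same skip as the gist's egrep
        if valid_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected zone entry: %s\n' "$line" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample zone file: only the first two entries must survive.
SAMPLE='# ipdeny sample
213.0.0.0/16
85.48.0.0/13
0.0.0.0/0
evil.example/24
-j ACCEPT'
printf '%s\n' "$SAMPLE" | filter_zone || echo "zone file contained rejected entries" >&2
```

In the gist's loop, `filter_zone < "$tDB"` would replace the `egrep -v` step, and a non-zero return is the signal to skip that country rather than load a partial list.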