ipset-country

#!/bin/sh
# ipset-country (v20200927)
# =========================

# Block or allow countries using iptables, ipset and ipdeny.com
# Also works with ipverse.com and other providers

# INSTALLATION:
# -------------

# - Setup firewall if you have not done so yet, at least INPUT chain is needed
# - Run this script from cron, e.g. /etc/cron.daily
# - To run on boot you can also add it to e.g. /etc/rc.local or systemd
# - Use argument "force" to load unchanged zonefiles instead of skipping

# NOTE: This script will insert an iptables REJECT or DROP rule for ipset,
# make sure you do not lock yourself out in case of issues on a remote system

# CONFIGURATION:
# --------------

# OS: "auto", "manual", "debian", "suse" or "redhat" (default is auto)
# Manual example: confdir="/etc/iptables", rulesfile="${confdir}/myrules"

DISTRO="auto"

# Specify countries to block as 'ISOCODE,Name' (same as ipdeny.com)
# Multiple entries should be seperated by semicolon
# Example: "CN,China; US,United States; RU,Russia"

COUNTRY="CN,China; RU,Russia"

# ---[ FIREWALLS AND OPTIONS  ]-------------------------------------------------
# Iptables and ipset are used by default to create the chains, rules and ipsets
# Firewalld can be enabled to use firewalld-cmd frontend
# UFW is an unsupported and untested frontend, but might work
# Nftables can be used with firewalld, default is to use iptables-legacy
# Blacklist: block specified Countries, set MODE to "reject" or "drop"
# Whitelist: allow specified Countries and block all others, set "accept"

# Iptables
MODE="reject" # Set target to use when ip matches country [accept|drop|reject]
RESTORE=0     # Run iptables-restore first, before adding rules [0/1]
LOGIPS=1      # Create logips chain to log matches [0/1]

# FirewallD
FIREWALLD=0       # Use firewalld instead [0/1]
FIREWALLD_MODE=0  # Set 0 for default Blacklist (drop), or 1 to Whitelist [0/1]
FIREWALLD_RH8=0   # Enable firewalld on CentOS/RHEL 8, at your own risk [0/1]

# UFW
UFW=0 # Set to 1 to use iptables besides ufw, at your own risk [0/1]

# ---[ BLOCK LIST PROVIDERS ]---------------------------------------------------
# IPdeny: "http://www.ipdeny.com/ipblocks/data/aggregated" (aggregated ipv4)
#         "http://www.ipdeny.com/ipv6/ipaddresses/blocks" (ipv6)
#         "http://www.ipdeny.com/ipblocks/data/countries" (full ipv4)
# IPverse: "http://ipverse.net/ipblocks/data/countries"
# Others: should work if they offer (iso) country zonefiles with CIDR's
# Notes: - the "aggregated" zonefiles are smaller in size
#        - ipdeny has no md5sums for aggregated ipv6 zonefiles
#        - ipverse does not offer md5sums at all (this autosets MD5CHECK=0)
# comment ipdeny lines and uncomment line below to use ipverse instead:
# IPBLOCK_URL="http://ipverse.net/ipblocks/data/countries"

IPBLOCK_URL_V4="http://www.ipdeny.com/ipblocks/data/aggregated"
IPBLOCK_URL_V6="http://www.ipdeny.com/ipv6/ipaddresses/blocks"
IPV4=1      # Use ipv4, ipv6 or both
IPV6=0      # For ipv6 also set IPBLOCK_URL_V6 [0/1]
MD5CHECK=1  # Check zonefile md5sums [0/1]
FORCE=0     # Run even if zonefile is unchanged [0/1]
            # same as running './ipset-country force'
FLUSH=0     # Flush ipset before adding zonefile [0/1]
            # this will take care of removed ranges

# Log to file, or to disable logging use: "/dev/null 2>&1"
LOG="/var/log/ipset-country.log"
# Level, see below and man syslog [0-7]
# ( 0=emerg 1=alert crit=2 3=err 4=warning 5=notice 6=info 7=debug )
LOGLVL=6

# END OF CONFIG
# -------------

# Commands and script variables
# ipset cmds  : ipset list | test setname <ip> | flush | destroy
# rc ipset    : ips_a = ipset add, ips_c = create, ips_f = protocol family
# rc iptables : ipt_i = insert rule, ipt_t = rule target, ipt_n = new chain
#               ipt_l = log rule, ipt_r = restore
# executables : ipt = ipt{,6}tables, iptrestore = ip{,6}tables-restore
#               iptsave = ip{,6}tables-save

scriptname="$( basename "$0" )"
basefile="$(basename -s '.sh' "$0")"

# arg '-c' config file
SAVE_IFS="$IFS"
IFS='|'; c=0
for i in "$@"; do
  if printf -- "%s" "$i" | grep -Eq -- "\-c"; then
    c=1
    continue
  else
    if [ "$c" -eq 1 ]; then
      if printf -- "%s" "$i" | grep -Eq -- "\-"; then
        echo "Error: config file not specfied, try \"$scriptname -h\""
        exit 1
      fi
      scriptconf="$i"
      if [ ! -s "$scriptconf" ]; then
        echo "Error: invalid config file \"$scriptconf\" specified"
        exit 1
      fi
      break
    fi
  fi
done
IFS="$SAVE_IFS"
# if scriptconf is empty, check for {/usr/local,}/etc/ipset-country.conf and in same dir as script
if [ -z "$scriptconf" ]; then
  sc="$(dirname "$0")/${basefile}.conf"
  for i in "/usr/local/etc/ipset-country.conf" "/etc/ipset-country.conf" "$sc"; do
    if [ -e "$i" ]; then
      scriptconf="$i"
      break
    fi
  done
fi
unset i
# make sure we dont source ourselves
if [ "$scriptconf" = "$0" ]; then
  echo "Error: invalid config file \"$scriptconf\" specified"
  exit 1
fi
# source scriptconf if its non empty, else exit
if [ -n "$scriptconf" ] && [ -s "$scriptconf" ]; then
  # shellcheck source=/usr/local/etc/ipset-country.conf
  . "$scriptconf" || { echo "Error: could not load $scriptconf"; exit 1; }
fi

iptr_run=0
ip6r_run=0
logips_run=0
logip6_run=0

nl='
'
SAVE_LOG="$LOG"

func_msg() {
  msg="$*"; eol="$nl"; tee=0
  if echo "$msg" | grep -q '^m:'; then
    # shellcheck disable=SC2048
    for i in $*; do
      # set output "mode"
      case $i in
        m:logfile) LOG="$SAVE_LOG" ;;
        m:stdout) tee=0; LOG="/dev/stdout";  ;;
        m:tee) tee=1 ;;
        m:nonl) eol=" " ;;
      esac
    done
    msg="$( echo "$msg" | sed -E 's/m:(nonl|stdout|tee) //g' )"
  fi
  if [ "$tee" -eq 1 ]; then
    printf "%s %s%s" "$( date +%F\ %T )" "$msg" "$eol" | tee -a "$LOG"
  else
    printf "%s %s%s" "$( date +%F\ %T )" "$msg" "$eol" >> $LOG
  fi
}

func_dist_auto() {
  if [ -s /etc/os-release ]; then
    if grep -iq "debian\\|ubuntu" /etc/os-release; then DISTRO="debian"
    elif grep -iq "centos\\|fedora\\|rhel" /etc/os-release; then DISTRO="redhat"
    elif grep -iq "suse" /etc/os-release; then DISTRO="suse"
    fi
  else
    [ -s /etc/debian_version ] && DISTRO="debian"
    [ -s /etc/redhat-release ] && DISTRO="redhat"
    [ -s /etc/SuSE-release ] && DISTRO="suse"
  fi
}

# set iptables and other vars
func_vars() {
  confdir="/etc"
  if [ "$proto" = "ipv6" ]; then
    ipt="ip6"
    ips_f="inet6"
    rj="icmp6-port-unreachable"
    case $DISTRO in
      debian)
        rulesfile="/etc/ip6tables.up.rules"
        [ -d "/etc/iptables" ] && confdir="/etc/iptables"
        [ -f "${confdir}/rules.v6" ] && rulesfile="${confdir}/rules.v6"
        ;;
      redhat|suse)
        confdir="/etc/sysconfig"
        rulesfile="${confdir}/ip6tables"
        ;;
    esac
  else
    ipt="ip"
    ips_f="inet"
    rj="icmp-port-unreachable"
    case $DISTRO in
      debian)
          rulesfile="/etc/iptables.up.rules"
          [ -d "/etc/iptables" ] && confdir="/etc/iptables"
          [ -f "${confdir}/rules.v4" ] && rulesfile="${confdir}/rules.v4"
          ;;
      redhat|suse)
          confdir="/etc/sysconfig"
          rulesfile="${confdir}/iptables"
          ;;
    esac
  fi
  if [ -x "/usr/sbin/${ipt}tables-legacy" ]; then
    iptables="/usr/sbin/${ipt}tables-legacy"
    iptrestore="/usr/sbin/${ipt}tables-legacy-restore"
    iptsave="/usr/sbin/${ipt}tables-legacy-save"
  else
    iptables="/sbin/${ipt}tables"
    iptrestore="/sbin/${ipt}tables-restore"
    iptsave="/sbin/${ipt}tables-save"
  fi
  if [ "$DISTRO" = "suse" ] ; then
    iptables="/usr${iptables}"
    iptrestore="/usr${iptrestore}"
    iptsave="/usr${iptsave}"
  fi
  if [ "$FIREWALLD" -eq 1 ]; then
    frontend="firewalld"
    if [ "$DISTRO" = "redhat" ] && [ "$FIREWALLD_RH8" -ne 1 ]; then
      if grep -Eiq "red hat enterprise linux 8.0|centos linux 8" /etc/os-release; then
        echo
        echo "WARNING: There are issues with firewalld on CentOS/RHEL 8 which can cause"
        echo "         your firewall to break resulting in being locked out."
        echo "         Adding large ipsets apparently can takes a VERY long time. To abort you need"
        echo "         remote console access and run 'pkill firewal-cmd; nft flush ruleset'"
        echo "         Set FIREWALLD_RH8=1 to disable this message"
        echo
        printf "Press any key to quit or 'Y' then [ENTER] to continue "
        read -r a
        if ! echo "$a" | grep -iq y; then exit 1; fi
        FIREWALLD_RH8=1
        func_msg m:stdout "continuing..."
      fi
    fi
  else
    frontend="${ipt}tables"
    if [ "$RESTORE" -eq 1 ] && [ ! -f "$rulesfile" ]; then
      func_msg m:stdout "could not find iptables rules file \"${rulesfile}\""
      exit 1
    fi
  fi
}

# download zonefile and get md5sum if enabled
func_zf() {
  zonefile="${ctyiso}.zone"
  if echo "$url" | grep -iq "ipdeny\.com"; then
    if echo "$url" | grep -q "aggregated"; then
      zonefile="${ctyiso}-aggregated.zone"
      if [ "$proto" = "ipv6" ]; then
        MD5CHECK=0
      fi
    fi
  fi
  zoneurl="$zonefile"
  if echo "$url" | grep -iq "ipverse\.net"; then
    MD5CHECK=0
    if [ "$proto" = "ipv6" ]; then
      zoneurl="${ctyiso}-ipv6.zone"
    fi
  fi
  $getfile "/tmp/${proto}-${zonefile}.$$" "${url}/${zoneurl}"
  # check downloaded zonefile against MD5SUM
  if [ "$MD5CHECK" -eq 1 ]; then
    md5src="$( $getfile - "$url/MD5SUM" | grep "$zonefile" | cut -d" " -f 1 )"
  fi
  # check if zonefile is the same as current
  md5chk="$( md5sum "/tmp/${proto}-${zonefile}.$$" | cut -d" " -f 1 )"
  if [ -f "${confdir}/${proto}-${zonefile}" ]; then
    md5cur="$( md5sum "${confdir}/${proto}-${zonefile}" 2>/dev/null | cut -d" " -f 1 )"
    if [ -z "$md5cur" ] || [ "$md5cur" = "" ]; then
       zf="NOK: md5"
    fi
  fi
  if [ "$md5cur" != "$md5chk" ]; then
    mv "/tmp/${proto}-${zonefile}.$$" "${confdir}/${proto}-${zonefile}" && \
      zf="OK" || zf="NOK"
  else
    if [ "$FORCE" -ne 1 ]; then zf="SKIP"; else zf="FORCE"; fi
  fi
  func_msg "zonefile: get \"${proto}-${zonefile}\" - $zf"
}

# restore iptables, once
func_ipt_res() {
  if { [ "$proto" = "ipv4" ] && [ "$iptr_run" -ne 1 ]; } ||
     { [ "$proto" = "ipv6" ] && [ "$ip6r_run" -ne 1 ]; }
  then
    $iptrestore < "$rulesfile" && ipt_r="OK" || ipt_r="NOK"
    func_msg "$frontend: restore - $ipt_r"
    [ "$proto" = "ipv4" ] && iptr_run=1
    [ "$proto" = "ipv6" ] && ip6r_run=1
  fi
}

# check if logips chain and rules already exist, else create them - once
func_ipt_log() {
  ipt_q=0
  if { [ "$proto" = "ipv4" ] && [ "$logips_run" -ne 1 ]; } ||
     { [ "$proto" = "ipv6" ] && [ "$logip6_run" -ne 1 ]; }
  then
    if ! $iptsave | grep -q "LOGIPS"; then
      $iptables -N LOGIPS && ipt_n="OK" || ipt_n="NOK"
    else
      ipt_n="already exists"
    fi
    if ! $iptsave | grep -q "LOGIPS.*LOG"; then
      $iptables -A LOGIPS -m limit --limit 10/min -j LOG --log-prefix "IPS: " --log-level $LOGLVL && \
        ipt_l="OK" || ipt_l="NOK"
    else
      ipt_l="already exists"
    fi
    case "$MODE" in
      accept)
        if ! $iptsave | grep -q "LOGIPS.*REJECT"; then
          if ! $iptsave | grep -q "LOGIPS.*DROP"; then
            if ! $iptsave | grep -q "LOGIPS.*ACCEPT"; then
              $iptables -A LOGIPS -j ACCEPT && ipt_t="OK" || ipt_t="NOK"
            else ipt_t="ACCEPT already exists"; fi
          else ipt_t="DROP already exists, remove it first"; ipt_q=1; fi
        else ipt_t="REJECT already exists, remove it first"; ipt_q=1; fi
      ;;
      drop)
        if ! $iptsave | grep -q "LOGIPS.*REJECT"; then
          if ! $iptsave | grep -q "LOGIPS.*DROP"; then
            $iptables -A LOGIPS -j DROP && ipt_t="OK" || ipt_t="NOK"
          else ipt_t="DROP already exists"; fi
        else ipt_t="REJECT already exists, remove it first"; ipt_q=1; fi
      ;;
      reject|*)
        if ! $iptsave | grep -q "LOGIPS.*DROP"; then
          if ! $iptsave | grep -q "LOGIPS.*REJECT"; then
            $iptables -A LOGIPS -j REJECT --reject-with "$rj" && ipt_t="OK" || ipt_t="NOK"
          else ipt_t="REJECT already exists"; fi
        else ipt_t="DROP already exists, remove it first"; ipt_q=1; fi
      ;;
    esac
    func_msg "$frontend: create log chain - $ipt_n"
    func_msg "$frontend: append log rule - $ipt_l"
    func_msg "$frontend: append $MODE rule - $ipt_t"
    [ "$ipt_q" -ne 0 ] && { func_msg m:stdout "exiting..."; exit 1; }
    [ "$proto" = "ipv4" ] && logips_run=1
    [ "$proto" = "ipv6" ] && logip6_run=1
  fi
}

# add ipset deny rule at last line in input chain or line number 1
func_ipt_deny() {
  rulenum=$(( $(${iptables} -S INPUT 2>/dev/null|wc -l) - 1 )) || rulenum=1
  # alternative method, slower:
  # rulenum="$(( $(${iptables} -L INPUT --line-numbers | tail -1 | awk '{print $1}') - 1 ))"
  [ "$rulenum" -eq 0 ] && rulenum=1
  if $iptsave | grep -q "match-set.*${proto}-${ctyname}.*LOGIPS"; then
    ipt_i="already exists"
  else
    $iptables -I INPUT "$rulenum" -p tcp -m set --match-set "${proto}-${ctyname}" src -j LOGIPS && \
      ipt_i="OK" || ipt_i="NOK"
  fi
  # if logips chain does not exist - because logips=0 or previous cmds failed - insert ipset block rule
  if ! $iptsave | grep -q "\\-A LOGIPS" || test $LOGIPS -eq 0; then
    if [ "$MODE" = "reject" ]; then
      # also check if ipset rule doesnt exist
      if $iptsave | grep -q "match-set.*${proto}-${ctyname}.*REJECT"; then
        ipt_i="already exists"
      else
        $iptables -I INPUT "$rulenum" -p tcp -m set --match-set "${proto}-${ctyname}" src -j REJECT --reject-with "$rj" && \
          ipt_i="OK" || ipt_i="NOK"
      fi
    elif [ "$MODE" = "drop" ]; then
      if $iptsave | grep -q "match-set.*${proto}-${ctyname}.*DROP"; then
        ipt_i="already exists"
      else
        $iptables -I INPUT "$rulenum" -p tcp -m set --match-set "${proto}-${ctyname}" src -j DROP && \
          ipt_i="OK" || ipt_i="NOK"
      fi
    fi
  fi
  func_msg "$frontend: insert ipset deny rule - $ipt_i"
}

# add ipset allow rule
func_ipt_allow() {
  rulenum=1
  if $iptsave | grep -q "match-set.*${proto}-${ctyname}.*LOGIPS"; then
    ipt_i="already exists"
  else
    $iptables -I INPUT "$rulenum" -p tcp -m set --match-set "${proto}-${ctyname}" src -j LOGIPS && \
      ipt_i="OK" || ipt_i="NOK"
  fi
  # if logips chain does not exist - because logips=0 or previous cmds failed - insert ipset block rule
  if ! $iptsave | grep -q "\\-A LOGIPS" || test $LOGIPS -eq 0; then
    if $iptsave | grep -q "match-set.*${proto}-${ctyname}.*ACCEPT"; then
      ipt_i="already exists"
    else
      $iptables -I INPUT "$rulenum" -p tcp -m set --match-set "${proto}-${ctyname}" src -j ACCEPT && \
        ipt_i="OK" || ipt_i="NOK"
    fi
  fi
  func_msg "$frontend: insert ipset allow rule - $ipt_i"
}

# create ipset using type hash
func_ips_create() {
  { ipset list -terse "${proto}-${ctyname}" >/dev/null 2>&1 || ipset create "${proto}-${ctyname}" hash:net family ${ips_f}; } && \
    ips_c="OK" || ips_c="NOK"
  func_msg "ipset: create set \"${proto}-$ctyname\" - $ips_c"
}

# add blocks to ipset
func_ips_add() {
  [ "$FLUSH" -eq 1 ] && ipset flush "${proto}-${ctyname}"
  i=0; while read -r cidr; do
    ipset -A -exist -quiet "${proto}-${ctyname}" "$cidr" && i=$((i+1)) || echo "NOK: \"${proto}-${ctyname}\" - $i - $cidr"
  done < "${confdir}/${proto}-${zonefile}" >/dev/null 2>&1 && ips_a="OK" || ips_a="NOK"
  [ "$i" -eq 0 ] && ips_a="NOK"
  func_msg "ipset: add \"${proto}-${zonefile}\" to \"${proto}-${ctyname}\" - $ips_a - $i entries"
}

func_firewalld_ips() {
  if ! $firewallcmd --get-ipsets | grep -q "${proto}-${ctyname}"; then
    func_msg m:nonl "$frontend: new ipset \"${proto}-${ctyname}\" -"
    $firewallcmd --permanent --new-ipset="${proto}-${ctyname}" --type=hash:net --option=family="${ips_f}" >>"$LOG" 2>&1
  fi
  func_msg m:nonl "$frontend: add to ipset -"
  $firewallcmd --permanent --ipset="${proto}-${ctyname}" --add-entries-from-file="${confdir}/${proto}-${zonefile}" >>"$LOG" 2>&1 && { \
    i="$( ipset -terse list "${proto}-${ctyname}" | awk 'END { print $NF }' )"
    func_msg "ipset: add \"${proto}-${zonefile}\" to \"${proto}-${ctyname}\" - $i entries"
  }
}

func_firewalld_drop() {
  if ! $firewallcmd --zone=drop --list-sources | grep -q "${proto}-${ctyname}"; then
    func_msg m:nonl m:tee "$frontend: add source to drop zone -"
    { $firewallcmd --permanent --zone=drop --add-source="ipset:${proto}-${ctyname}" && echo; } >>"$LOG" 2>&1
  fi
}

func_firewalld_public() {
  if ! $firewallcmd --zone=public --list-sources | grep -q "${proto}-${ctyname}"; then
    func_msg m:nonl m:tee "$frontend: add source to public zone -"
    { $firewallcmd --permanent --zone=public --add-source="ipset:${proto}-${ctyname}" && echo; } >>"$LOG" 2>&1
  fi
}

# arg "-i" installs systemd service
if printf -- "%s" "$*" | grep -Eq -- "\-i"; then
  if [ ! -d /run/systemd/system ]; then
    echo "ERROR: systemd not found"
    exit 1
  fi
  if [ -e /lib/systemd/system/ipset-country.service ]; then
    echo "ERROR: systemd service already exists"
    exit 1
  fi
  cat <<-_EOF_ > /lib/systemd/system/ipset-country.service
[Unit]
Description=ipset-country

[Service]
Type=oneshot
ExecStart=$(dirname "$(readlink -f "$0")")/$scriptname
StandardError=file:/var/log/ipset-country.err
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
_EOF_
  cat <<-_EOF_ > /lib/systemd/system/ipset-country.timer
Description=ipset-country daily timer

[Timer]
OnBootSec=2min
OnCalendar=daily

[Install]
WantedBy=timers.target
_EOF_
  # shellcheck disable=SC2015
  systemctl daemon-reload && \
  systemctl enable --now ipset-country.timer || \
    { echo "ERROR: could not start systemd timer"; exit 1; }
  echo "Systemd service and timer 'ipset-country' installed"
  exit
fi

# arg "-u" uninstalls systemd service
if printf -- "%s" "$*" | grep -Eq -- "\-u"; then
  systemctl stop ipset-country
  systemctl stop ipset-country.timer
  systemctl disable ipset-country
  systemctl disable ipset-country.timer
  rm /lib/systemd/system/ipset-country.service
  rm /lib/systemd/system/ipset-country.timer
  systemctl daemon-reload
  systemctl reset-failed
  exit
fi

# preflight checks

if printf -- "%s" "$*" | grep -Eq -- "\-h|help"; then
  echo""
  echo "./$scriptname [-c </path/to/conf>|-i|-u|-f]"
  echo
  echo "  -c  specify config file"
  echo "  -i  install systemd service and timer"
  echo "  -u  uninstall from systemd"
  echo "  -f  force loading unchanged zonefiles"
  echo
  echo "See comments in script and README.md for details"
  echo
  exit 0
fi
if [ "$( id -u )" -ne 0 ]; then
  echo "Script \"$scriptname\" needs root to run"
  exit 1
fi
if [ "$UFW" -ne 1 ]; then
  # shellcheck disable=SC2230
  if which ufw >/dev/null 2>&1; then
    if ufw status | grep -q "Status: active"; then
      echo "UFW is not supported, disable it first (or set UFW=1)"
      exit 1
    fi
  fi
fi
if printf -- "%s" "$*" | grep -Eiq -- "\-f|force"; then
  FORCE=1
fi
if [ ! -w "$( dirname "$LOG" )" ]; then
  echo "Log \"$LOG\" not writable, using \"/tmp/${basefile}.log\" instead"
  LOG="/tmp/${basefile}.log"
fi
if printf -- "%s" "$*" | grep -Eiq -- "debug"; then
  LOG=/dev/stdout
fi

[ "$DISTRO" = "auto" ] && func_dist_auto
func_vars

if [ "$FIREWALLD" -eq 1 ]; then
  # shellcheck disable=SC2230
  firewallcmd="$( which firewall-cmd 2>/dev/null )"
  test -x "$firewallcmd" && fwd_c="OK" || fwd_c="NOK - NOT FOUND"
  func_msg "$frontend: firewall-cmd - $fwd_c"
  if [ "$fwd_c" != "OK" ]; then
    func_msg m:stdout "try disabling option \"set FIREWALLD=0\", exiting..."
    exit 1
  fi
else
  if ! echo "$MODE" | grep -Eq "accept|drop|reject" ; then
    echo "invalid MODE setting"
    exit 1
  fi
  test -x "$iptables" && ipt_c="OK" || ipt_c="NOK - NOT FOUND"
  $iptables -n -L INPUT >/dev/null 2>&1 && ipt_p="OK" || ipt_p="OK"
  test -d "$confdir" && ipt_d="OK" || ipt_d="NOK - NOT FOUND"
  if [ "$ipt_c" != "OK" ] || [ "$ipt_p" != "OK" ];then
    func_msg m:tee "$frontend: $iptables ${ipt_c}, input chain: $ipt_p"
  fi
  if [ "$ipt_d" != "OK" ];then
    func_msg m:tee "$frontend: confdir $confdir - $ipt_d"
  fi
  if [ "$ipt_c" != "OK" ] || [ "$ipt_p" != "OK" ] || [ "$ipt_d" != "OK" ]; then
    func_msg m:tee "exiting..."
    exit 1
  fi
fi

# shellcheck disable=SC2230
ipset="$( which ipset 2>/dev/null )"
test -x "$ipset" && ips_e="OK" || ips_e="NOK - NOT FOUND"
if [ "$ips_e" != "OK" ]; then
  func_msg m:tee "ipset: $ips_e, exiting..."
  exit 1
fi

# shellcheck disable=SC2230
{ getfile=$( which wget 2>/dev/null ) && getfile="$getfile -q -O"; }
if [ -z "$getfile" ]; then
  func_msg m:stdout "curl or wget not found, exiting..."
  exit 1
fi
# shellcheck disable=SC2230
which md5sum >/dev/null 2>&1 || \
  { func_msg m:stdout "md5sum not found, exiting..."; exit 1; }

# main loop: handle country here
func_block_ip() {
  SAVE_IFS="$IFS"
  IFS=";"
  for cty in $COUNTRY; do
    cty="$( echo "$cty" | tr '[:upper:]' '[:lower:]' )"
    ctyiso="$( echo "$cty" | cut -d',' -f 1 | sed -r -e 's/(^ +| +$)//g' )"
    ctyname="$( echo "$cty" | cut -d',' -f 2 | sed -r -e 's/(^ +| +$)//g' -e 's/ /_/g' )"
    if [ "$ctyname" != "" ]; then
      IFS="$SAVE_IFS"
      for url in $1; do
        # if its an ipv6 zonefile url: change protocol
        if echo "$url" | grep -q "ipv6"; then
          proto="ipv6"
        fi
        func_vars
        func_zf
        if [ "$MD5CHECK" -eq 0 ] || [ "$md5src" = "$md5chk" ]; then
          if [ "$zf" != "SKIP" ]; then
            if [ "$FIREWALLD" -eq 1 ]; then
              func_firewalld_ips
              if [ "$FIREWALLD_MODE" -eq 1 ]; then
                # blacklist
                func_firewalld_public
              else
                # whitelist
                func_firewalld_drop
              fi
            else
              func_ips_create
              if [ "$RESTORE" -eq 1 ]; then
                func_ipt_res
              fi
              if [ "$LOGIPS" -eq 1 ] && [ "$FIREWALLD" -ne 1 ]; then
                func_ipt_log
              fi
              func_ips_add
              if [ "$MODE" = "accept" ]; then
                # whitelist
                func_ipt_allow
              else
                # blacklist
                func_ipt_deny
              fi
            fi
          fi
        else
          func_msg "zonefile: md5 \"${proto}-${zonefile}\" mismatch\""
        fi
      done
    else
      func_msg m:stdout "incorrect country setting\""
    fi
    if [ -f "/tmp/${proto}-${zonefile}.$$" ]; then
      rm "/tmp/${proto}-${zonefile}.$$"
    fi
  done
}

if [ "$IPV4" -eq 1 ]; then
  proto="ipv4"
  if [ -z "$IPBLOCK_URL_V4" ]; then
    IPBLOCK_URL_V4="$IPBLOCK_URL"
  fi
  func_block_ip "$IPBLOCK_URL_V4"
fi

# ipv6 uses '/sbin/ip6tables'
if [ "$IPV6" -eq 1 ]; then
  proto="ipv6"
  if [ -z "$IPBLOCK_URL_V6" ]; then
    IPBLOCK_URL_V6="$IPBLOCK_URL"
  fi
  if [ -z "$IPBLOCK_URL_V6" ] && [ -z "$IPBLOCK_URL" ]; then
    IPBLOCK_URL_V6="$IPBLOCK_URL_V4"
  fi
  func_block_ip "$IPBLOCK_URL_V6"
fi

if [ "$FIREWALLD" -eq 1 ]; then
  func_msg m:nonl m:stdout "firewalld: reload -"
  $firewallcmd --reload >>"$LOG" 2>&1
fi
func_msg m:stdout "ipset-country: done"
IFS="$SAVE_IFS"