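#!/bin/sh
################################################################################
# The blacklist script performs the following:                                 #
#                                                                              #
# 1. Restore the blacklist ipset hash list (defined in /etc/ipset.conf) that   #
#    dynamically stores ip addresses to block for five minutes                 #
# 2. Execute an infinite loop to monitor the iptables configuration to         #
#    ensure the blacklist rules exist and add them if not                      #
#                                                                              #
# Rules are only (re)inserted while the BLACKLIST_REJECT chain exists; the     #
# chain itself is expected to be created by the main firewall configuration.   #
#                                                                              #
# POSIX sh only (no bashisms) so the shebang stays /bin/sh. No `set -e`: this  #
# is a long-running loop and a transient iptables error must not kill it.     #
################################################################################

IPTABLES=/usr/sbin/iptables
IPSET=/sbin/ipset
IPSET_CONF=/etc/ipset.conf
POLL_INTERVAL=5   # seconds between rule checks

#######################################
# Write a timestamped diagnostic to stderr.
# Arguments: message words
#######################################
log() {
  printf '%s blacklist: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2
}

#######################################
# Test whether an iptables chain exists in the filter table.
# -w waits for the xtables lock instead of failing when another iptables
# process holds it; -n avoids reverse DNS lookups while listing, which could
# otherwise stall the loop.
# Arguments: $1 - chain name
# Returns:   0 if the chain exists, non-zero otherwise
#######################################
chain_exists() {
  "$IPTABLES" -w -n -L "$1" >/dev/null 2>&1
}

#######################################
# Ensure a rule is present at position 1 of a chain, inserting it if missing.
# Uses `iptables -C` (check) rather than grepping `-L -v` output, so the match
# is exact and unaffected by packet counters, DNS resolution or unrelated
# rules that merely mention the word "blacklist". -C prints "Bad rule" to
# stderr when the rule is absent, hence the redirect.
# Arguments: $1 - chain name; remaining arguments - rule specification
# Outputs:   logs to stderr when a rule is inserted or insertion fails
#######################################
ensure_rule() {
  ensure_chain=$1
  shift
  if ! "$IPTABLES" -w -C "$ensure_chain" "$@" >/dev/null 2>&1; then
    if "$IPTABLES" -w -I "$ensure_chain" 1 "$@"; then
      log "inserted missing rule in $ensure_chain: $*"
    else
      log "failed to insert rule in $ensure_chain: $*"
    fi
  fi
}

# Create the blacklist hash list within ipset. -exist keeps the restore
# idempotent when the set already exists (e.g. after a restart of this
# script). The failure is logged rather than fatal: the match-set rules
# cannot work until the set exists, but the loop keeps trying them.
if ! "$IPSET" restore -exist < "$IPSET_CONF"; then
  log "ipset restore from $IPSET_CONF failed; match-set rules cannot apply until the blacklist set exists"
fi

while true; do
  # Only manage the rules while the BLACKLIST_REJECT chain exists; the chain
  # is created elsewhere, and inserting a jump to a missing chain would fail.
  if chain_exists BLACKLIST_REJECT; then
    ensure_rule INPUT -m set --match-set blacklist src -j BLACKLIST_REJECT
    # The outbound rule rejects directly instead of jumping to
    # BLACKLIST_REJECT (kept as in the original; presumably that chain only
    # handles inbound traffic -- confirm against the firewall configuration).
    ensure_rule OUTPUT -m set --match-set blacklist dst -j REJECT
  fi
  sleep "$POLL_INTERVAL"
done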