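#!/usr/bin/env bash
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2020 - License: GNU GPLv3      ##
###########################################################################
##  Downloads the FireHOL level 1 list and adds all networks to an IP   ##
##  set.                                                                 ##
###########################################################################
## Possible firewall configuration:
## Delete all the old rules.
#I=`/sbin/iptables-save | grep -- "-A INPUT -j FIREHOL-LEVEL1"`
#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j FIREHOL-LEVEL1"`
#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
#    /sbin/iptables -F FIREHOL-LEVEL1
#    /sbin/iptables -X FIREHOL-LEVEL1
#fi
#if [ ! -z "$I" ]; then
#    /sbin/iptables -D INPUT -j FIREHOL-LEVEL1
#fi
#if [ ! -z "$O" ]; then
#    /sbin/iptables -D OUTPUT -j FIREHOL-LEVEL1
#fi
## Create the chain again and add all the new rules.
#/sbin/iptables -N FIREHOL-LEVEL1
#/sbin/iptables -I INPUT 1 -j FIREHOL-LEVEL1
#/sbin/iptables -I OUTPUT 1 -j FIREHOL-LEVEL1
#/sbin/iptables -A FIREHOL-LEVEL1 -p all -m set --match-set FIREHOL-LEVEL1 src,dst -j DROP
## Continue with the rest.
#/sbin/iptables -A FIREHOL-LEVEL1 -j RETURN
###########################################################################

set -euo pipefail

# Production set referenced by the iptables rules above, and the staging set
# that is filled first and then swapped in atomically (constructed name; ipset
# set names must be shorter than 32 characters).
readonly SET_NAME=FIREHOL-LEVEL1
readonly TMP_SET_NAME=FIREHOL-LEVEL1-TMP

# Where the level 1 netset is fetched from. The download line did not survive
# in this copy of the script; the default below is FireHOL's published
# location for the list — override with FIREHOL_URL if yours differs
# (TODO confirm against the upstream script).
readonly FIREHOL_URL=${FIREHOL_URL:-https://iplists.firehol.org/files/firehol_level1.netset}

# Temporary files; assigned in main, read by cleanup.
BOGONS_LIST=
FIREHOL_LIST=

#######################################
# Print a message to stderr and exit non-zero so cron/systemd see the failure.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Delete the temporary bogon and firehol lists and any half-built staging
# set. Runs on every exit path via the EXIT trap set in main.
# Globals: BOGONS_LIST, FIREHOL_LIST, TMP_SET_NAME (read)
#######################################
cleanup() {
  local f
  for f in "${BOGONS_LIST:-}" "${FIREHOL_LIST:-}"; do
    if [[ -n "$f" && -f "$f" ]]; then
      rm -f -- "$f"
    fi
  done
  # The staging set only exists if a run was interrupted after creating it.
  ipset destroy "$TMP_SET_NAME" >/dev/null 2>&1 || true
}

#######################################
# Write the networks that must never end up in the DROP set to $1: private
# and special-use ranges that the level 1 list also carries and that would
# cut off local traffic if matched on src,dst.
# The list itself was lost from this copy of the script; the entries below are
# the special-use blocks of the RFCs the original comment names (RFC 1918,
# RFC 5735, RFC 6598) — verify against the upstream script.
# Arguments: $1 - output file
#######################################
write_bogons_list() {
  cat > "$1" <<'EOF'
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
EOF
}

#######################################
# Print the entries of the downloaded netset that are not listed verbatim in
# the bogon file, keeping only lines that look like an IPv4 address with an
# optional /prefix. Comment lines and anything else ipset would reject are
# dropped here rather than handed to ipset one by one.
# Arguments: $1 - bogon list, $2 - downloaded netset
# Outputs:   one network per line on stdout
# Returns:   non-zero when nothing passes the filter (grep finds no match)
#######################################
filter_networks() {
  # f=1 while reading the bogon file, f=2 for the netset; this stays correct
  # even if the first file is empty, unlike the FNR==NR idiom.
  awk 'f == 1 { bogon[$0]; next } !($0 in bogon)' f=1 "$1" f=2 "$2" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

#######################################
# Fetch the list, validate it, build a staging set and swap it into place.
# Globals: SET_NAME, TMP_SET_NAME, FIREHOL_URL (read);
#          BOGONS_LIST, FIREHOL_LIST (written)
# Returns: 0 on success; exits 1 on any failure, leaving the live set as it was
#######################################
main() {
  command -v ipset >/dev/null || die "${0##*/}: ipset is not installed."
  command -v curl >/dev/null || die "${0##*/}: curl is not installed."

  # Signals exit through `exit` so the EXIT trap always runs cleanup
  # (KILL cannot be trapped, so it is not listed).
  trap cleanup EXIT
  trap 'exit 1' HUP INT QUIT TERM

  BOGONS_LIST=$(mktemp) || die "${0##*/}: mktemp failed."
  FIREHOL_LIST=$(mktemp) || die "${0##*/}: mktemp failed."

  write_bogons_list "$BOGONS_LIST"

  # Download before touching the live set: a failed or empty download must
  # leave the previous block list in force, not an empty one.
  if ! curl -fsSL --max-time 300 "$FIREHOL_URL" -o "$FIREHOL_LIST" \
      || [[ ! -s "$FIREHOL_LIST" ]]; then
    die 'FireHOL Level 1 Netset list could not be downloaded.'
  fi

  local nets
  nets=$(filter_networks "$BOGONS_LIST" "$FIREHOL_LIST") || true
  if [[ -z "$nets" ]]; then
    die 'FireHOL Level 1 Netset list contained no usable networks; set left unchanged.'
  fi

  # Fill a staging set and swap it in, so packet matching never observes a
  # flushed, empty FIREHOL-LEVEL1 while the new entries are being added.
  ipset destroy "$TMP_SET_NAME" >/dev/null 2>&1 || true
  ipset create "$TMP_SET_NAME" hash:net family inet
  # One `ipset restore` instead of one ipset process per network; -exist
  # tolerates duplicate entries in the netset.
  printf '%s\n' "$nets" \
    | awk -v set="$TMP_SET_NAME" '{ print "add " set " " $0 }' \
    | ipset -exist restore

  # Create the live set on first run so the iptables rules can reference it.
  if ! ipset list "$SET_NAME" >/dev/null 2>&1; then
    ipset create "$SET_NAME" hash:net family inet
  fi
  ipset swap "$TMP_SET_NAME" "$SET_NAME"
  ipset destroy "$TMP_SET_NAME"
}

main "$@"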