#!/bin/bash

#Script to add firewall rules to a linux system to completely block
#all traffic to and from networks in the spamhaus drop list.

#Copyright 2009, William Stearns, wstearns@pobox.com
#Released under the GPL.  This and other tools can be found at
#http://www.stearns.org/
#Modified by Sam Watkins, sam@ucm.dev

#Sole (optional) command line parameter is "-u", which re-downloads the
#DROP and EDROP lists into /var/lib before the rules are applied; without
#it the copies already present in /var/lib are used.  Examples:
#
#  ./spamhaus-drop -u
#  ./spamhaus-drop

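# All list files live in /var/lib.  A failed cd must abort: otherwise the
# downloads and the later relative reads happen in whatever the cwd is.
cd /var/lib/ || { echo "Cannot cd to /var/lib, exiting." >&2; exit 1; }

# "-u" refreshes the lists before they are applied.  "${1:-}" keeps the
# test well-formed when no argument is given (an unquoted empty $1 makes
# [ complain about a missing operand).
if [ "${1:-}" = "-u" ]; then
	# Fetch over TLS into a temporary file and replace the previous copy
	# only on success, so a failed or truncated download does not leave the
	# host without a list to apply.  A failure is reported but not fatal:
	# the existing copy (if any) is used and the missing-file check below
	# still aborts when there is none.
	# NOTE(review): the .lasso file names are taken from the original
	# script; confirm them against the current Spamhaus DROP publication.
	for list in drop.lasso edrop.lasso; do
		tmp=$(mktemp "/var/lib/${list}.XXXXXX") || exit 1
		if wget -q "https://www.spamhaus.org/drop/${list}" -O "$tmp"; then
			mv -f "$tmp" "/var/lib/${list}"
		else
			echo "Download of ${list} failed; keeping the existing copy." >&2
			rm -f "$tmp"
		fi
	done
fi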
#The rules are appended to the INPUT, OUTPUT and FORWARD chains of the
#running firewall; this script does not save them across a reboot.

#While the DROP file should be regularly updated, this should
#probably be about once per day or less frequently; do _not_
#download DROP more than once an hour.

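# Append a rule only when an identical one is not already present, so a
# re-run (e.g. daily from cron) does not stack duplicate rules.  "-C"
# needs iptables >= 1.4.11; on older builds the check fails and the rule
# is appended unconditionally, as before.
add_drop_rule() {
	/sbin/iptables -C "$@" 2>/dev/null || /sbin/iptables -A "$@"
}

# Only an IPv4 address with an optional /prefix is accepted.  The list is
# downloaded content and iptables runs with full privileges, so any other
# line is reported and skipped instead of being passed through.  (An IPv6
# list would need ip6tables and a different pattern.)
cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

for DropList in drop.lasso edrop.lasso; do

	# Lists are read relative to /var/lib (see the cd above).  A missing
	# list is fatal so that a half-applied block policy is noticed rather
	# than silently skipped.
	if [ ! -e "$DropList" ]; then
		echo "Unable to find drop list file $DropList .  Perhaps do:" >&2
		echo "wget https://www.spamhaus.org/drop/$DropList -O /var/lib/$DropList" >&2
		echo "exiting." >&2
		exit 1
	fi

	if [ ! -x /sbin/iptables ]; then
		echo "Missing iptables command line tool, exiting." >&2
		exit 1
	fi

	# Strip ';' comments and blank lines.  "read" is left with the default
	# IFS so it trims the whitespace that precedes a stripped comment; -r
	# keeps backslashes literal.
	sed -e 's/;.*//' "$DropList" \
	 | grep -v '^ *$' \
	 | while read -r OneNetBlock ; do
		if ! [[ "$OneNetBlock" =~ $cidr_re ]]; then
			echo "Skipping unexpected entry in $DropList: $OneNetBlock" >&2
			continue
		fi
		add_drop_rule INPUT   -s "$OneNetBlock" -j DROP
		add_drop_rule OUTPUT  -d "$OneNetBlock" -j DROP
		add_drop_rule FORWARD -s "$OneNetBlock" -j DROP
		add_drop_rule FORWARD -d "$OneNetBlock" -j DROP
	done

done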
