#
# Anti World Firewall
#
# I've seen many individuals searching for an IPTABLES ruleset similar to the one below. It is a very crude and
# unprofessional rule; however, it accomplishes what one is looking for.
#
# This rule is based on the premise that the machine running the rule is on a North American
# network. It works by taking an active look at all of the assigned address spaces and where they're allocated
# to, and allows for blocking of those networks for a set of services.
#
# The optimal and correct way to defend would be to deny all connections and allow in whatever is necessary;
# however, there are times when this practice may be difficult to implement.
#
# The rules below were configured for a public-facing Voice over IP based PBX system with teleworkers
# coming from anywhere in the United States. The theory was, at no point in time should anyone else
# be connecting from outside of the United States to that PBX. This accomplishes just that and allows
# the administrator to avoid having to create a new instance every time someone checks in to a random
# hotel and uses a softphone: "I can't make calls"...
#
# On the downside, any attacking device inside any North American system CAN connect. The attack
# vector is minimized to solely machines attacking from within North America. Strong password schemes and
# vigilant monitoring can further mitigate against this.
#
# To implement the rules you could do the following:
#
# wget -qO - infiltrated.net/antitoll | sh | sh
#
# (This script itself only PRINTS the iptables commands; the first sh runs the script,
# the second sh executes the commands it prints.)
#
# However, you should download the file and modify it according to your needs.
#
# USE AT YOUR OWN RISK. Please be aware that if you are not familiar with firewalls/iptables, you
# run the risk of blocking yourself, clients, etc.

# Per-RIR allocation tables; the RIR name and ".html" are appended below.
site=http://bgp.potaroo.net/ipv4-stats/allocated-

# NOTE: THERE ARE TWO SETS OF RULES FOR EACH PROTOCOL
# THE FIRST RULE IS TO LOG ATTEMPTS AND THE SECOND IS
# TO BLOCK THE ATTEMPT... UNSURE WHY SOMEONE WOULDN'T
# HAVE PROGRAMMED IPTABLES TO SIMPLY ALLOW FOR A RULE
# SUCH AS:
# iptables -p tcp -m multiport --dports 22,80 -j DROP --log
#
# Each pipeline: fetch the table, take the text after the first ">", turn "N/8" into
# "N.0.0.0/8", print one iptables command per non-empty line, and drop leftover HTML
# and header lines. ARIN (North America) is intentionally not listed.
# The --log-prefix strings end in a space so the prefix is separated from the "IN="
# field that the kernel prints directly after it.

# APNIC
wget -qO - "$site"apnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"APNIC Denied UDP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"apnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

wget -qO - "$site"apnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"APNIC Denied TCP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"apnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

# RIPE
wget -qO - "$site"ripe.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"RIPE Denied UDP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"ripe.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

wget -qO - "$site"ripe.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"RIPE Denied TCP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"ripe.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

# LACNIC
wget -qO - "$site"lacnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"LACNIC Denied UDP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"lacnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

wget -qO - "$site"lacnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"LACNIC Denied TCP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"lacnic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

# AFRINIC
wget -qO - "$site"afrinic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"AFRINIC Denied UDP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"afrinic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p udp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"

wget -qO - "$site"afrinic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j LOG --log-prefix \"AFRINIC Denied TCP \" --log-level 4"}' | grep -v "<\|IPv4"

wget -qO - "$site"afrinic.html | \
awk -F ">" '{print $2}' | sed 's:/:.0.0.0/:g' | \
awk '/./{print "iptables -A INPUT -s "$1" -p tcp -m multiport --dports 22,80,111,443,5060,5061 -j REJECT --reject-with icmp-proto-unreachable"}' | grep -v "<\|IPv4"
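Added example, not part of the original antitoll script: the same per-RIR rule generation, but with the /8 prefixes loaded into one ipset so each protocol needs only one LOG and one REJECT rule (which answers the complaint above about needing a rule pair per network), plus a pre-flight check that an address you must keep reachable is not in the list. It assumes the ipset tool and the iptables "-m set" match are available; the table text is constructed sample input in the one-prefix-per-line form the original sed/grep pipeline assumes.

```shell
#!/bin/sh
# CONSTRUCTED sample of what the allocation table looks like after the original
# 'awk -F ">" {print $2}' step: one "N/8" per line plus header/HTML leftovers.
SAMPLE_TABLE='1/8
14/8
27/8
IPv4 allocations
<td>junk'

# Turn "N/8" into "N.0.0.0/8" and drop header/HTML lines, exactly like the
# original sed/grep; the final grep keeps only well-formed /8 prefixes.
# Reads the table on stdin.
to_cidrs() {
    sed 's:/:.0.0.0/:g' | grep -v '<\|IPv4' | grep '^[0-9]*\.0\.0\.0/8$'
}

# Print ipset/iptables commands for one RIR. $1 = RIR name, table on stdin.
# Like the original, nothing is executed here; the output is meant to be
# reviewed and then piped to sh.
gen_rules() {
    rir=$1
    set_name="deny_$(echo "$rir" | tr 'A-Z' 'a-z')"
    ports=22,80,111,443,5060,5061
    echo "ipset -exist create $set_name hash:net"
    to_cidrs | while read -r cidr; do
        echo "ipset -exist add $set_name $cidr"
    done
    for proto in udp tcp; do
        up=$(echo "$proto" | tr 'a-z' 'A-Z')
        # Trailing space in the prefix keeps it apart from the IN= field.
        echo "iptables -A INPUT -m set --match-set $set_name src -p $proto" \
             "-m multiport --dports $ports -j LOG" \
             "--log-prefix \"$rir Denied $up \" --log-level 4"
        echo "iptables -A INPUT -m set --match-set $set_name src -p $proto" \
             "-m multiport --dports $ports -j REJECT --reject-with icmp-proto-unreachable"
    done
}

# Pre-flight check: is $1 (dotted IPv4) inside the generated /8 list?
# Run it for your own admin host and any address that must stay reachable
# BEFORE applying the rules. Table on stdin; exit 0 means "would be blocked".
is_blocked() {
    first=${1%%.*}
    to_cidrs | grep -q "^$first\.0\.0\.0/8$"
}

printf '%s\n' "$SAMPLE_TABLE" | gen_rules APNIC
```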