
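#!/bin/bash
#
# Restrict inbound SMTP (TCP 25/465/587) on a Zimbra MTA to source addresses
# that are either in Indonesia (country zone file from ipdeny.com) or in a
# fixed list of DigitalOcean hosts. Every other source hitting those ports is
# dropped.
#
# ipsets referenced by the iptables rules: "indonesia" and "digitalocean"
# (both hash:net). Each set is rebuilt into a scratch set and swapped in
# atomically, so the live whitelist is never empty while the DROP rule is
# active, and a failed download or a malformed feed leaves the previous
# entries in place instead of locking all senders out.
#
# Requires root, curl, ipset and iptables (CentOS/RHEL 7: ipset-service and
# iptables-services for persistence). Intended to be run from cron.
#
# NOTE(review): the DROP rule applies to loopback and to the host's own
# address too unless an earlier INPUT rule accepts them. Zimbra's mailboxd
# hands outbound mail to the MTA over SMTP, so that path (lo, the host's own
# IP, other Zimbra nodes) must be accepted before the DROP. Loopback is
# handled below; any other internal relay has to be added to a set.

set -euo pipefail

### CONFIG ###
ID_URL="https://www.ipdeny.com/ipblocks/data/countries/id.zone"
ID_LIST="/etc/id.zone"            # last known-good copy of the zone file
SMTP_PORTS="25,465,587"

# Trusted DigitalOcean hosts (one address or CIDR per element).
DIGITALOCEAN_NETWORKS=(
    "178.128.106.59/32"
    "128.199.251.208/32"
    "159.65.136.153/32"
    "139.59.107.53/32"
    "68.183.224.237/32"
)

### INSTALL PACKAGE ###
# yum install -y ipset ipset-service

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
    printf 'ERROR: %s\n' "$*" >&2
    exit 1
}

#######################################
# Delete every copy of an INPUT rule. A single `iptables -D` removes only
# one instance, so earlier runs that were interrupted can leave duplicates.
# Arguments: the rule specification without the chain name.
#######################################
delete_rule() {
    while iptables -D INPUT "$@" 2>/dev/null; do :; done
}

#######################################
# Atomically replace the contents of an ipset.
# Arguments: $1 - set name; stdin - one IPv4 address or CIDR per line.
# Entries are loaded into "<name>_tmp" via `ipset restore` (one process
# instead of one fork per entry) and then swapped into the live set. If the
# load fails the live set is untouched. The default hash:net maxelem (65536)
# is the hard limit; exceeding it makes the restore fail loudly.
#######################################
load_set() {
    local name=$1
    local tmp="${1}_tmp"
    ipset create "$name" hash:net -exist
    ipset create "$tmp" hash:net -exist
    ipset flush "$tmp"
    # Blank lines would become "add <set> " and abort the restore, drop them.
    sed -e '/^[[:space:]]*$/d' -e "s/^/add $tmp /" | ipset restore -exist
    ipset swap "$tmp" "$name"
    ipset destroy "$tmp"
}

### DOWNLOAD IP LIST ###
# Download into a temp file next to the target: a failed or truncated fetch
# must neither overwrite the last good copy nor be fed into the set.
TMP_ZONE=$(mktemp "${ID_LIST}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$TMP_ZONE"' EXIT
# -f turns HTTP errors into a non-zero exit instead of saving an error page.
curl -fsS --max-time 60 -o "$TMP_ZONE" "$ID_URL" \
    || die "download of $ID_URL failed; keeping current whitelist"

# The feed is third-party input that ends up in a firewall rule: accept only
# lines that look like an IPv4 address or CIDR, and refuse an empty result.
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
grep -Eq "$CIDR_RE" "$TMP_ZONE" \
    || die "$ID_URL returned no address entries; keeping current whitelist"
if grep -Evq "$CIDR_RE" "$TMP_ZONE"; then
    die "$ID_URL contains lines that are not IPv4 CIDRs; keeping current whitelist"
fi
mv -f -- "$TMP_ZONE" "$ID_LIST"

### LOAD INDONESIA ###
load_set indonesia < "$ID_LIST"

### LOAD DIGITALOCEAN ###
printf '%s\n' "${DIGITALOCEAN_NETWORKS[@]}" | load_set digitalocean

### CLEAR OLD IPTABLES RULES ###
# Remove the rules from previous runs so they are not duplicated.
PORT_MATCH=(-p tcp -m multiport --dports "$SMTP_PORTS")
delete_rule "${PORT_MATCH[@]}" -i lo -j ACCEPT
delete_rule "${PORT_MATCH[@]}" -m set --match-set indonesia src -j ACCEPT
delete_rule "${PORT_MATCH[@]}" -m set --match-set digitalocean src -j ACCEPT
delete_rule "${PORT_MATCH[@]}" -j DROP

### SMTP RULES ###
# Allow Indonesia
iptables -I INPUT "${PORT_MATCH[@]}" -m set --match-set indonesia src -j ACCEPT

# Allow Digitalocean
iptables -I INPUT "${PORT_MATCH[@]}" -m set --match-set digitalocean src -j ACCEPT

# Allow local processes (Zimbra components talking to the MTA over loopback).
iptables -I INPUT "${PORT_MATCH[@]}" -i lo -j ACCEPT

# Drop all other SMTP
iptables -A INPUT "${PORT_MATCH[@]}" -j DROP

### SAVE RULES ###
# Boot order matters: ipset-service has to restore the sets before
# iptables-services restores rules that reference them, otherwise the rule
# restore fails at boot.
service iptables save
ipset save > /etc/sysconfig/ipset

echo "Whitelist SMTP Indonesia + Digitalocean updated!"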