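#!/bin/bash
# IPSET whitelist loader for an iptables firewall.
# Customized by CCNA HUB - Imad Daou
# Original Script: https://raw.githubusercontent.com/trick77/ipset-blacklist/master/update-blacklist.sh
# For more information about the Progress Bar: https://raw.githubusercontent.com/haikieu/shell-progressbar/master/progressbar.sh
#
# The script downloads the published IPv4 ranges of a few third-party services,
# merges them with an optional local admin list and loads the result into the
# ipset named $IPSET_WHITELIST_NAME through a temporary set and an atomic swap.
#
# SECURITY NOTE: every entry that ends up in the set bypasses whatever iptables
# rule references it, so keep the list of sources short and the ranges tight.

# Abort on unset variables and make pipeline failures visible. "set -e" is
# deliberately NOT used: one unreachable source must not abort the whole run.
set -u
set -o pipefail

# The pauses below only make sense for a human watching a terminal; under cron
# or with stdout redirected into a log they just waste time.
interactive() { [[ -t 1 ]]; }

# delay: short pause between two progress-bar frames (interactive only).
delay() { interactive && sleep 0.2; return 0; }

# Width of the progress bar in characters.
readonly PROGRESS_WIDTH=53
# Last percentage that was rendered; progress() redraws every 5% mark between
# this value and the requested target so the bar animates on big jumps too.
CURRENT_PROGRESS=0

#######################################
# Render progress-bar frames from CURRENT_PROGRESS up to $1.
# Arguments: $1 - target percentage (0..100; only multiples of 5 get a frame)
#            $2 - status text printed to the right of the bar (optional)
# Globals:   CURRENT_PROGRESS (read, then set to $1)
# Outputs:   ANSI-coloured frames on stdout, ending in a "Done!" line at 100
#######################################
progress() {
  local target=${1:-0}
  local status=${2:-}
  local step filled bar pad
  for ((step = 0; step <= 100; step += 5)); do
    # Same rule as the original chain of tests: redraw every 5% mark that lies
    # between the last rendered value and the new target, both inclusive.
    (( CURRENT_PROGRESS <= step && step <= target )) || continue
    filled=$(( (step * PROGRESS_WIDTH + 50) / 100 ))
    printf -v bar '%*s' "$filled" ''
    bar=${bar// /#}
    printf -v pad '%*s' "$((PROGRESS_WIDTH - filled))" ''
    bar+=${pad// /.}
    if (( step == 100 )); then
      printf '\033[01;92m Done! [%s] (100%%) %s\033[0m \n' "$bar" "$status"
    else
      # "\r" without a newline so the next frame overwrites this one.
      printf '\033[01;89m[%s] (%d%%) %s \r\033[0m' "$bar" "$step" "$status"
    fi
    delay
  done
  CURRENT_PROGRESS=$target
}

echo
echo -e "\x1B[01;93m#### ####\x1B[0m"
echo -e "\x1B[01;92m# Preparing IPSET Whitelist Loader Script for IPtables Firewall #\x1B[0m"
echo -e "\x1B[01;93m#### ####\x1B[0m"
echo
echo -e "\x1B[01;93m----------------------------------------------------------\x1B[0m"
echo -e "\x1B[01;92m Preparing Multi Whitelists into one file...Please wait...\x1B[0m"
echo -e "\x1B[01;93m----------------------------------------------------------\x1B[0m"
echo
# Give a human a moment to read the banner; skipped when not on a terminal.
interactive && sleep 5

# Working directory and file names. The directory must already exist.
readonly IP_WHITELIST_DIR=/etc/network/iptables/ipset-whitelist
readonly IPSET_WHITELIST_NAME=IPSET-WHITELIST # change it if it collides with a pre-existing ipset list
readonly IPSET_TMP_WHITELIST_NAME=${IPSET_WHITELIST_NAME}-tmp
readonly IP_WHITELIST_RESTORE=${IP_WHITELIST_DIR}/ip-whitelist.restore  # generated "ipset restore" session
readonly IP_WHITELIST=${IP_WHITELIST_DIR}/ip-whitelist.list             # merged, validated online entries
readonly IP_WHITELIST_CUSTOM=${IP_WHITELIST_DIR}/ip-whitelist-custom.list # optional, for your personal nemeses (no typo, plural)
readonly HASHSIZE=65536   # the initial hash size for the set. Don't touch unless you know what you're doing.
readonly MAXELEM=1000000  # the maximal number of elements which can be stored in the set

progress 20 "Processing..."

# List of URLs for IP Whitelists. Currently, only IPv4 is supported in this script, everything else will be filtered.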
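WHITELIST=(
  "https://www.cloudflare.com/ips-v4"                                              # Cloudflare IP addresses and networks
  "https://my.pingdom.com/probes/ipv4"                                             # Pingdom IP Addresses and Networks
  "https://www.maxcdn.com/one/assets/ips.txt"                                      # MAXCDN IP Addresses and Networks
  "https://ip-ranges.amazonaws.com/ip-ranges.json"                                 # AWS ip-ranges.json; only its CLOUDFRONT entries are used (see fetch loop)
  "https://s3.amazonaws.com/nr-synthetics-assets/nat-ip-dnsname/production/ip.json" # New Relic Monitoring service IPs
)
progress 40 "Processing..."
################################################################################################################################
# Every tool the script shells out to; fail early with a clear message instead of half-way through.
for command in ipset curl grep sort wc mktemp; do
  if ! command -v "$command" > /dev/null 2>&1; then
    echo "Error: please install $command" >&2
    exit 1
  fi
done

if [[ ! -d "$IP_WHITELIST_DIR" ]]; then
  echo "Error: please create $IP_WHITELIST_DIR directory" >&2
  exit 1
fi
# Leftovers from the older .conf layout are refused rather than silently ignored.
if [[ -f "$IP_WHITELIST_DIR/ip-whitelist.conf" ]]; then
  echo "Error: please remove $IP_WHITELIST_DIR/ip-whitelist.conf" >&2
  exit 1
fi
if [[ -f "$IP_WHITELIST_DIR/ip-whitelist-custom.conf" ]]; then
  echo "Error: please rename $IP_WHITELIST_DIR/ip-whitelist-custom.conf to $IP_WHITELIST_CUSTOM" >&2
  exit 1
fi
progress 60 "Processing..."

#######################################
# Accept only a well-formed IPv4 address or CIDR that is safe to whitelist:
# four octets in 0..255, an optional prefix length of 1..32 (a /0 would
# whitelist everybody), and neither loopback (127/8) nor 0.0.0.0.
# Arguments: $1 - candidate entry
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_whitelist_entry() {
  local entry=$1 octet prefix
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/([0-9]{1,2}))?$'
  [[ $entry =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  prefix=${BASH_REMATCH[6]}
  if [[ -n $prefix ]]; then
    (( 10#$prefix >= 1 && 10#$prefix <= 32 )) || return 1
  fi
  [[ ${BASH_REMATCH[1]} == 127 ]] && return 1
  [[ $entry == 0.0.0.0* ]] && return 1
  return 0
}

#######################################
# Read candidate entries on stdin, print the acceptable ones on stdout and
# report every rejected line on stderr. Blank lines and "#" comments are
# skipped silently; surrounding whitespace is trimmed.
#######################################
filter_entries() {
  local line
  while IFS= read -r line || [[ -n $line ]]; do
    line=${line#"${line%%[![:space:]]*}"}
    line=${line%"${line##*[![:space:]]}"}
    [[ -z $line || $line == \#* ]] && continue
    if valid_whitelist_entry "$line"; then
      printf '%s\n' "$line"
    else
      printf 'Warning: ignoring invalid whitelist entry "%s"\n' "$line" >&2
    fi
  done
}

IP_WHITELIST_TMP=$(mktemp) || { echo "Error: mktemp failed" >&2; exit 1; }
IP_TMP=$(mktemp) || { rm -f -- "$IP_WHITELIST_TMP"; echo "Error: mktemp failed" >&2; exit 1; }
# Scratch files are removed on every exit path, including an interrupted run.
trap 'rm -f -- "$IP_WHITELIST_TMP" "$IP_TMP"' EXIT

for url in "${WHITELIST[@]}"; do
  : > "$IP_TMP"
  # HTTPS only, also after redirects, so a redirect cannot downgrade the transfer
  # to plaintext. Redirects are followed and only a final 200 is trusted: the body
  # of a 302 is the redirect page, not the list. The larger --max-time allows
  # for the multi-megabyte AWS JSON.
  HTTP_RC=$(curl --proto '=https' --proto-redir '=https' -L --max-redirs 3 \
                 --connect-timeout 10 --max-time 30 -s -o "$IP_TMP" -w '%{http_code}' "$url")
  if [[ $HTTP_RC != 200 ]]; then
    echo -e "\nWarning: curl returned HTTP response code $HTTP_RC for URL $url" >&2
    continue
  fi
  case $url in
    *ip-ranges.amazonaws.com/ip-ranges.json)
      # ip-ranges.json covers every AWS service; extracting all IPv4 CIDRs from
      # it would whitelist all of EC2/S3/etc. Keep only the CLOUDFRONT prefixes,
      # and when jq is unavailable skip the source entirely (fail closed).
      if command -v jq > /dev/null 2>&1; then
        jq -r '.prefixes[] | select(.service == "CLOUDFRONT") | .ip_prefix' "$IP_TMP" >> "$IP_WHITELIST_TMP"
      else
        echo -e "\nWarning: jq not installed; skipping $url rather than whitelisting every AWS range" >&2
      fi
      ;;
    *)
      # grep exits 1 when a list contains no IPv4 entry at all; not an error here.
      grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" >> "$IP_WHITELIST_TMP" || true
      ;;
  esac
done
progress 80 "Processing..."
progress 100 "Done "
[[ -t 1 ]] && sleep 2
echo

# Validate, de-duplicate and sort the downloaded entries (sort -u replaces the
# former sort|uniq pair and makes the old "Duplicate IP" report moot).
filter_entries < "$IP_WHITELIST_TMP" | LC_ALL=C sort -u > "$IP_WHITELIST"
echo -e "\x1B[01;93m Number of Online Whitelist IP/Networks found:\x1B[0m" "\x1B[01;89m $(wc -l < "$IP_WHITELIST") \x1B[0m"
if [[ ! -s "$IP_WHITELIST" ]]; then
  echo "Warning: no online whitelist entries were collected; the set will hold only the custom list" >&2
fi

# Build the "ipset restore" session: fill a temporary set, then swap it in.
# "-exist" on add keeps an entry listed in both the online and the custom list
# from aborting the restore half-way (which would leave the old set active and
# the temporary set behind).
{
  echo "create $IPSET_TMP_WHITELIST_NAME -exist hash:net family inet hashsize $HASHSIZE maxelem $MAXELEM"
  echo "create $IPSET_WHITELIST_NAME -exist hash:net family inet hashsize $HASHSIZE maxelem $MAXELEM"
  while IFS= read -r ip; do
    echo "add $IPSET_TMP_WHITELIST_NAME $ip -exist"
  done < "$IP_WHITELIST"
} > "$IP_WHITELIST_RESTORE"

if [[ -f "$IP_WHITELIST_CUSTOM" ]]; then
  # The admin list goes through the same validation as the online sources; a
  # typo there must not break the restore or open a bigger hole than intended.
  custom_count=0
  while IFS= read -r ip; do
    echo "add $IPSET_TMP_WHITELIST_NAME $ip -exist" >> "$IP_WHITELIST_RESTORE"
    custom_count=$((custom_count + 1))
  done < <(filter_entries < "$IP_WHITELIST_CUSTOM")
  echo
  echo -e "\x1B[01;93m Number of Local Custom Admin Whitelist IP/Networks found:\x1B[0m" "\x1B[01;89m $custom_count \x1B[0m"
fi

echo
echo -e "\x1B[01;92m #############################################################################################\x1B[0m"
echo -e "\x1B[01;92m # #\x1B[0m"
echo -e "\x1B[01;92m # Dynamic and Global Online IPset Whitelist was built into one file. To view the whitelist #\x1B[0m"
echo -e "\x1B[01;92m # IP addresses, use ipset -L IPSET-WHITELIST | less for List name and properties. #\x1B[0m"
echo -e "\x1B[01;92m # #\x1B[0m"
echo -e "\x1B[01;92m # To activate the Whitelist, enable the IPset rules inside the IPtables Script file under #\x1B[0m"
echo -e "\x1B[01;92m # IPset section. Run IPtables Script again to route all traffic through Whitelist. #\x1B[0m"
echo -e "\x1B[01;92m # #\x1B[0m"
echo -e "\x1B[01;92m # CCNA HUB - Imad Daou #\x1B[0m"
echo -e "\x1B[01;92m #############################################################################################\x1B[0m"
echo

{
  echo "swap $IPSET_WHITELIST_NAME $IPSET_TMP_WHITELIST_NAME"
  echo "destroy $IPSET_TMP_WHITELIST_NAME"
} >> "$IP_WHITELIST_RESTORE"

# ipset restore stops at the first failing line, so the swap (and thus the
# change to the live set) happens only when every add succeeded.
if ! ipset restore < "$IP_WHITELIST_RESTORE"; then
  echo "Error: ipset restore failed; the previous $IPSET_WHITELIST_NAME set is still active and $IPSET_TMP_WHITELIST_NAME may need to be destroyed by hand" >&2
  exit 1
fi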