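#!/bin/sh
# Build an ipset of the IPv4 prefixes delegated to China (CN) from the APNIC
# delegation file and exempt TCP traffic to those prefixes from the GW2 nat chain.
#
# Requires: root, wget, awk, grep, ipset, iptables. The nat chain GW2 must
# already exist (this script does not create it). Safe to re-run: the set and
# the rule are created only if missing, and the set contents are refreshed
# atomically on every run.
set -eu

readonly set_name=china_ip_set
readonly src_url='https://ftp.apnic.net/stats/apnic/delegated-apnic-latest'
readonly cidr_file=./cn_ip_list.conf

die() { printf '%s\n' "$*" >&2; exit 1; }

work_dir=$(mktemp -d) || die 'mktemp failed'
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT INT TERM

# Fetch a fresh copy every run over TLS. No "-c": resuming a stale partial
# download would silently splice old and new delegations together.
# NOTE(review): APNIC also publishes delegated-apnic-latest.md5; checking it
# would add an integrity check on data that ends up in kernel state. Not done here.
wget -q -O "$work_dir/delegated" -- "$src_url" || die "download failed: $src_url"

# Field layout: registry|cc|type|start|value|date|status. Match the cc and type
# fields exactly (a bare /CN/ would also hit any line containing "CN" elsewhere).
# For ipv4, 'value' is a host count that is not guaranteed to be a power of two
# or aligned to 'start', so split each range into the largest aligned
# power-of-two blocks instead of assuming 32-log2(value) is an integer.
awk -F '|' '
  function ip2int(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
  function int2ip(n) { return int(n/16777216)%256 "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
  $2 == "CN" && $3 == "ipv4" {
    start = ip2int($4); left = $5 + 0
    while (left > 0) {
      size = 1; bits = 32
      while (size*2 <= left && start % (size*2) == 0) { size *= 2; bits-- }
      print int2ip(start) "/" bits
      start += size; left -= size
    }
  }' "$work_dir/delegated" > "$work_dir/cidrs"

# The prefixes are downloaded input that is fed to ipset: accept only strict
# dotted-quad/prefix lines, and refuse to touch the live set on an empty result.
grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])' "$work_dir/cidrs" > "$cidr_file" \
  || die 'no valid CN prefixes parsed; leaving ipset and iptables untouched'

# Install ipset only when it is actually missing.
command -v ipset >/dev/null 2>&1 || apt-get install -y ipset

# Create the live set idempotently, load a scratch set and swap it in, so the
# live set is never observed half-populated and stale entries are dropped.
# https://ipset.netfilter.org/tips.html
ipset create "$set_name" hash:net maxelem 65536 -exist
ipset create "${set_name}_tmp" hash:net maxelem 65536 -exist
ipset flush "${set_name}_tmp"
while IFS= read -r cidr || [ -n "$cidr" ]; do
  ipset add "${set_name}_tmp" "$cidr" -exist
done < "$cidr_file"
ipset swap "${set_name}_tmp" "$set_name"
ipset destroy "${set_name}_tmp"

# Exempt TCP traffic destined for CN prefixes from the GW2 nat chain.
# Check with -C first so repeated runs do not append duplicate rules.
iptables -t nat -C GW2 -p tcp -m set --match-set "$set_name" dst -j RETURN 2>/dev/null \
  || iptables -t nat -A GW2 -p tcp -m set --match-set "$set_name" dst -j RETURN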