From 2b119b9b2274ec8ad8047077fa5efe6c5c293225 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Tue, 23 Dec 2014 12:20:16 +0000
Subject: [PATCH] initialize a manual-blacklist set
---
blacklist.sh | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/blacklist.sh b/blacklist.sh
index f6185b2..2b25190 100644
--- a/blacklist.sh
+++ b/blacklist.sh
@@ -31,15 +31,25 @@ if ! iptables -L | grep -q "Chain ${blocklist_chain_name}"; then
fi
# inject references to blocklist in the beginning of input and forward chains
-if ! iptables -L INPUT|grep -q ${blocklist_chain_name}; then
+if ! iptables -L INPUT | grep -q ${blocklist_chain_name}; then
iptables -I INPUT 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
-if ! iptables -L FORWARD|grep -q ${blocklist_chain_name}; then
+if ! iptables -L FORWARD | grep -q ${blocklist_chain_name}; then
iptables -I FORWARD 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
+# flush the chain referencing blacklists, they will be restored in a second
iptables -F ${blocklist_chain_name}
+
+# create the "manual" blacklist set
+set_name="manual-blacklist"
+if ! ipset list | grep -q "Name: ${set_name}"; then
+ ipset create "${set_name}" hash:net
+fi
+iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
+iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
+# now process the dynamic blacklists
for url in $urls; do
# initialize temp files
unsorted_blocklist=$(mktemp)
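Review bot: The existence check `ipset list | grep -q "Name: ${set_name}"` is a substring match, so any set whose name merely begins with `manual-blacklist` (for example `manual-blacklist-old`) satisfies it, the `ipset create` is skipped, both `--match-set "${set_name}"` rules then fail, and the chain just flushed at `iptables -F ${blocklist_chain_name}` is left without the manual DROP rule until the next run; `if ! ipset list "${set_name}" >/dev/null 2>&1; then` (or `ipset create -exist "${set_name}" hash:net`) tests the exact name instead. Independently, `hash:net` is a one-dimensional set, and as far as I understand `-m set` only the first flag of `src,dst` is applied to such a set, so both new rules match on the source address only; if traffic towards a blacklisted net is also meant to be dropped (the FORWARD hook suggests it is), a second LOG/DROP pair using `dst` is needed. Whether the script runs under `set -e` is not visible in this hunk, so it is worth confirming that a failing `ipset` command cannot leave the chain silently empty.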