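#!/bin/bash
#
# firewall-blocks.sh
#
# Builds an iptables chain named BLACKLIST from the FireHOL level1 netset plus
# a local static list, and hooks it into INPUT ahead of everything else.
#
# The rule set is assembled in a staging chain and swapped in with a rename
# (iptables -E), so the previous rules stay in force until the new ones are
# complete instead of leaving INPUT unprotected while the chain is rebuilt.
#
# Requires: root, iptables, dig (bind-utils), curl, ip (iproute2).
# Side effects: replaces the BLACKLIST chain and its INPUT jump; appends every
# downloaded address to LIST_PATH, so that file grows over time.

set -o pipefail

readonly LIST_PATH="/path/to/firewall-blocks-list.txt"
readonly BLACKLIST_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset"
readonly CHAIN="BLACKLIST"
readonly STAGING_CHAIN="BLACKLIST_NEW"

# Hostnames whose current A record is allowed through (resolved on every run).
WHITELIST_DDNS=(your-safe-ddns1.com your-safe-ddns2.com)
# Addresses/networks that are always allowed through.
WHITELIST_STATIC=(127.0.0.1 192.168.0.0/16)

# Dotted quad, and dotted quad with optional /prefix. Used unquoted on the
# right of =~ so bash treats them as regexes, and as ERE for grep.
readonly IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
readonly CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'

# Exact lines already present in LIST_PATH (and rules already added), keyed by
# the line text. Replaces the per-address `iptables -C` / `grep -qxF` probes.
declare -A SEEN=()

# Downloaded netset; created with mktemp and removed by the EXIT trap.
TMP_FILE=""

log() { printf '%s\n' "$*"; }
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Abort early with a clear message if a required tool is missing.
#######################################
require_tools() {
  local tool
  for tool in iptables dig curl ip; do
    command -v "$tool" > /dev/null || die "[!] ERROR: required tool not found: $tool"
  done
}

#######################################
# Wait up to 10 x 5 s for a resolver to answer.
# Returns: 0 once a query is answered, 1 after all attempts fail.
# Note: dig exits 0 whenever a server replied, even with NXDOMAIN, so this
# only proves that DNS is reachable.
#######################################
wait_for_dns() {
  local attempt
  for attempt in {1..10}; do
    if dig +short myip.opendns.com > /dev/null; then
      log " → DNS OK"
      return 0
    fi
    log " → Waiting for DNS..."
    sleep 5
  done
  return 1
}

#######################################
# Print this host's public IPv4 address as seen by OpenDNS.
# Outputs: the address on stdout.
# Returns: 1 when the answer is not a single dotted quad.
#######################################
detect_public_ip() {
  local ip
  # head -1: a multi-line answer would never match the anchored regex.
  ip=$(dig +short myip.opendns.com @resolver1.opendns.com | head -1)
  [[ $ip =~ $IPV4_RE ]] || return 1
  printf '%s\n' "$ip"
}

#######################################
# Download the FireHOL netset into $1.
# Returns: non-zero on a transport/HTTP error or an empty file.
#######################################
fetch_blocklist() {
  local dest=$1
  # -f turns HTTP errors into a failure instead of saving the error page as
  # if it were the list; --max-time keeps a stalled download from hanging
  # the whole run.
  curl -fsSL --max-time 120 -o "$dest" "$BLACKLIST_URL" || return 1
  [[ -s "$dest" ]]
}

#######################################
# Create (or reset) the staging chain and drop any INPUT jump to it left
# behind by an interrupted run, so the later -I INPUT cannot duplicate it.
#######################################
prepare_staging_chain() {
  while iptables -D INPUT -j "$STAGING_CHAIN" 2>/dev/null; do :; done
  if iptables -L "$STAGING_CHAIN" -n &>/dev/null; then
    iptables -F "$STAGING_CHAIN"
  else
    iptables -N "$STAGING_CHAIN" || die "[!] ERROR: cannot create chain $STAGING_CHAIN"
  fi
}

#######################################
# Append ACCEPT rules for everything that must never be blocked.
# Arguments: $1 - chain to fill; $2 - this host's public IP
#######################################
add_whitelist_rules() {
  local chain=$1 public_ip=$2
  local entry local_ip host safe_ip

  for entry in "${WHITELIST_STATIC[@]}"; do
    iptables -A "$chain" -s "$entry" -j ACCEPT
  done

  # Primary local address: take the token after "src" rather than a fixed
  # field number, since the layout of `ip route get` varies between versions.
  local_ip=$(ip -4 route get 1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") {print $(i+1); exit}}')
  if [[ $local_ip =~ $IPV4_RE ]]; then
    iptables -A "$chain" -s "$local_ip" -j ACCEPT
  else
    log "[!] Could not determine local IP; skipping its ACCEPT rule"
  fi

  iptables -A "$chain" -s "$public_ip" -j ACCEPT

  # NOTE: these answers come from plain, unauthenticated DNS; an ACCEPT added
  # here is only as trustworthy as the resolver this host uses.
  for host in "${WHITELIST_DDNS[@]}"; do
    safe_ip=$(dig +short "$host" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -1)
    if [[ $safe_ip =~ $IPV4_RE ]]; then
      iptables -A "$chain" -s "$safe_ip" -j ACCEPT
    else
      log "[!] Could not resolve whitelist host $host; skipping"
    fi
  done
}

#######################################
# Append DROP rules for every valid entry of LIST_PATH, and record every
# non-empty line in SEEN so the FireHOL step neither duplicates a rule nor
# re-appends an address already in the file.
# Arguments: $1 - chain to fill
#######################################
block_static_list() {
  local chain=$1 line

  if [[ ! -f "$LIST_PATH" ]]; then
    log "[!] No static IP list found at $LIST_PATH"
    return 0
  fi

  # `|| [[ -n $line ]]` keeps a last line that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -z "$line" ]] && continue
    SEEN["$line"]=1
    [[ "$line" == \#* ]] && continue
    if [[ $line =~ $CIDR_RE ]]; then
      log " → Blocking $line"
      iptables -A "$chain" -s "$line" -j DROP
    else
      log "[!] Invalid IP: $line"
    fi
  done < "$LIST_PATH"
}

#######################################
# Append DROP rules for the addresses in BAD_IPS (global, filled by main)
# and persist any new address to LIST_PATH.
# Arguments: $1 - chain to fill
#######################################
block_firehol_list() {
  local chain=$1 ip
  for ip in "${BAD_IPS[@]}"; do
    # Already handled by the static list: rule and file entry both exist.
    [[ -n ${SEEN[$ip]+x} ]] && continue
    iptables -A "$chain" -s "$ip" -j DROP
    printf '%s\n' "$ip" >> "$LIST_PATH"
    SEEN["$ip"]=1
  done
}

#######################################
# Put the staging chain in front of INPUT, retire the old chain, then rename
# the staging chain to the canonical name. The order matters: the new jump
# is in place before the old one goes, so INPUT is never without a blacklist.
#######################################
install_chain() {
  iptables -I INPUT -j "$STAGING_CHAIN"
  while iptables -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
  if iptables -L "$CHAIN" -n &>/dev/null; then
    iptables -F "$CHAIN"
    iptables -X "$CHAIN" \
      || die "[!] ERROR: cannot delete old chain $CHAIN (still referenced elsewhere?); $STAGING_CHAIN is active in INPUT"
  fi
  iptables -E "$STAGING_CHAIN" "$CHAIN" || die "[!] ERROR: cannot rename $STAGING_CHAIN to $CHAIN"
}

main() {
  local public_ip

  (( EUID == 0 )) || die "[!] ERROR: must run as root (iptables)"
  require_tools

  log "[ $(date '+%Y-%m-%d %H:%M:%S') ] 🛡 Starting firewall-blocks.sh"

  # As in earlier versions, carry on after the wait: public IP detection
  # below gives the definitive failure if DNS is still down.
  wait_for_dns || log "[!] DNS not responding after 10 attempts, continuing"

  log "[*] Detecting public IP..."
  public_ip=$(detect_public_ip) || die "[!] ERROR: Public IP not detected"
  log " → Public IP: $public_ip"

  log "[*] Downloading FireHOL blacklist..."
  # mktemp instead of a fixed /tmp name: no clobbering of, or by, another
  # process using the same path.
  TMP_FILE=$(mktemp "${TMPDIR:-/tmp}/firehol_blacklist.XXXXXX") || die "[!] ERROR: mktemp failed"
  trap 'rm -f -- "$TMP_FILE"' EXIT
  fetch_blocklist "$TMP_FILE" || die "[!] ERROR: blacklist not downloaded"

  # Only lines that are a bare address or CIDR are used; comments and
  # anything else in the netset are ignored.
  mapfile -t BAD_IPS < <(grep -Eo "$CIDR_RE" "$TMP_FILE" | sort -u)
  (( ${#BAD_IPS[@]} > 0 )) || die "[!] ERROR: no addresses found in downloaded blacklist"

  prepare_staging_chain
  add_whitelist_rules "$STAGING_CHAIN" "$public_ip"

  log "[*] Blocking static IPs from $LIST_PATH..."
  block_static_list "$STAGING_CHAIN"

  log "[*] Blocking FireHOL IPs..."
  touch "$LIST_PATH" || die "[!] ERROR: cannot write $LIST_PATH"
  block_firehol_list "$STAGING_CHAIN"

  install_chain
  log "[✓] Firewall protection active with ${#BAD_IPS[@]} dynamic + static IPs."
}

main "$@"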