From 387241d1f368ae544c296a269fe262a1d03602a6 Mon Sep 17 00:00:00 2001
From: nnduc
Date: Sat, 30 May 2026 13:47:06 +0700
Subject: [PATCH] change to iptables

---
 iptables/china-block.service | 13 +++++
 iptables/china-block.sh | 86 ++++++++++++++++++++++++++++++
 iptables/china-unblock.sh | 28 ++++++++++
 iptables/install.sh | 10 ++++
 {ufw => iptables}/requirements.txt | 0
 ufw/china-block.sh | 48 -----------------
 ufw/china-unblock.sh | 14 -----
 7 files changed, 137 insertions(+), 62 deletions(-)
 create mode 100644 iptables/china-block.service
 create mode 100755 iptables/china-block.sh
 create mode 100755 iptables/china-unblock.sh
 create mode 100644 iptables/install.sh
 rename {ufw => iptables}/requirements.txt (100%)
 delete mode 100755 ufw/china-block.sh
 delete mode 100755 ufw/china-unblock.sh

diff --git a/iptables/china-block.service b/iptables/china-block.service
new file mode 100644
index 0000000..0395aea
--- /dev/null
+++ b/iptables/china-block.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Block Chinese IP ranges via ipset + iptables
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/china-block.sh
+ExecStop=/usr/local/sbin/china-unblock.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/iptables/china-block.sh b/iptables/china-block.sh
new file mode 100755
index 0000000..19b06df
--- /dev/null
+++ b/iptables/china-block.sh
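Review bot: `ExecStart=/usr/local/sbin/china-block.sh` re-runs the block script at every boot and on each `systemctl restart`, and that script appends its DROP rules with unconditional `iptables -A` (see the china-block.sh hunk), so the rules accumulate: every run adds another copy, and china-unblock.sh's single `iptables -D` per rule then leaves the extra copies in place. If iptables.service on the target distribution restores the `iptables-save` output that china-block.sh writes to /etc/iptables/iptables.rules, the duplication already happens on the first reboot after install. Guarding each append with an existence check, `iptables -C INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null || iptables -A INPUT -m set --match-set "$IPSET_NAME" src -j DROP`, for the four iptables and four ip6tables rules makes the unit idempotent.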
@@ -0,0 +1,86 @@
+#!/bin/bash
+set -e
+
+IPSET_NAME="china"
+CIDR_FILE="/tmp/cn.cidr"
+
+SOURCES=(
+ "https://www.ipdeny.com/ipblocks/data/countries/cn.zone"
+ "https://raw.githubusercontent.com/mayaxcn/china-ip-list/master/chnroute.txt"
+)
+
+echo "[*] Killing Steam..."
+pkill -9 -f steam || true
+
+echo "[*] Downloading CN IP ranges..."
+for url in "${SOURCES[@]}"; do
+ echo " Trying $url ..."
+ wget -q "$url" -O "$CIDR_FILE"
+ if [[ $(wc -l < "$CIDR_FILE") -gt 10 ]]; then
+ echo " [+] Success: $(wc -l < "$CIDR_FILE") entries"
+ break
+ fi
+done
+
+if [[ $(wc -l < "$CIDR_FILE") -lt 10 ]]; then
+ echo "[!] All sources failed. Aborting."
+ exit 1
+fi
+
+echo "[*] Creating ipset..."
+ipset create "$IPSET_NAME" hash:net 2>/dev/null || ipset flush "$IPSET_NAME"
+
+echo "[*] Populating ipset..."
+while IFS= read -r cidr; do
+ [[ -z "$cidr" || "$cidr" == \#* ]] && continue
+ ipset add "$IPSET_NAME" "$cidr" || true
+done < "$CIDR_FILE"
+
+echo "[*] Applying iptables rules..."
+iptables -A INPUT -m set --match-set "$IPSET_NAME" src -j DROP
+iptables -A OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP
+
+echo "[*] Applying raw table rules (block UDP hole punch)..."
+iptables -t raw -A PREROUTING -m set --match-set "$IPSET_NAME" src -j DROP
+iptables -t raw -A OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP
+
+CIDR6_FILE="/tmp/cn6.cidr"
+SOURCES6=(
+ "https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv6/cn.cidr"
+ "https://www.ipdeny.com/ipv6/ipaddresses/blocks/cn.cidr"
+)
+
+echo "[*] Downloading CN IPv6 ranges..."
+for url in "${SOURCES6[@]}"; do
+ echo " Trying $url ..."
+ wget -q "$url" -O "$CIDR6_FILE"
+ if [[ $(wc -l < "$CIDR6_FILE") -gt 10 ]]; then
+ echo " [+] Success: $(wc -l < "$CIDR6_FILE") entries"
+ break
+ fi
+done
+
+if [[ $(wc -l < "$CIDR6_FILE") -lt 10 ]]; then
+ echo "[!] All IPv6 sources failed. Skipping IPv6 blocking."
+else
+ ipset create china6 hash:net family inet6 2>/dev/null || ipset flush china6
+ while IFS= read -r cidr; do
+ [[ -z "$cidr" || "$cidr" == \#* ]] && continue
+ ipset add china6 "$cidr" || true
+ done < "$CIDR6_FILE"
+
+ ip6tables -A INPUT -m set --match-set china6 src -j DROP
+ ip6tables -A OUTPUT -m set --match-set china6 dst -j DROP
+ ip6tables -t raw -A PREROUTING -m set --match-set china6 src -j DROP
+ ip6tables -t raw -A OUTPUT -m set --match-set china6 dst -j DROP
+fi
+
+echo "[*] Saving rules..."
+mkdir -p /etc/iptables
+ipset save > /etc/ipset.conf
+iptables-save > /etc/iptables/iptables.rules
+ip6tables-save > /etc/iptables/ip6tables.rules
+systemctl enable --now iptables
+systemctl enable --now ip6tables 2>/dev/null || true
+
+echo "[+] Done! Chinese IPs are now blocked."
\ No newline at end of file
diff --git a/iptables/china-unblock.sh b/iptables/china-unblock.sh
new file mode 100755
index 0000000..e900611
--- /dev/null
+++ b/iptables/china-unblock.sh
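Review bot: The fallback over `SOURCES` never reaches the second URL when the first is unreachable, because `wget -q "$url" -O "$CIDR_FILE"` runs under `set -e` and a failed fetch aborts the script outright (after `-O` has already truncated the file); the `SOURCES6` loop has the same flaw. The lists are fetched over the network and fed straight into `ipset add`, so a malformed or deliberately broad entry from a compromised mirror (a /0 prefix, for instance) silently lands in the DROP set; each line should be checked against a CIDR pattern before it is added, and `|| true` should not hide rejected entries. `/tmp/cn.cidr` and `/tmp/cn6.cidr` are fixed names written as root — `mktemp` plus a cleanup trap avoids symlink surprises and leftover files. The rewritten IPv4 download and populate loops are below; the IPv6 branch needs the same treatment with an IPv6 pattern.
```shell
for url in "${SOURCES[@]}"; do
  echo "  Trying $url ..."
  # a failed fetch must fall through to the next source instead of tripping set -e;
  # -O truncates the file first, so the wc -l check below sees 0 lines after a failure
  wget -q "$url" -O "$CIDR_FILE" || continue
  if [[ $(wc -l < "$CIDR_FILE") -gt 10 ]]; then
    echo "  [+] Success: $(wc -l < "$CIDR_FILE") entries"
    break
  fi
done
# … unchanged: line-count check, ipset create/flush …
while IFS= read -r cidr; do
  [[ -z "$cidr" || "$cidr" == \#* ]] && continue
  # the list is untrusted network input: accept only a.b.c.d[/n] with n between 8 and 32
  if [[ ! "$cidr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/([89]|[12][0-9]|3[0-2]))?$ ]]; then
    echo "  [!] Skipping invalid entry: $cidr" >&2
    continue
  fi
  # -exist tolerates duplicates; any other failure is now a real error and stops the script
  ipset add -exist "$IPSET_NAME" "$cidr"
done < "$CIDR_FILE"
```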
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -e
+
+IPSET_NAME="china"
+
+echo "[*] Removing iptables rules..."
+iptables -D INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null || true
+iptables -D OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP 2>/dev/null || true
+
+echo "[*] Removing raw table rules..."
+iptables -t raw -D PREROUTING -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null || true
+iptables -t raw -D OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP 2>/dev/null || true
+
+echo "[*] Removing ip6tables rules..."
+ip6tables -D INPUT -m set --match-set china6 src -j DROP 2>/dev/null || true
+ip6tables -D OUTPUT -m set --match-set china6 dst -j DROP 2>/dev/null || true
+ip6tables -t raw -D PREROUTING -m set --match-set china6 src -j DROP 2>/dev/null || true
+ip6tables -t raw -D OUTPUT -m set --match-set china6 dst -j DROP 2>/dev/null || true
+
+echo "[*] Destroying ipsets..."
+ipset destroy "$IPSET_NAME" 2>/dev/null || true
+ipset destroy china6 2>/dev/null || true
+rm -f /etc/ipset.conf /tmp/cn.cidr /tmp/cn6.cidr
+
+echo "[*] Clearing saved rules..."
+rm -f /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules
+
+echo "[+] Done! Chinese IPs are now unblocked."
\ No newline at end of file
diff --git a/iptables/install.sh b/iptables/install.sh
new file mode 100644
index 0000000..3c0933e
--- /dev/null
+++ b/iptables/install.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+install -m 755 china-block.sh /usr/local/sbin/china-block.sh
+install -m 755 china-unblock.sh /usr/local/sbin/china-unblock.sh
+install -m 644 china-block.service /etc/systemd/system/china-block.service
+
+systemctl daemon-reload
+systemctl enable --now china-block
+echo "[+] china-block service installed and started."
diff --git a/ufw/requirements.txt b/iptables/requirements.txt
similarity index 100%
rename from ufw/requirements.txt
rename to iptables/requirements.txt
diff --git a/ufw/china-block.sh b/ufw/china-block.sh
deleted file mode 100755
index 82e5c64..0000000
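Review bot: `rm -f /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules` deletes the whole persisted ruleset instead of re-saving it without the china rules, so any other rules an administrator had in those files are lost, and on distributions whose iptables.service restores from that path the service is left with nothing to load at the next boot. Replace the two `rm -f` targets with `iptables-save > /etc/iptables/iptables.rules` and `ip6tables-save > /etc/iptables/ip6tables.rules`, run after the `-D` and `ipset destroy` steps, so the file reflects exactly the state this script just produced. Note also that each `ipset destroy` fails silently through `|| true` if any rule still references the set, so a leftover duplicate rule keeps the set alive as well.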
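Review bot: `install -m 755 china-block.sh /usr/local/sbin/china-block.sh` and the two `install` lines after it resolve their sources relative to the caller's working directory, so the script only works when run from inside `iptables/` and otherwise stops at the first line under `set -e`. Add `cd "$(dirname "$0")"` before the installs, or prefix each source with `"$(dirname "$0")/"`. The file is also committed with mode 100644 while the two scripts it installs are 100755, so it has to be invoked as `bash install.sh` rather than `./install.sh`.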
--- a/ufw/china-block.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-set -e
-
-IPSET_NAME="china"
-CIDR_FILE="/tmp/cn.cidr"
-UFW_RULE="/etc/ufw/applications.d/block-china"
-
-SOURCES=(
- "https://www.ipdeny.com/ipblocks/data/countries/cn.zone"
- "https://raw.githubusercontent.com/mayaxcn/china-ip-list/master/chnroute.txt"
-)
-
-echo "[*] Downloading CN IP ranges..."
-for url in "${SOURCES[@]}"; do
- echo " Trying $url ..."
- wget -q "$url" -O "$CIDR_FILE"
- if [[ $(wc -l < "$CIDR_FILE") -gt 10 ]]; then
- echo " [+] Success: $(wc -l < "$CIDR_FILE") entries"
- break
- fi
-done
-
-if [[ $(wc -l < "$CIDR_FILE") -lt 10 ]]; then
- echo "[!] All sources failed. Aborting."
- exit 1
-fi
-
-echo "[*] Creating ipset..."
-ipset create "$IPSET_NAME" hash:net 2>/dev/null || ipset flush "$IPSET_NAME"
-
-echo "[*] Populating ipset..."
-while IFS= read -r cidr; do
- [[ -z "$cidr" ]] && continue
- ipset add "$IPSET_NAME" "$cidr"
-done < "$CIDR_FILE"
-
-echo "[*] Saving ipset..."
-ipset save > /etc/ipset.conf
-
-echo "[*] Adding iptables rules directly..."
-iptables -A INPUT -m set --match-set "$IPSET_NAME" src -j DROP
-iptables -A OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP
-
-echo "[*] Saving iptables rules..."
-iptables-save > /etc/iptables/iptables.rules
-systemctl enable --now iptables
-
-echo "[+] Done! Chinese IPs are now blocked."
\ No newline at end of file
diff --git a/ufw/china-unblock.sh b/ufw/china-unblock.sh
deleted file mode 100755
index 0156b2e..0000000
--- a/ufw/china-unblock.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-set -e
-
-IPSET_NAME="china"
-
-echo "[*] Removing iptables rules..."
-iptables -D INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>/dev/null || true
-iptables -D OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP 2>/dev/null || true
-
-echo "[*] Destroying ipset..."
-ipset destroy "$IPSET_NAME" 2>/dev/null || true
-rm -f /etc/ipset.conf /tmp/cn.cidr /etc/iptables/iptables.rules
-
-echo "[+] Done! Chinese IPs are now unblocked."
\ No newline at end of file