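#!/bin/bash
# cron.hourly script to block tor exit nodes
# Despite being installed as a cron.hourly job, the effective update frequency
# can be limited to a set of hours - see RUNON below.
#
# Copyright (c)2017 doekia Enter-Solutions GPL
#
# Fetch https://check.torproject.org/cgi-bin/TorBulkExitList.py
# and block the ip nodes listed there: the addresses are kept in an ipset
# ("tor") that an iptables INPUT rule matches and DROPs.
#
# Must run as root (ipset / iptables). Needs bash, wget, ipset, iptables and
# coreutils (mktemp, sort, comm).
#
# uncomment this line to change frequency behaviour
# it is a list of valid hours (0-23, written without a leading zero) at which
# the set is updated - e.g. 0 8 16 = every 8 hours
#RUNON='0 8 16'
##############################################

# No 'set -e': every command whose failure matters is checked explicitly so a
# failed step can never leave the set half reconciled.
set -u
set -o pipefail

SET_NAME='tor'
# ?ip= is required by the service; it asks for the exit nodes able to reach
# that address, which for a catch-all blocklist is "all of them".
LIST_URL='https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1'
# Anchored dotted-quad pattern: used both to filter the downloaded list and to
# pick the member lines out of 'ipset -L' output (everything else is header).
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Check the time to limit on wishes.
if [[ -n "${RUNON:-}" ]]; then
  # 'date +%H' is zero padded ("08") while RUNON is written unpadded ("8"),
  # so the two are compared as base-10 integers. The 10# prefix stops bash
  # from reading "08"/"09" as (invalid) octal literals.
  H=$((10#$(date +%H)))
  run_now=0
  for hour in $RUNON; do
    if [[ "$hour" =~ ^[0-9]+$ ]] && (( 10#$hour == H )); then
      run_now=1
      break
    fi
  done
  (( run_now )) || exit 0
fi

(( EUID == 0 )) || die "must be run as root (ipset/iptables)"

# Private work directory: unpredictable name, mode 0700, and removed on every
# exit path. Predictable /tmp/<pid>.* names can be pre-created or symlinked by
# any local user and would let them feed this root script a crafted list.
WORKDIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$WORKDIR"' EXIT
TOR_LIST="$WORKDIR/tor.txt"
SET_LIST="$WORKDIR/set.txt"
SET_RAW="$WORKDIR/set.raw"

# Create the set if it does not exist yet.
if ! ipset -q -L "$SET_NAME" >/dev/null 2>&1; then
  ipset -N "$SET_NAME" iphash || die "cannot create ipset '$SET_NAME'"
fi

# Make sure the DROP rule is in place. This is checked independently of the
# set's existence so the rule is restored after an iptables flush/restart that
# left the ipset alone; the check avoids stacking duplicate rules each run.
if ! iptables -L INPUT -n 2>/dev/null | grep -q -- "match-set $SET_NAME src"; then
  iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP \
    || die "cannot insert iptables rule for set '$SET_NAME'"
fi

# Fetch the tor exit list. Only well-formed IPv4 addresses are kept: the set is
# an IPv4 hash and comm(1) below needs clean input; comment lines and any
# IPv6 entries are dropped here instead of failing silently in 'ipset -A'.
# --https-only refuses a redirect to plain http; wget checks the certificate
# by default. Bounded retries/timeout keep a stuck fetch from piling up with
# the next cron run.
if ! wget -q --https-only -T 30 -t 3 -O - "$LIST_URL" \
      | grep -E "$IPV4_RE" \
      | LC_ALL=C sort -u > "$TOR_LIST" \
   || [[ ! -s "$TOR_LIST" ]]; then
  # A failed or empty download must NOT be reconciled: diffing an empty list
  # against the set would delete every entry and open the firewall until the
  # next successful run.
  die "could not fetch the tor exit list; leaving set '$SET_NAME' untouched"
fi

# Recover the current set membership.
ipset -L "$SET_NAME" > "$SET_RAW" || die "cannot list ipset '$SET_NAME'"
# grep exits 1 on an empty set; that is a valid (empty) membership, not an error.
grep -E "$IPV4_RE" "$SET_RAW" | LC_ALL=C sort -u > "$SET_LIST"

# comm(1) requires both inputs sorted under the same collation, hence LC_ALL=C
# on every sort and on comm itself.
# Column 1 only (-2 -3): in the fresh list but not in the set -> add.
while IFS= read -r node; do
  ipset -q -A "$SET_NAME" "$node"
done < <(LC_ALL=C comm -2 -3 "$TOR_LIST" "$SET_LIST")

# Column 2 only (-1 -3): in the set but no longer a tor exit node -> remove.
while IFS= read -r node; do
  ipset -q -D "$SET_NAME" "$node"
done < <(LC_ALL=C comm -1 -3 "$TOR_LIST" "$SET_LIST")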