smeserver-xt_geoip/contribs9/smeserver-xt_geoip-1.0.1-bz10760-per_serv2.patch

diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries   2017-09-15 14:44:39.000000000 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries       2019-07-23 02:54:03.000000000 +0200
@@ -1 +0,0 @@
-A1
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip       2019-07-23 03:16:53.259411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip   2019-07-23 03:20:21.597404763 +0200
@@ -197,4 +197,25 @@
            <trans>Too many countries chosen: {$ctr}</trans>
     </entry>
 
+    <entry>
+            <base>LABEL_REVERSE_MATCH</base>
+            <trans>Reject if</trans>
+    </entry>
+
+    <entry>
+            <base>DESC_REVERSE_MATCH</base>
+            <trans>The following option allow to chose if you want reject visitors from the country list (==) which is the default behaviour, or if you want to only let them in (!=).</trans>
+    </entry>
+
+    <entry>
+            <base>LABEL_OTHERS</base>
+            <trans>General filter only for services without rules</trans>
+    </entry>
+
+    <entry>
+            <base>DESC_OTHERS</base>
+            <trans>Choose if you want to have the general filter to apply to all incoming connections or if you do not want to filter ports already defined with a specific service rule. This would allow you to have a service less restricted than the general rule if you enable this.</trans>
+    </entry>
+
+
 </lexicon>
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip     2019-07-23 03:16:53.270411434 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-22 03:12:53.000000000 +0200
@@ -8,14 +8,10 @@
     my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
     my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
     my $port;
-    my $locPorts;
+    my @locPorts;
     my $servStatus;
     my $locBC;
-    if ($GP eq 'enabled')
-    {
-        if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
-        {
-            # to allow reload      
+   # to allow reload      
             $OUT .=<<'EOF';
    # A blacklist chain for xtables-addons GEOIP
     /sbin/iptables --new-chain XTGeoIP
@@ -24,8 +20,34 @@
     /sbin/iptables --insert INPUT 1 \
        -j XTGeoIP
 EOF
+
+    if ($GP eq 'enabled')
+    {
+        if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
+        {
+
+# do not block LAN
+    my $locals = "@locals";
+    if (@locals)
+    {
+        # Make a new local_chk chain and add any networks found in networks db
+        foreach my $local (@locals)
+        {
+            # If the network is a remote vpn subnet, restrict it to the ipsec0
+            # interface.
+            my ($net, $msk) = split /\//, $local;
+            my $netrec = $nets->get($net);
+            die "Can't find network $net in networks db!\n" unless $netrec;
+            $OUT .= "    /sbin/iptables -A XTGeoIP_1 -s $local";
+            if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+            {
+                $OUT .= " --in-interface ipsec0";
+            }
+            $OUT .= " -j RETURN\n";
+        }
+    }
+
     ##adding here for service specific
-    $locPorts='';
     
        my @services = split(/,/, $masq{'XtServices'});
        foreach my $servName (@services) 
@@ -34,22 +56,27 @@
            my $servStatus = ${$servName}{'status'} || 'disabled';
            my $servAccess = ${$servName}{'access'} || 'private';
            my $locBC = ${$servName}{'BadCountries'} || '';
+           my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!":  "";
            if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
-               $locPorts .= "$port,";
-                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
-                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+               push  @locPorts, $port;
+                my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
            }
        }
 
     # block for other or all should move there
     if ($BC ne '') {
-       if ($locPorts ne '') {
-               $locPorts = substr $locPorts, 0, -1;
-                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
-                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts  --src-cc $BC -j DROP\n";
+       my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!":  "";
+       my $others = ( ( $masq{'XTGeoipOther'}  || 'enabled') eq "disabled") ? 1 : 0;
+       @locPorts = () unless $others;
+       if (@locPorts != 0) {
+               my $LocPorts = join ',', @locPorts;
+                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
        } else {
-                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
-                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
+                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+                $OUT .= "    /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
         }
     }
     $OUT .= "    /sbin/iptables --append  XTGeoIP_1" .
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip       2019-07-23 03:16:53.293411435 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip   2019-07-22 00:35:29.000000000 +0200
@@ -7,11 +7,11 @@
     my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
     my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
     my $port;
-    my $locPorts;
+    my @locPorts;
     my $servStatus;
     my $locBC;
 
-   # to allow reload  without locking  just after initial  install
+   # to allow reload  without locking  just after initial  install   
    $OUT .=<<'EOF';
    iptables -n --list XTGeoIP >/dev/null 2>&1
    test=$?
@@ -36,8 +36,28 @@
     {
         if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
         {
-        # add content here
-       $locPorts = '';
+
+# do not block LAN
+    my $locals = "@locals";
+    if (@locals)
+    {
+        # Make a new local_chk chain and add any networks found in networks db
+        foreach my $local (@locals)
+        {
+            # If the network is a remote vpn subnet, restrict it to the ipsec0
+            # interface.
+            my ($net, $msk) = split /\//, $local;
+            my $netrec = $nets->get($net);
+            die "Can't find network $net in networks db!\n" unless $netrec;
+            $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $local";
+            if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+            {
+                $OUT .= " --in-interface ipsec0";
+            }
+            $OUT .= " -j RETURN\n";
+        }
+    }
+
        my @services = split(/,/, $masq{'XtServices'});
        
        foreach my $servName (@services) 
@@ -46,33 +66,27 @@
            my $servStatus = ${$servName}{'status'} || 'disabled';
            my $servAccess = ${$servName}{'access'} || 'private';
            my $locBC = ${$servName}{'BadCountries'} || '';
+            my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!":  "";
            if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
-               $locPorts .= "$port,";
-                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
-                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+                push  @locPorts, $port;
+               my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
            }
        }
 
-            ##adding here for service specific
-                # imaps 993
-                #$locBC = $imaps{BadCountries} || '';
-                #$servStatus = $imaps{'status'} || 'disabled';
-                #$port = $imaps{'TCPPort'} || '993';
-                #if ($servStatus eq 'enabled' and $locBC ne '') {
-               #       $locPorts .= "${port},";
-                #        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: IMAPS\"\n";
-                #        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
-                #}
-
                 # block for all or other ports should move there
                 if ($BC ne '') {
-                   if ($locPorts ne '') {
-                       $locPorts = substr $locPorts, 0, -1;
-                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
-                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts  --src-cc $BC -j DROP\n";
+                   my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!":  "";
+                   my $others = ( ( $masq{'XTGeoipOther'}  || 'disabled') eq "enabled") ? 1 : 0;
+                   @locPorts = () unless $others;
+                   if (@locPorts != 0) {
+                       my $LocPorts = join ',', @locPorts;
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts  $reverse --src-cc $BC -j DROP\n";
                    } else {
-                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
-                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j DROP\n";
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
                    }
                 }
                 $OUT .= "    /sbin/iptables --append  \$NEW_XTGeoIP" .
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip        2019-07-23 03:16:53.279411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip    2019-07-23 02:18:09.000000000 +0200
@@ -81,7 +81,7 @@
        <field
            type="literal"
            id="badcountries"
-           value="get_badcountries()">
+           value="get_badcountries(1)">
            <label>LABEL_BADCOUNTRIES_STATUS</label>
        </field>        
 
@@ -102,7 +102,6 @@
         <field type="literal" id="service_label" value="">
             <description>SERVICE_DESCRIPTION</description>
         </field>
-
         <subroutine src="print_custom_button('PER_SERVICE_GEOIP', 'Service', '')"/>
 
         <field type="literal" id="stats_label" value="">
@@ -128,10 +127,20 @@
             <description>DESC_GEOIP</description>
         </field>
 
+        <field
+            type="select"
+            id="masq_reverse"
+            options="'enabled' => '!=', 'disabled' => '=='"
+            value="get_reverse('masq','XTGeoipRev')">
+            <label>LABEL_REVERSE_MATCH</label>
+            <description>DESC_REVERSE_MATCH</description>
+        </field>
+
        <field
            type="text"
            id="masq_badcountries"
            size="64"
+            value="get_badcountries(0)"
            validation="must_exist()">
            <label>LABEL_BADCOUNTRIES</label>
            <description>DESC_BADCOUNTRIES</description>
@@ -140,9 +149,18 @@
        <field
            type="literal"
            id="badcountries"
-           value="get_badcountries()">
+           value="get_badcountries(1)">
            <label>LABEL_BADCOUNTRIES_STATUS</label>
        </field>        
+
+        <field
+            type="select"
+            id="masq_others"
+            options="'enabled' => 'enabled', 'disabled' => 'disabled'"
+            value="get_reverse('masq','XTGeoipOther')">
+            <label>LABEL_OTHERS</label>
+            <description>DESC_OTHERS</description>
+        </field>
        
        <field
             type="select"
@@ -163,7 +181,7 @@
        <field
            type="literal"
            id="badcountries"
-           value="get_badcountries()">
+           value="get_badcountries(1)">
            <label>LABEL_BADCOUNTRIES_STATUS</label>
        </field>        
         <subroutine src="print_service_table()" />
@@ -187,14 +205,24 @@
        <field
            type="literal"
            id="badcountries"
-           value="get_badcountries()">
+           value="get_badcountries(1)">
            <label>LABEL_BADCOUNTRIES_STATUS</label>
        </field>        
 
+        <field
+            type="select"
+            id="masq_srv_reverse"
+            options="'enabled' => '!=', 'disabled' => '=='"
+            value="get_reverse('','XTGeoipRev')">
+            <label>LABEL_REVERSE_MATCH</label>
+            <description>DESC_REVERSE_MATCH</description>
+        </field>
+
        <field
            type="text"
            id="masq_srv_badcountries"
            size="64"
+            value="get_srv_badcountries(0)"
            validation="srv_must_exist()">
            <label>LABEL_BADCOUNTRIES</label>
            <description>DESC_BADCOUNTRIES</description>
@@ -203,7 +231,7 @@
        <field
            type="literal"
            id="srv_badcountries"
-           value="get_srv_badcountries()">
+           value="get_srv_badcountries(1)">
            <label>LABEL_SERV_BADCOUNTRIES_STATUS</label>
        </field>
 
1	diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
2	--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2017-09-15 14:44:39.000000000 +0200
3	+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2019-07-23 02:54:03.000000000 +0200
4	@@ -1 +0,0 @@
5	-A1
6	diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
7	--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.259411436 +0200
8	+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:20:21.597404763 +0200
9	@@ -197,4 +197,25 @@
10	<trans>Too many countries chosen: {$ctr}</trans>
11	</entry>
12
13	+ <entry>
14	+ <base>LABEL_REVERSE_MATCH</base>
15	+ <trans>Reject if</trans>
16	+ </entry>
17	+
18	+ <entry>
19	+ <base>DESC_REVERSE_MATCH</base>
20	+ <trans>The following option allow to chose if you want reject visitors from the country list (==) which is the default behaviour, or if you want to only let them in (!=).</trans>
21	+ </entry>
22	+
23	+ <entry>
24	+ <base>LABEL_OTHERS</base>
25	+ <trans>General filter only for services without rules</trans>
26	+ </entry>
27	+
28	+ <entry>
29	+ <base>DESC_OTHERS</base>
30	+ <trans>Choose if you want to have the general filter to apply to all incoming connections or if you do not want to filter ports already defined with a specific service rule. This would allow you to have a service less restricted than the general rule if you enable this.</trans>
31	+ </entry>
32	+
33	+
34	</lexicon>
35	diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
36	--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-23 03:16:53.270411434 +0200
37	+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-22 03:12:53.000000000 +0200
38	@@ -8,14 +8,10 @@
39	my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
40	my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
41	my $port;
42	- my $locPorts;
43	+ my @locPorts;
44	my $servStatus;
45	my $locBC;
46	- if ($GP eq 'enabled')
47	- {
48	- if (-s $PATH_MODULE \|\| -s $PATH2_MODULE \|\| -s $PATH3_MODULE)
49	- {
50	- # to allow reload
51	+ # to allow reload
52	$OUT .=<<'EOF';
53	# A blacklist chain for xtables-addons GEOIP
54	/sbin/iptables --new-chain XTGeoIP
55	@@ -24,8 +20,34 @@
56	/sbin/iptables --insert INPUT 1 \
57	-j XTGeoIP
58	EOF
59	+
60	+ if ($GP eq 'enabled')
61	+ {
62	+ if (-s $PATH_MODULE \|\| -s $PATH2_MODULE \|\| -s $PATH3_MODULE)
63	+ {
64	+
65	+# do not block LAN
66	+ my $locals = "@locals";
67	+ if (@locals)
68	+ {
69	+ # Make a new local_chk chain and add any networks found in networks db
70	+ foreach my $local (@locals)
71	+ {
72	+ # If the network is a remote vpn subnet, restrict it to the ipsec0
73	+ # interface.
74	+ my ($net, $msk) = split /\//, $local;
75	+ my $netrec = $nets->get($net);
76	+ die "Can't find network $net in networks db!\n" unless $netrec;
77	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local";
78	+ if (($netrec->prop('remoteVPNSubnet') \|\| 'no') eq 'yes')
79	+ {
80	+ $OUT .= " --in-interface ipsec0";
81	+ }
82	+ $OUT .= " -j RETURN\n";
83	+ }
84	+ }
85	+
86	##adding here for service specific
87	- $locPorts='';
88
89	my @services = split(/,/, $masq{'XtServices'});
90	foreach my $servName (@services)
91	@@ -34,22 +56,27 @@
92	my $servStatus = ${$servName}{'status'} \|\| 'disabled';
93	my $servAccess = ${$servName}{'access'} \|\| 'private';
94	my $locBC = ${$servName}{'BadCountries'} \|\| '';
95	+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} \|\| 'disabled' ) eq "enabled" )? "!": "";
96	if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
97	- $locPorts .= "$port,";
98	- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
99	- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
100	+ push @locPorts, $port;
101	+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
102	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
103	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
104	}
105	}
106
107	# block for other or all should move there
108	if ($BC ne '') {
109	- if ($locPorts ne '') {
110	- $locPorts = substr $locPorts, 0, -1;
111	- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
112	- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
113	+ my $reverse = ( ( $masq{'XTGeoipRev'} \|\| 'disabled' ) eq "enabled" )? "!": "";
114	+ my $others = ( ( $masq{'XTGeoipOther'} \|\| 'enabled') eq "disabled") ? 1 : 0;
115	+ @locPorts = () unless $others;
116	+ if (@locPorts != 0) {
117	+ my $LocPorts = join ',', @locPorts;
118	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
119	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
120	} else {
121	- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
122	- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
123	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
124	+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
125	}
126	}
127	$OUT .= " /sbin/iptables --append XTGeoIP_1" .
128	diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
129	--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-23 03:16:53.293411435 +0200
130	+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-22 00:35:29.000000000 +0200
131	@@ -7,11 +7,11 @@
132	my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
133	my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
134	my $port;
135	- my $locPorts;
136	+ my @locPorts;
137	my $servStatus;
138	my $locBC;
139
140	- # to allow reload without locking just after initial install
141	+ # to allow reload without locking just after initial install
142	$OUT .=<<'EOF';
143	iptables -n --list XTGeoIP >/dev/null 2>&1
144	test=$?
145	@@ -36,8 +36,28 @@
146	{
147	if (-s $PATH_MODULE \|\| -s $PATH2_MODULE \|\| -s $PATH3_MODULE)
148	{
149	- # add content here
150	- $locPorts = '';
151	+
152	+# do not block LAN
153	+ my $locals = "@locals";
154	+ if (@locals)
155	+ {
156	+ # Make a new local_chk chain and add any networks found in networks db
157	+ foreach my $local (@locals)
158	+ {
159	+ # If the network is a remote vpn subnet, restrict it to the ipsec0
160	+ # interface.
161	+ my ($net, $msk) = split /\//, $local;
162	+ my $netrec = $nets->get($net);
163	+ die "Can't find network $net in networks db!\n" unless $netrec;
164	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
165	+ if (($netrec->prop('remoteVPNSubnet') \|\| 'no') eq 'yes')
166	+ {
167	+ $OUT .= " --in-interface ipsec0";
168	+ }
169	+ $OUT .= " -j RETURN\n";
170	+ }
171	+ }
172	+
173	my @services = split(/,/, $masq{'XtServices'});
174
175	foreach my $servName (@services)
176	@@ -46,33 +66,27 @@
177	my $servStatus = ${$servName}{'status'} \|\| 'disabled';
178	my $servAccess = ${$servName}{'access'} \|\| 'private';
179	my $locBC = ${$servName}{'BadCountries'} \|\| '';
180	+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} \|\| 'disabled' ) eq "enabled" )? "!": "";
181	if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
182	- $locPorts .= "$port,";
183	- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
184	- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
185	+ push @locPorts, $port;
186	+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
187	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
188	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
189	}
190	}
191
192	- ##adding here for service specific
193	- # imaps 993
194	- #$locBC = $imaps{BadCountries} \|\| '';
195	- #$servStatus = $imaps{'status'} \|\| 'disabled';
196	- #$port = $imaps{'TCPPort'} \|\| '993';
197	- #if ($servStatus eq 'enabled' and $locBC ne '') {
198	- # $locPorts .= "${port},";
199	- # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: IMAPS\"\n";
200	- # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
201	- #}
202	-
203	# block for all or other ports should move there
204	if ($BC ne '') {
205	- if ($locPorts ne '') {
206	- $locPorts = substr $locPorts, 0, -1;
207	- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
208	- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
209	+ my $reverse = ( ( $masq{'XTGeoipRev'} \|\| 'disabled' ) eq "enabled" )? "!": "";
210	+ my $others = ( ( $masq{'XTGeoipOther'} \|\| 'disabled') eq "enabled") ? 1 : 0;
211	+ @locPorts = () unless $others;
212	+ if (@locPorts != 0) {
213	+ my $LocPorts = join ',', @locPorts;
214	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
215	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
216	} else {
217	- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
218	- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j DROP\n";
219	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
220	+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
221	}
222	}
223	$OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" .
224	diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip
225	--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.279411436 +0200
226	+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 02:18:09.000000000 +0200
227	@@ -81,7 +81,7 @@
228	<field
229	type="literal"
230	id="badcountries"
231	- value="get_badcountries()">
232	+ value="get_badcountries(1)">
233	<label>LABEL_BADCOUNTRIES_STATUS</label>
234	</field>
235
236	@@ -102,7 +102,6 @@
237	<field type="literal" id="service_label" value="">
238	<description>SERVICE_DESCRIPTION</description>
239	</field>
240	-
241	<subroutine src="print_custom_button('PER_SERVICE_GEOIP', 'Service', '')"/>
242
243	<field type="literal" id="stats_label" value="">
244	@@ -128,10 +127,20 @@
245	<description>DESC_GEOIP</description>
246	</field>
247
248	+ <field
249	+ type="select"
250	+ id="masq_reverse"
251	+ options="'enabled' => '!=', 'disabled' => '=='"
252	+ value="get_reverse('masq','XTGeoipRev')">
253	+ <label>LABEL_REVERSE_MATCH</label>
254	+ <description>DESC_REVERSE_MATCH</description>
255	+ </field>
256	+
257	<field
258	type="text"
259	id="masq_badcountries"
260	size="64"
261	+ value="get_badcountries(0)"
262	validation="must_exist()">
263	<label>LABEL_BADCOUNTRIES</label>
264	<description>DESC_BADCOUNTRIES</description>
265	@@ -140,9 +149,18 @@
266	<field
267	type="literal"
268	id="badcountries"
269	- value="get_badcountries()">
270	+ value="get_badcountries(1)">
271	<label>LABEL_BADCOUNTRIES_STATUS</label>
272	</field>
273	+
274	+ <field
275	+ type="select"
276	+ id="masq_others"
277	+ options="'enabled' => 'enabled', 'disabled' => 'disabled'"
278	+ value="get_reverse('masq','XTGeoipOther')">
279	+ <label>LABEL_OTHERS</label>
280	+ <description>DESC_OTHERS</description>
281	+ </field>
282
283	<field
284	type="select"
285	@@ -163,7 +181,7 @@
286	<field
287	type="literal"
288	id="badcountries"
289	- value="get_badcountries()">
290	+ value="get_badcountries(1)">
291	<label>LABEL_BADCOUNTRIES_STATUS</label>
292	</field>
293	<subroutine src="print_service_table()" />
294	@@ -187,14 +205,24 @@
295	<field
296	type="literal"
297	id="badcountries"
298	- value="get_badcountries()">
299	+ value="get_badcountries(1)">
300	<label>LABEL_BADCOUNTRIES_STATUS</label>
301	</field>
302
303	+ <field
304	+ type="select"
305	+ id="masq_srv_reverse"
306	+ options="'enabled' => '!=', 'disabled' => '=='"
307	+ value="get_reverse('','XTGeoipRev')">
308	+ <label>LABEL_REVERSE_MATCH</label>
309	+ <description>DESC_REVERSE_MATCH</description>
310	+ </field>
311	+
312	<field
313	type="text"
314	id="masq_srv_badcountries"
315	size="64"
316	+ value="get_srv_badcountries(0)"
317	validation="srv_must_exist()">
318	<label>LABEL_BADCOUNTRIES</label>
319	<description>DESC_BADCOUNTRIES</description>
320	@@ -203,7 +231,7 @@
321	<field
322	type="literal"
323	id="srv_badcountries"
324	- value="get_srv_badcountries()">
325	+ value="get_srv_badcountries(1)">
326	<label>LABEL_SERV_BADCOUNTRIES_STATUS</label>
327	</field>
328