diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2017-09-15 14:44:39.000000000 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2019-07-23 02:54:03.000000000 +0200
@@ -1 +0,0 @@
-A1
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.259411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:20:21.597404763 +0200
@@ -197,4 +197,25 @@
Too many countries chosen: {$ctr}
+
+ LABEL_REVERSE_MATCH
+ Reject if
+
+
+
+ DESC_REVERSE_MATCH
+ The following option allow to chose if you want reject visitors from the country list (==) which is the default behaviour, or if you want to only let them in (!=).
+
+
+
+ LABEL_OTHERS
+ General filter only for services without rules
+
+
+
+ DESC_OTHERS
+ Choose if you want to have the general filter to apply to all incoming connections or if you do not want to filter ports already defined with a specific service rule. This would allow you to have a service less restricted than the general rule if you enable this.
+
+
+
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-23 03:16:53.270411434 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-22 03:12:53.000000000 +0200
@@ -8,14 +8,10 @@
my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
my $port;
- my $locPorts;
+ my @locPorts;
my $servStatus;
my $locBC;
- if ($GP eq 'enabled')
- {
- if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
- {
- # to allow reload
+ # to allow reload
$OUT .=<<'EOF';
# A blacklist chain for xtables-addons GEOIP
/sbin/iptables --new-chain XTGeoIP
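Review bot: The chain-creation heredoc (`--new-chain XTGeoIP` through `--insert INPUT 1 -j XTGeoIP`) now runs outside the `$GP eq 'enabled'` and module-presence guards, so the INPUT jump is installed even when GeoIP is disabled or xt_geoip.ko is absent, and the moved `# to allow reload` comment does not say that this is deliberate. If it is intended, expand the comment to something like `# Chain and INPUT jump are always created so reload/adjust can rely on them; geoip rules are only added below when the module is present`. The `if` blocks reopened in the next hunk close outside this hunk, so I could not confirm that nothing else depended on the old guard placement.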
@@ -24,8 +20,34 @@
/sbin/iptables --insert INPUT 1 \
-j XTGeoIP
EOF
+
+ if ($GP eq 'enabled')
+ {
+ if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
+ {
+
+# do not block LAN
+ my $locals = "@locals";
+ if (@locals)
+ {
+ # Make a new local_chk chain and add any networks found in networks db
+ foreach my $local (@locals)
+ {
+ # If the network is a remote vpn subnet, restrict it to the ipsec0
+ # interface.
+ my ($net, $msk) = split /\//, $local;
+ my $netrec = $nets->get($net);
+ die "Can't find network $net in networks db!\n" unless $netrec;
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local";
+ if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+ {
+ $OUT .= " --in-interface ipsec0";
+ }
+ $OUT .= " -j RETURN\n";
+ }
+ }
+
##adding here for service specific
- $locPorts='';
my @services = split(/,/, $masq{'XtServices'});
foreach my $servName (@services)
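Review bot: `my $locals = "@locals";` is assigned and never read; the `if` and the `foreach` use the array directly, so the line should be dropped. The comment `# Make a new local_chk chain and add any networks found in networks db` describes the code this was copied from: no chain is created here, the loop appends a `-j RETURN` exception to XTGeoIP_1 for each local network, so it should read `# Exempt local networks from geoip filtering: RETURN from XTGeoIP_1 for each entry in the networks db`. `@locals` and `$nets` are not declared inside the hunk, presumably they come from the template header. The `die` on a missing network record aborts expansion of the whole firewall template; consider whether a `warn` plus `next` is the safer failure mode there, unless the template engine already handles it. The same three points apply to the matching hunk in 90adjustXt_Geoip.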
@@ -34,22 +56,27 @@
my $servStatus = ${$servName}{'status'} || 'disabled';
my $servAccess = ${$servName}{'access'} || 'private';
my $locBC = ${$servName}{'BadCountries'} || '';
+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
- $locPorts .= "$port,";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+ push @locPorts, $port;
+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
}
}
# block for other or all should move there
if ($BC ne '') {
- if ($locPorts ne '') {
- $locPorts = substr $locPorts, 0, -1;
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
+ my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
+ my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;
+ @locPorts = () unless $others;
+ if (@locPorts != 0) {
+ my $LocPorts = join ',', @locPorts;
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
} else {
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
}
}
$OUT .= " /sbin/iptables --append XTGeoIP_1" .
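Review bot: `my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;` is the inverse of the same line in the 90adjustXt_Geoip hunk (`|| 'disabled') eq "enabled"`), and the panel stores the property with default `'disabled'`; as written the start-up template keeps the per-service ports out of the general rule when the option is disabled, while the adjust template does so when it is enabled, so the two scripts apply different filters for one setting. The locale text ("General filter only for services without rules") matches the 90adjust version, so this line should read `my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;`. Separately, `$multi` now accepts `,` and `:` inside `$port`, and `$port`, `$locBC` and `$BC` are interpolated unquoted into the generated shell script; `$port` is set just before this hunk, so a check like `next unless $port =~ /\A[0-9]+(?:[,:][0-9]+)*\z/;` beside it (and a similar uppercase-letters-and-commas check for the country lists) would keep an odd db value from breaking or altering the script. The `foreach` and the enclosing `if` blocks close outside the hunk.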
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-23 03:16:53.293411435 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-22 00:35:29.000000000 +0200
@@ -7,11 +7,11 @@
my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
my $port;
- my $locPorts;
+ my @locPorts;
my $servStatus;
my $locBC;
- # to allow reload without locking just after initial install
+ # to allow reload without locking just after initial install
$OUT .=<<'EOF';
iptables -n --list XTGeoIP >/dev/null 2>&1
test=$?
@@ -36,8 +36,28 @@
{
if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
{
- # add content here
- $locPorts = '';
+
+# do not block LAN
+ my $locals = "@locals";
+ if (@locals)
+ {
+ # Make a new local_chk chain and add any networks found in networks db
+ foreach my $local (@locals)
+ {
+ # If the network is a remote vpn subnet, restrict it to the ipsec0
+ # interface.
+ my ($net, $msk) = split /\//, $local;
+ my $netrec = $nets->get($net);
+ die "Can't find network $net in networks db!\n" unless $netrec;
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
+ if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+ {
+ $OUT .= " --in-interface ipsec0";
+ }
+ $OUT .= " -j RETURN\n";
+ }
+ }
+
my @services = split(/,/, $masq{'XtServices'});
foreach my $servName (@services)
@@ -46,33 +66,27 @@
my $servStatus = ${$servName}{'status'} || 'disabled';
my $servAccess = ${$servName}{'access'} || 'private';
my $locBC = ${$servName}{'BadCountries'} || '';
+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
- $locPorts .= "$port,";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+ push @locPorts, $port;
+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
}
}
- ##adding here for service specific
- # imaps 993
- #$locBC = $imaps{BadCountries} || '';
- #$servStatus = $imaps{'status'} || 'disabled';
- #$port = $imaps{'TCPPort'} || '993';
- #if ($servStatus eq 'enabled' and $locBC ne '') {
- # $locPorts .= "${port},";
- # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: IMAPS\"\n";
- # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
- #}
-
# block for all or other ports should move there
if ($BC ne '') {
- if ($locPorts ne '') {
- $locPorts = substr $locPorts, 0, -1;
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
+ my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
+ my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;
+ @locPorts = () unless $others;
+ if (@locPorts != 0) {
+ my $LocPorts = join ',', @locPorts;
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
} else {
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j DROP\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
}
}
$OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" .
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.279411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 02:18:09.000000000 +0200
@@ -81,7 +81,7 @@
+ value="get_badcountries(1)">
@@ -102,7 +102,6 @@
SERVICE_DESCRIPTION
-
@@ -128,10 +127,20 @@
DESC_GEOIP
+
+
+ DESC_REVERSE_MATCH
+
+
DESC_BADCOUNTRIES
@@ -140,9 +149,18 @@
+ value="get_badcountries(1)">
+
+
+
+ DESC_OTHERS
+
+ value="get_badcountries(1)">
@@ -187,14 +205,24 @@
+ value="get_badcountries(1)">
+
+
+ DESC_REVERSE_MATCH
+
+
DESC_BADCOUNTRIES
@@ -203,7 +231,7 @@
+ value="get_srv_badcountries(1)">
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/panels/manager/cgi-bin/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/panels/manager/cgi-bin/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/panels/manager/cgi-bin/xt_geoip 2019-07-23 03:16:53.279411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/panels/manager/cgi-bin/xt_geoip 2019-07-23 02:18:09.000000000 +0200
@@ -81,7 +81,7 @@
+ value="get_badcountries(1)">
@@ -102,7 +102,6 @@
SERVICE_DESCRIPTION
-
@@ -128,10 +127,20 @@
DESC_GEOIP
+
+
+ DESC_REVERSE_MATCH
+
+
DESC_BADCOUNTRIES
@@ -140,9 +149,18 @@
+ value="get_badcountries(1)">
+
+
+
+ DESC_OTHERS
+
+ value="get_badcountries(1)">
@@ -187,14 +205,24 @@
+ value="get_badcountries(1)">
+
+
+ DESC_REVERSE_MATCH
+
+
DESC_BADCOUNTRIES
@@ -203,7 +231,7 @@
+ value="get_srv_badcountries(1)">
diff -Nur smeserver-xt_geoip-1.0.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/xt_geoip.pm smeserver-xt_geoip-1.0.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/xt_geoip.pm
--- smeserver-xt_geoip-1.0.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/xt_geoip.pm 2019-07-23 03:16:53.284411435 +0200
+++ smeserver-xt_geoip-1.0.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/xt_geoip.pm 2019-07-23 02:49:15.000000000 +0200
@@ -23,6 +23,7 @@
get_value
get_badcountries
get_geoip
+ get_reverse
print_service_table
get_stat_geoip
print_custom_button
@@ -139,7 +140,12 @@
sub get_badcountries
{
- return $db->get_prop("masq", "BadCountries");
+ my $self = shift;
+ my $full = shift;
+ my $badc=$db->get_prop("masq", "BadCountries")||"";
+ return $badc unless $full ;
+ my $rev = (($db->get_prop("masq", "XTGeoipRev")||"disabled") eq "enabled") ? "!=" : "==";
+ return "$rev $badc ";
}
=head2 get_geoip
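Review bot: The POD for get_badcountries (its `=head2` sits above this hunk) should document the new optional argument: called as a plain function (`get_badcountries()` later in this file) the first `shift` consumes nothing and `$full` is undef, while from the form it is a method and `get_badcountries(1)` returns the list prefixed with `==`/`!=`; suggest adding "Optional argument: when true, the list is prefixed with the comparison operator derived from masq XTGeoipRev and followed by a space". The trailing space in `return "$rev $badc ";` looks accidental; if the display needs it, say so in a comment. If the `value="get_badcountries(1)"` visible in the web/functions hunks seeds the editable field rather than a label, the operator prefix would come back in `masq_badcountries` and be written by `set_prop`; worth confirming against the form definition. The same points apply to the get_srv_badcountries hunk further down.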
@@ -152,6 +158,20 @@
return $db->get_prop("masq", "GeoIP") || 'disabled';
}
+=head2 get_reverse
+
+method to retrieve the value of geoip for the form
+=cut
+
+sub get_reverse
+{
+ my $fm = shift;
+ my $item = shift;
+ my $prop = shift;
+ $item = ($item eq 'masq') ? $item : $fm->cgi->param('name');
+ return $db->get_prop("$item", "$prop") || "disabled";
+}
+
=head2 get_stat_geoip
method to retrieve the status of geoip for the form
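Review bot: The POD added for get_reverse (`method to retrieve the value of geoip for the form`) is copied from get_geoip and describes the wrong thing; it should say something like "Returns the named property (normally XTGeoipRev) of the masq record when `$item` is `masq`, otherwise of the service named by the CGI `name` parameter; defaults to `disabled`". Under `use warnings`, `$item eq 'masq'` warns when the form calls it without an item, so `( ($item // '') eq 'masq' )` is cleaner, and the quotes in `get_prop("$item", "$prop")` are unnecessary. The service name comes straight from the request; get_prop on an unknown key presumably yields undef and hence the default, which is fine here, but keep that in mind if the function grows.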
@@ -189,15 +209,23 @@
my $mq_bc = get_badcountries();
my $mq_gp = get_geoip();
- my $n_mq_bc = $q->param("masq_badcountries") || $mq_bc;
+ my $masq = $db->get('masq') || "disabled";
+ my $mq_rv = $masq->prop('XTGeoipRev') || 'disabled';
+ my $mq_ot = $masq->prop('XTGeoipOther') || 'disabled';
+
+ my $n_mq_bc = $q->param("masq_badcountries");
my $n_mq_gp = $q->param("masq_geoip") || $mq_gp;
my $n_upd_gp = $q->param("update_geoip") || '';
-
- if (($n_mq_bc eq $mq_bc) && ($n_mq_gp eq $mq_gp) && ($n_upd_gp eq 'NO')) {
+ my $n_mq_rv = $q->param("masq_reverse") || $mq_rv ;
+ my $n_mq_ot = $q->param("masq_others") || $mq_ot ;
+
+ if (($n_mq_bc eq $mq_bc) && ($n_mq_gp eq $mq_gp) && ($n_upd_gp eq 'NO') && ($n_mq_rv eq $mq_rv) && ($n_mq_ot eq $mq_ot)) {
return $self->success("NO_CHANGE")
}
$db->set_prop("masq", "BadCountries", $n_mq_bc);
$db->set_prop("masq", "GeoIP", $n_mq_gp);
+ $db->set_prop("masq", "XTGeoipRev", $n_mq_rv);
+ $db->set_prop("masq", "XTGeoipOther", $n_mq_ot);
my $eventloc = "xt_geoip-modify";
$eventloc = "xt_geoip-update" if $n_upd_gp eq 'YES';
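Review bot: `my $masq = $db->get('masq') || "disabled";` falls back to a plain string, and the next line calls `$masq->prop('XTGeoipRev')` on it, which dies with a method-not-found error instead of degrading; the rest of the sub already reads masq through `$db->get_prop("masq", ...)`, so use that form: `my $mq_rv = $db->get_prop('masq', 'XTGeoipRev') || 'disabled';` and likewise for XTGeoipOther. `my $n_mq_bc = $q->param("masq_badcountries");` dropped the `|| $mq_bc` fallback, so an absent parameter is undef, which warns in the `eq` comparison and is then written with `set_prop`; if the intent is to let the admin clear the list, `// ''` keeps that without storing undef. The stored value is later interpolated into iptables commands by the masq templates, so unless the form validates it elsewhere (the "Too many countries chosen" string suggests some check exists), an anchored check such as `$n_mq_bc =~ /\A(?:[A-Z]{2}(?:,[A-Z]{2})*)?\z/` before `set_prop` would be prudent. The sub continues outside the hunk.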
@@ -293,9 +321,13 @@
sub get_srv_badcountries
{
- my ($self) = @_;
+ my $self = shift;
my $name = $self->cgi->param('name');
- return $db->get_prop($name, "BadCountries");
+ my $full = shift;
+ my $badc=$db->get_prop($name, "BadCountries")||"";
+ return $badc unless $full ;
+ my $rev = (($db->get_prop($name, "XTGeoipRev")||"disabled") eq "enabled") ? "!=" : "==";
+ return "$rev $badc ";
}
sub print_service_table {
@@ -338,6 +370,7 @@
my $status = $i->prop('status');
my $access = $i->prop('access');
my $servBC = $i->prop('BadCountries') || ' ';
+ my $servRev = (( $i->prop('XTGeoipRev')|| 'disabled') eq 'disabled' )? '==': '!=';
my $params = $self->build_serv_cgi_params($servname, $i->props());
@@ -352,13 +385,15 @@
. ' ';
my $color = 'red';
- if ($status eq 'disabled' || $access ne 'public') { $color = 'green'; }
+ my $deco= "none";
+ if ($servRev eq '!=' ) { $color = 'green'; }
+ if ($status eq 'disabled' || $access ne 'public') { $color = 'grey'; $deco= "line-through"; }
print $q->Tr (
esmith::cgi::genSmallCell($q, $servname,"normal"),
esmith::cgi::genSmallCell($q, $port,"normal"),
- esmith::cgi::genSmallCell($q, $status,"header"),
- esmith::cgi::genSmallCell($q, $access,"header"),
- esmith::cgi::genSmallCell($q, "" . $servBC . "","header"),
+ esmith::cgi::genSmallCell($q, $status,"normal"),
+ esmith::cgi::genSmallCell($q, $access,"normal"),
+ esmith::cgi::genSmallCell($q, "" . "$servRev $servBC" . "","normal"),
esmith::cgi::genSmallCell($q, $actionModify,"normal"),
esmith::cgi::genSmallCell($q, $actionRemove,"normal"));
}
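Review bot: `my $deco= "none";` and the `$deco= "line-through"` assignment for disabled or non-public services are never used: none of the `genSmallCell` calls in `print $q->Tr(...)` receive it, and the `}` at the end of the hunk closes the loop scope, so the strike-through is never rendered (unless genSmallCell takes a style argument not shown here). Either pass it into the cell markup or drop the variable. Also `"" . "$servRev $servBC" . ""` is just `"$servRev $servBC"`, and the `$servRev` line in the preceding hunk could use a short comment such as `# '!=' means the country list is an allow-list for this service`.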
@@ -386,7 +421,8 @@
if (my $serv = $db->get($name)) {
my $servBC = $serv->prop('BadCountries') || '';
if ($servBC ne '') {
- $db->set_prop($name, "BadCountries", '');
+ my $tps = $db->set_prop_and_delete($name, "BadCountries");
+ $tps = $db->get_prop_and_delete($name, "XTGeoipRev");
# Untaint $name before use in system()
# $name =~ /(.+)/; $name = $1;
if (system ("/sbin/e-smith/signal-event", "xt_geoip-service") == 0)
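Review bot: `$db->set_prop_and_delete($name, "BadCountries")` on the first new line uses a method name that differs from the `get_prop_and_delete` used on the very next line for XTGeoipRev; if only the latter exists in the esmith DB API, this call dies at runtime before the event is signalled, so the first line should presumably also be `$db->get_prop_and_delete($name, "BadCountries");`. The return values are captured in `$tps` and never used, so the assignment can go. The sub continues outside the hunk, so I could not see whether such a failure would be caught.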
@@ -410,14 +446,17 @@
my $name = $self->cgi->param('name');
if (my $serv = $db->get($name)) {
my $servBC = $serv->prop('BadCountries') || '';
+ my $servRev = $serv->prop('XTGeoipRev') || 'disabled';
my $q = $self->{'cgi'};
- my $n_servBC = $q->param("masq_srv_badcountries") || $servBC;
-
- if ($n_servBC eq $servBC) {
+ my $n_servBC = $q->param("masq_srv_badcountries");
+ my $n_servRev = $q->param("masq_srv_reverse") || $servRev;
+
+ if ($n_servBC eq $servBC && $n_servRev eq $servRev ) {
return $self->success("NO_CHANGE")
}
$db->set_prop($name, "BadCountries", $n_servBC);
+ $db->set_prop($name, "XTGeoipRev", $n_servRev);
if (system ( "/sbin/e-smith/signal-event", "xt_geoip-service" ) == 0 )
{