diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2017-09-15 14:44:39.000000000 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2019-07-23 02:54:03.000000000 +0200
@@ -1 +0,0 @@
-A1
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.259411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:20:21.597404763 +0200
@@ -197,4 +197,25 @@
Too many countries chosen: {$ctr}
+
+ LABEL_REVERSE_MATCH
+ Reject if
+
+
+
+ DESC_REVERSE_MATCH
+ The following option allow to chose if you want reject visitors from the country list (==) which is the default behaviour, or if you want to only let them in (!=).
+
+
+
+ LABEL_OTHERS
+ General filter only for services without rules
+
+
+
+ DESC_OTHERS
+ Choose if you want to have the general filter to apply to all incoming connections or if you do not want to filter ports already defined with a specific service rule. This would allow you to have a service less restricted than the general rule if you enable this.
+
+
+
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-23 03:16:53.270411434 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-22 03:12:53.000000000 +0200
@@ -8,14 +8,10 @@
my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
my $port;
- my $locPorts;
+ my @locPorts;
my $servStatus;
my $locBC;
- if ($GP eq 'enabled')
- {
- if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
- {
- # to allow reload
+ # to allow reload
$OUT .=<<'EOF';
# A blacklist chain for xtables-addons GEOIP
/sbin/iptables --new-chain XTGeoIP
@@ -24,8 +20,34 @@
/sbin/iptables --insert INPUT 1 \
-j XTGeoIP
EOF
+
+ if ($GP eq 'enabled')
+ {
+ if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
+ {
+
+# do not block LAN
+ my $locals = "@locals";
+ if (@locals)
+ {
+ # Make a new local_chk chain and add any networks found in networks db
+ foreach my $local (@locals)
+ {
+ # If the network is a remote vpn subnet, restrict it to the ipsec0
+ # interface.
+ my ($net, $msk) = split /\//, $local;
+ my $netrec = $nets->get($net);
+ die "Can't find network $net in networks db!\n" unless $netrec;
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local";
+ if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+ {
+ $OUT .= " --in-interface ipsec0";
+ }
+ $OUT .= " -j RETURN\n";
+ }
+ }
+
##adding here for service specific
- $locPorts='';
my @services = split(/,/, $masq{'XtServices'});
foreach my $servName (@services)
@@ -34,22 +56,27 @@
my $servStatus = ${$servName}{'status'} || 'disabled';
my $servAccess = ${$servName}{'access'} || 'private';
my $locBC = ${$servName}{'BadCountries'} || '';
+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
- $locPorts .= "$port,";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+ push @locPorts, $port;
+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
}
}
# block for other or all should move there
if ($BC ne '') {
- if ($locPorts ne '') {
- $locPorts = substr $locPorts, 0, -1;
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
+ my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
+ my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;
+ @locPorts = () unless $others;
+ if (@locPorts != 0) {
+ my $LocPorts = join ',', @locPorts;
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
} else {
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
}
}
$OUT .= " /sbin/iptables --append XTGeoIP_1" .
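Review bot: The `my $others = ...` line inside `if ($BC ne '')` is inverted relative to the same line in the 90adjustXt_Geoip hunk (the one ending at the `--append \$NEW_XTGeoIP` line): here it yields 1 when `XTGeoipOther` is `disabled` with a default of `enabled`, there it yields 1 when the value is `enabled` with a default of `disabled`. With the option unset both templates end up emptying `@locPorts` and emit the "ALL" rules, but for any explicit setting the boot-time chain and the reload-time chain install different rule sets: set to `enabled`, this template blocks `$BC` on every port while the adjust template exempts the service ports via the "OTHER" rules. The locale text for LABEL_OTHERS ("General filter only for services without rules") suggests the 90adjust form is the intended one, so this line should read `my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;`. Separately, `my $locals = "@locals";` in the LAN-bypass block is assigned and never read, here and in the matching 90adjustXt_Geoip hunk, and can be dropped. The enclosing `if ($GP eq 'enabled')` block continues past the end of this hunk, and `@locals` and `$nets` are presumably set up earlier in the template outside it.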
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-23 03:16:53.293411435 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-22 00:35:29.000000000 +0200
@@ -7,11 +7,11 @@
my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
my $port;
- my $locPorts;
+ my @locPorts;
my $servStatus;
my $locBC;
- # to allow reload without locking just after initial install
+ # to allow reload without locking just after initial install
$OUT .=<<'EOF';
iptables -n --list XTGeoIP >/dev/null 2>&1
test=$?
@@ -36,8 +36,28 @@
{
if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
{
- # add content here
- $locPorts = '';
+
+# do not block LAN
+ my $locals = "@locals";
+ if (@locals)
+ {
+ # Make a new local_chk chain and add any networks found in networks db
+ foreach my $local (@locals)
+ {
+ # If the network is a remote vpn subnet, restrict it to the ipsec0
+ # interface.
+ my ($net, $msk) = split /\//, $local;
+ my $netrec = $nets->get($net);
+ die "Can't find network $net in networks db!\n" unless $netrec;
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
+ if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+ {
+ $OUT .= " --in-interface ipsec0";
+ }
+ $OUT .= " -j RETURN\n";
+ }
+ }
+
my @services = split(/,/, $masq{'XtServices'});
foreach my $servName (@services)
@@ -46,33 +66,27 @@
my $servStatus = ${$servName}{'status'} || 'disabled';
my $servAccess = ${$servName}{'access'} || 'private';
my $locBC = ${$servName}{'BadCountries'} || '';
+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
- $locPorts .= "$port,";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+ push @locPorts, $port;
+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
}
}
- ##adding here for service specific
- # imaps 993
- #$locBC = $imaps{BadCountries} || '';
- #$servStatus = $imaps{'status'} || 'disabled';
- #$port = $imaps{'TCPPort'} || '993';
- #if ($servStatus eq 'enabled' and $locBC ne '') {
- # $locPorts .= "${port},";
- # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: IMAPS\"\n";
- # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
- #}
-
# block for all or other ports should move there
if ($BC ne '') {
- if ($locPorts ne '') {
- $locPorts = substr $locPorts, 0, -1;
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
+ my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
+ my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;
+ @locPorts = () unless $others;
+ if (@locPorts != 0) {
+ my $LocPorts = join ',', @locPorts;
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
} else {
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
- $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j DROP\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+ $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
}
}
$OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" .
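Review bot: The `join ',', @locPorts` on the `my $LocPorts` line feeds every public service port into a single `-m multiport ! --dports` list, and iptables multiport accepts at most 15 ports per rule (a range `a:b` counting as two), so with enough services the generated iptables command fails when the script runs and, unless the generated script aborts on error, the "OTHER" ULOG/DROP pair for `$BC` is simply absent — the general block silently fails open. The per-service `$port` values also reach the command line with no shape check; the `[,:]` test two hunks up only selects the matcher, it does not validate the value. Both points apply equally to the 40Xt_Geoip hunk ending at the `--append XTGeoIP_1` line, and the enclosing `if ($GP eq 'enabled')` block begins before this hunk. A guard such as `next unless $port =~ m{\A \d+ (?::\d+)? (?:,\d+(?::\d+)?)* \z}x;` ahead of `push @locPorts, $port;` would keep malformed entries out of the rule text. For the OTHER branch, a negated list cannot be split across rules, so either expand `@locPorts` on commas and emit positive `-m multiport --dports ... -j RETURN` rules in groups small enough for the limit ahead of an unnegated general `$reverse --src-cc $BC` DROP, or fall back to the "ALL" rules when the list is too long instead of emitting a command that cannot load.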
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.279411436 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 02:18:09.000000000 +0200
@@ -81,7 +81,7 @@
+ value="get_badcountries(1)">
@@ -102,7 +102,6 @@
SERVICE_DESCRIPTION
-
@@ -128,10 +127,20 @@
DESC_GEOIP
+
+
+ DESC_REVERSE_MATCH
+
+
DESC_BADCOUNTRIES
@@ -140,9 +149,18 @@
+ value="get_badcountries(1)">
+
+
+
+ DESC_OTHERS
+
+ value="get_badcountries(1)">
@@ -187,14 +205,24 @@
+ value="get_badcountries(1)">
+
+
+ DESC_REVERSE_MATCH
+
+
DESC_BADCOUNTRIES
@@ -203,7 +231,7 @@
+ value="get_srv_badcountries(1)">