/[smecontribs]/rpms/smeserver-xt_geoip/contribs9/smeserver-xt_geoip-1.0.1-bz10760-per_serv2.patch
ViewVC logotype

Contents of /rpms/smeserver-xt_geoip/contribs9/smeserver-xt_geoip-1.0.1-bz10760-per_serv2.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (show annotations) (download)
Tue Jul 23 02:00:08 2019 UTC (4 years, 10 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-xt_geoip-1_0_1-15_el6_sme
Changes since 1.1: +0 -253 lines
* Tue Jul 23 2019 Jean-Philipe Pialasse <tests@pialasse.com> 1.0.1-15.sme
- improved per service filtering [SME: 10760]
- remove A1 forced as default and allow empty filter [SME: 10785]

1 diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
2 --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2017-09-15 14:44:39.000000000 +0200
3 +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/db/configuration/defaults/masq/BadCountries 2019-07-23 02:54:03.000000000 +0200
4 @@ -1 +0,0 @@
5 -A1
6 diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
7 --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.259411436 +0200
8 +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:20:21.597404763 +0200
9 @@ -197,4 +197,25 @@
10 <trans>Too many countries chosen: {$ctr}</trans>
11 </entry>
12
13 + <entry>
14 + <base>LABEL_REVERSE_MATCH</base>
15 + <trans>Reject if</trans>
16 + </entry>
17 +
18 + <entry>
19 + <base>DESC_REVERSE_MATCH</base>
20 + <trans>The following option allow to chose if you want reject visitors from the country list (==) which is the default behaviour, or if you want to only let them in (!=).</trans>
21 + </entry>
22 +
23 + <entry>
24 + <base>LABEL_OTHERS</base>
25 + <trans>General filter only for services without rules</trans>
26 + </entry>
27 +
28 + <entry>
29 + <base>DESC_OTHERS</base>
30 + <trans>Choose if you want to have the general filter to apply to all incoming connections or if you do not want to filter ports already defined with a specific service rule. This would allow you to have a service less restricted than the general rule if you enable this.</trans>
31 + </entry>
32 +
33 +
34 </lexicon>
35 diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
36 --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-23 03:16:53.270411434 +0200
37 +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-22 03:12:53.000000000 +0200
38 @@ -8,14 +8,10 @@
39 my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
40 my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
41 my $port;
42 - my $locPorts;
43 + my @locPorts;
44 my $servStatus;
45 my $locBC;
46 - if ($GP eq 'enabled')
47 - {
48 - if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
49 - {
50 - # to allow reload
51 + # to allow reload
52 $OUT .=<<'EOF';
53 # A blacklist chain for xtables-addons GEOIP
54 /sbin/iptables --new-chain XTGeoIP
55 @@ -24,8 +20,34 @@
56 /sbin/iptables --insert INPUT 1 \
57 -j XTGeoIP
58 EOF
59 +
60 + if ($GP eq 'enabled')
61 + {
62 + if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
63 + {
64 +
65 +# do not block LAN
66 + my $locals = "@locals";
67 + if (@locals)
68 + {
69 + # Make a new local_chk chain and add any networks found in networks db
70 + foreach my $local (@locals)
71 + {
72 + # If the network is a remote vpn subnet, restrict it to the ipsec0
73 + # interface.
74 + my ($net, $msk) = split /\//, $local;
75 + my $netrec = $nets->get($net);
76 + die "Can't find network $net in networks db!\n" unless $netrec;
77 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local";
78 + if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
79 + {
80 + $OUT .= " --in-interface ipsec0";
81 + }
82 + $OUT .= " -j RETURN\n";
83 + }
84 + }
85 +
86 ##adding here for service specific
87 - $locPorts='';
88
89 my @services = split(/,/, $masq{'XtServices'});
90 foreach my $servName (@services)
91 @@ -34,22 +56,27 @@
92 my $servStatus = ${$servName}{'status'} || 'disabled';
93 my $servAccess = ${$servName}{'access'} || 'private';
94 my $locBC = ${$servName}{'BadCountries'} || '';
95 + my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
96 if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
97 - $locPorts .= "$port,";
98 - $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
99 - $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
100 + push @locPorts, $port;
101 + my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
102 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
103 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
104 }
105 }
106
107 # block for other or all should move there
108 if ($BC ne '') {
109 - if ($locPorts ne '') {
110 - $locPorts = substr $locPorts, 0, -1;
111 - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
112 - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
113 + my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
114 + my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;
115 + @locPorts = () unless $others;
116 + if (@locPorts != 0) {
117 + my $LocPorts = join ',', @locPorts;
118 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
119 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
120 } else {
121 - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
122 - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
123 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
124 + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
125 }
126 }
127 $OUT .= " /sbin/iptables --append XTGeoIP_1" .
128 diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
129 --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-23 03:16:53.293411435 +0200
130 +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-22 00:35:29.000000000 +0200
131 @@ -7,11 +7,11 @@
132 my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
133 my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
134 my $port;
135 - my $locPorts;
136 + my @locPorts;
137 my $servStatus;
138 my $locBC;
139
140 - # to allow reload without locking just after initial install
141 + # to allow reload without locking just after initial install
142 $OUT .=<<'EOF';
143 iptables -n --list XTGeoIP >/dev/null 2>&1
144 test=$?
145 @@ -36,8 +36,28 @@
146 {
147 if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
148 {
149 - # add content here
150 - $locPorts = '';
151 +
152 +# do not block LAN
153 + my $locals = "@locals";
154 + if (@locals)
155 + {
156 + # Make a new local_chk chain and add any networks found in networks db
157 + foreach my $local (@locals)
158 + {
159 + # If the network is a remote vpn subnet, restrict it to the ipsec0
160 + # interface.
161 + my ($net, $msk) = split /\//, $local;
162 + my $netrec = $nets->get($net);
163 + die "Can't find network $net in networks db!\n" unless $netrec;
164 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
165 + if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
166 + {
167 + $OUT .= " --in-interface ipsec0";
168 + }
169 + $OUT .= " -j RETURN\n";
170 + }
171 + }
172 +
173 my @services = split(/,/, $masq{'XtServices'});
174
175 foreach my $servName (@services)
176 @@ -46,33 +66,27 @@
177 my $servStatus = ${$servName}{'status'} || 'disabled';
178 my $servAccess = ${$servName}{'access'} || 'private';
179 my $locBC = ${$servName}{'BadCountries'} || '';
180 + my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
181 if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
182 - $locPorts .= "$port,";
183 - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
184 - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
185 + push @locPorts, $port;
186 + my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
187 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
188 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
189 }
190 }
191
192 - ##adding here for service specific
193 - # imaps 993
194 - #$locBC = $imaps{BadCountries} || '';
195 - #$servStatus = $imaps{'status'} || 'disabled';
196 - #$port = $imaps{'TCPPort'} || '993';
197 - #if ($servStatus eq 'enabled' and $locBC ne '') {
198 - # $locPorts .= "${port},";
199 - # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: IMAPS\"\n";
200 - # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
201 - #}
202 -
203 # block for all or other ports should move there
204 if ($BC ne '') {
205 - if ($locPorts ne '') {
206 - $locPorts = substr $locPorts, 0, -1;
207 - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
208 - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
209 + my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
210 + my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;
211 + @locPorts = () unless $others;
212 + if (@locPorts != 0) {
213 + my $LocPorts = join ',', @locPorts;
214 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
215 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
216 } else {
217 - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
218 - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j DROP\n";
219 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
220 + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
221 }
222 }
223 $OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" .
224 diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip
225 --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.279411436 +0200
226 +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 02:18:09.000000000 +0200
227 @@ -81,7 +81,7 @@
228 <field
229 type="literal"
230 id="badcountries"
231 - value="get_badcountries()">
232 + value="get_badcountries(1)">
233 <label>LABEL_BADCOUNTRIES_STATUS</label>
234 </field>
235
236 @@ -102,7 +102,6 @@
237 <field type="literal" id="service_label" value="">
238 <description>SERVICE_DESCRIPTION</description>
239 </field>
240 -
241 <subroutine src="print_custom_button('PER_SERVICE_GEOIP', 'Service', '')"/>
242
243 <field type="literal" id="stats_label" value="">
244 @@ -128,10 +127,20 @@
245 <description>DESC_GEOIP</description>
246 </field>
247
248 + <field
249 + type="select"
250 + id="masq_reverse"
251 + options="'enabled' => '!=', 'disabled' => '=='"
252 + value="get_reverse('masq','XTGeoipRev')">
253 + <label>LABEL_REVERSE_MATCH</label>
254 + <description>DESC_REVERSE_MATCH</description>
255 + </field>
256 +
257 <field
258 type="text"
259 id="masq_badcountries"
260 size="64"
261 + value="get_badcountries(0)"
262 validation="must_exist()">
263 <label>LABEL_BADCOUNTRIES</label>
264 <description>DESC_BADCOUNTRIES</description>
265 @@ -140,9 +149,18 @@
266 <field
267 type="literal"
268 id="badcountries"
269 - value="get_badcountries()">
270 + value="get_badcountries(1)">
271 <label>LABEL_BADCOUNTRIES_STATUS</label>
272 </field>
273 +
274 + <field
275 + type="select"
276 + id="masq_others"
277 + options="'enabled' => 'enabled', 'disabled' => 'disabled'"
278 + value="get_reverse('masq','XTGeoipOther')">
279 + <label>LABEL_OTHERS</label>
280 + <description>DESC_OTHERS</description>
281 + </field>
282
283 <field
284 type="select"
285 @@ -163,7 +181,7 @@
286 <field
287 type="literal"
288 id="badcountries"
289 - value="get_badcountries()">
290 + value="get_badcountries(1)">
291 <label>LABEL_BADCOUNTRIES_STATUS</label>
292 </field>
293 <subroutine src="print_service_table()" />
294 @@ -187,14 +205,24 @@
295 <field
296 type="literal"
297 id="badcountries"
298 - value="get_badcountries()">
299 + value="get_badcountries(1)">
300 <label>LABEL_BADCOUNTRIES_STATUS</label>
301 </field>
302
303 + <field
304 + type="select"
305 + id="masq_srv_reverse"
306 + options="'enabled' => '!=', 'disabled' => '=='"
307 + value="get_reverse('','XTGeoipRev')">
308 + <label>LABEL_REVERSE_MATCH</label>
309 + <description>DESC_REVERSE_MATCH</description>
310 + </field>
311 +
312 <field
313 type="text"
314 id="masq_srv_badcountries"
315 size="64"
316 + value="get_srv_badcountries(0)"
317 validation="srv_must_exist()">
318 <label>LABEL_BADCOUNTRIES</label>
319 <description>DESC_BADCOUNTRIES</description>
320 @@ -203,7 +231,7 @@
321 <field
322 type="literal"
323 id="srv_badcountries"
324 - value="get_srv_badcountries()">
325 + value="get_srv_badcountries(1)">
326 <label>LABEL_SERV_BADCOUNTRIES_STATUS</label>
327 </field>
328

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed