diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-28 06:07:15.053185349 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-28 06:17:00.655164126 +0200
@@ -1,18 +1,6 @@
 # masq : drop from geoip countries
 {
- my $BC = $masq{BadCountries} || '';
- my $GP = $masq{GeoIP} || 'disabled';
- my $KERNEL = `/bin/uname -r`;
- chomp($KERNEL);
- my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko";
- my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
- my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
- my $port;
- my @locPorts;
- my $servStatus;
- my $locBC;
- # to allow reload
- $OUT .=<<'EOF';
+ $OUT .=<<'EOF';
 # A blacklist chain for xtables-addons GEOIP
 /sbin/iptables --new-chain XTGeoIP
 /sbin/iptables --new-chain XTGeoIP_1
@@ -21,67 +9,4 @@
 -j XTGeoIP
 EOF
- if ($GP eq 'enabled')
- {
- if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
- {
-
-# do not block LAN
- my $locals = "@locals";
- if (@locals)
- {
- # Make a new local_chk chain and add any networks found in networks db
- foreach my $local (@locals)
- {
- # If the network is a remote vpn subnet, restrict it to the ipsec0
- # interface.
- my ($net, $msk) = split /\//, $local;
- my $netrec = $nets->get($net);
- die "Can't find network $net in networks db!\n" unless $netrec;
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local";
- if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
- {
- $OUT .= " --in-interface ipsec0";
- }
- $OUT .= " -j RETURN\n";
- }
- }
-
- ##adding here for service specific
-
- my @services = split(/,/, $masq{'XtServices'});
- foreach my $servName (@services)
- {
- $port = ${$servName}{'TCPPort'} || '';
- my $servStatus = ${$servName}{'status'} || 'disabled';
- my $servAccess = ${$servName}{'access'} || 'private';
- my $locBC = ${$servName}{'BadCountries'} || '';
- my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
- if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
- push @locPorts, $port;
- my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
- }
- }
-
- # block for other or all should move there
- if ($BC ne '') {
- my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
- my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;
- @locPorts = () unless $others;
- if (@locPorts != 0) {
- my $LocPorts = join ',', @locPorts;
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport !
--dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
- } else {
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
- }
- }
- $OUT .= " /sbin/iptables --append XTGeoIP_1" .
- " -j RETURN\n";
- ## end of add
- } else { $OUT .= " # module xt_geoip not found for current kernel\n"; }
- } else { $OUT .= " # xt_geoip disabled\n"; }
 }
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-28 06:07:15.251185374 +0200
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-28 06:13:24.431170782 +0200
@@ -32,12 +32,12 @@
 /sbin/iptables --new-chain $NEW_XTGeoIP
 EOF
- if ($GP eq 'enabled' and $BC ne '')
+ if ( $GP eq 'enabled' )
 {
 if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
 {
-# do not block LAN
+ # do not block LAN
 my $locals = "@locals";
 if (@locals)
 {
@@ -75,8 +75,8 @@
 }
 }
- # block for all or other ports should move there
- if ($BC ne '') {
+ # block for all or other ports should move there
+ if ($BC ne '') {
 my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
 my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;
 @locPorts = () unless $others;
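Review bot: Dropping `$BC ne ''` from the guard on the changed `if ( $GP eq 'enabled' )` line in 90adjustXt_Geoip is what lets per-service BadCountries lists take effect without a global list, but nothing in the code says so; a one-line comment such as `# gate on GeoIP only: per-service BadCountries lists are valid without a global $BC` would keep a later reader from re-adding the check. The `-s $PATH_MODULE || ...` tests on the next context line only prove that a xt_geoip.ko file exists under the running kernel's module directories, not that the `geoip` match actually loads or that a country database is installed; the else branch is outside this hunk, but the copy this same diff deletes from 40Xt_Geoip emits only a `# module xt_geoip not found` comment, so if 90adjustXt_Geoip does the same the blacklist silently fails open, which deserves a comment or a warning at template-expansion time. The context line `my $locals = "@locals";` is never used in what is visible — the following line tests `@locals` directly — so it can go if the rest of the block does not read it. The enclosing template block starts before this hunk (presumably where `$GP`, `$BC` and the `$PATH*_MODULE` values are set) and continues past it.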