| 1 |
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip |
| 2 |
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-28 06:07:15.053185349 +0200 |
| 3 |
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip 2019-07-28 06:17:00.655164126 +0200 |
| 4 |
@@ -1,18 +1,6 @@ |
| 5 |
# masq : drop from geoip countries |
| 6 |
{ |
| 7 |
- my $BC = $masq{BadCountries} || ''; |
| 8 |
- my $GP = $masq{GeoIP} || 'disabled'; |
| 9 |
- my $KERNEL = `/bin/uname -r`; |
| 10 |
- chomp($KERNEL); |
| 11 |
- my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko"; |
| 12 |
- my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko"; |
| 13 |
- my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko"; |
| 14 |
- my $port; |
| 15 |
- my @locPorts; |
| 16 |
- my $servStatus; |
| 17 |
- my $locBC; |
| 18 |
- # to allow reload |
| 19 |
- $OUT .=<<'EOF'; |
| 20 |
+ $OUT .=<<'EOF'; |
| 21 |
# A blacklist chain for xtables-addons GEOIP |
| 22 |
/sbin/iptables --new-chain XTGeoIP |
| 23 |
/sbin/iptables --new-chain XTGeoIP_1 |
| 24 |
@@ -21,67 +9,4 @@ |
| 25 |
-j XTGeoIP |
| 26 |
EOF |
| 27 |
|
| 28 |
- if ($GP eq 'enabled') |
| 29 |
- { |
| 30 |
- if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE) |
| 31 |
- { |
| 32 |
- |
| 33 |
-# do not block LAN |
| 34 |
- my $locals = "@locals"; |
| 35 |
- if (@locals) |
| 36 |
- { |
| 37 |
- # Make a new local_chk chain and add any networks found in networks db |
| 38 |
- foreach my $local (@locals) |
| 39 |
- { |
| 40 |
- # If the network is a remote vpn subnet, restrict it to the ipsec0 |
| 41 |
- # interface. |
| 42 |
- my ($net, $msk) = split /\//, $local; |
| 43 |
- my $netrec = $nets->get($net); |
| 44 |
- die "Can't find network $net in networks db!\n" unless $netrec; |
| 45 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local"; |
| 46 |
- if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes') |
| 47 |
- { |
| 48 |
- $OUT .= " --in-interface ipsec0"; |
| 49 |
- } |
| 50 |
- $OUT .= " -j RETURN\n"; |
| 51 |
- } |
| 52 |
- } |
| 53 |
- |
| 54 |
- ##adding here for service specific |
| 55 |
- |
| 56 |
- my @services = split(/,/, $masq{'XtServices'}); |
| 57 |
- foreach my $servName (@services) |
| 58 |
- { |
| 59 |
- $port = ${$servName}{'TCPPort'} || ''; |
| 60 |
- my $servStatus = ${$servName}{'status'} || 'disabled'; |
| 61 |
- my $servAccess = ${$servName}{'access'} || 'private'; |
| 62 |
- my $locBC = ${$servName}{'BadCountries'} || ''; |
| 63 |
- my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": ""; |
| 64 |
- if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') { |
| 65 |
- push @locPorts, $port; |
| 66 |
- my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport"; |
| 67 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n"; |
| 68 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n"; |
| 69 |
- } |
| 70 |
- } |
| 71 |
- |
| 72 |
- # block for other or all should move there |
| 73 |
- if ($BC ne '') { |
| 74 |
- my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": ""; |
| 75 |
- my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0; |
| 76 |
- @locPorts = () unless $others; |
| 77 |
- if (@locPorts != 0) { |
| 78 |
- my $LocPorts = join ',', @locPorts; |
| 79 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n"; |
| 80 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n"; |
| 81 |
- } else { |
| 82 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n"; |
| 83 |
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n"; |
| 84 |
- } |
| 85 |
- } |
| 86 |
- $OUT .= " /sbin/iptables --append XTGeoIP_1" . |
| 87 |
- " -j RETURN\n"; |
| 88 |
- ## end of add |
| 89 |
- } else { $OUT .= " # module xt_geoip not found for current kernel\n"; } |
| 90 |
- } else { $OUT .= " # xt_geoip disabled\n"; } |
| 91 |
} |
| 92 |
diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip |
| 93 |
--- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-28 06:07:15.251185374 +0200 |
| 94 |
+++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-28 06:13:24.431170782 +0200 |
| 95 |
@@ -32,12 +32,12 @@ |
| 96 |
/sbin/iptables --new-chain $NEW_XTGeoIP |
| 97 |
EOF |
| 98 |
|
| 99 |
- if ($GP eq 'enabled' and $BC ne '') |
| 100 |
+ if ( $GP eq 'enabled' ) |
| 101 |
{ |
| 102 |
if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE) |
| 103 |
{ |
| 104 |
|
| 105 |
-# do not block LAN |
| 106 |
+ # do not block LAN |
| 107 |
my $locals = "@locals"; |
| 108 |
if (@locals) |
| 109 |
{ |
| 110 |
@@ -75,8 +75,8 @@ |
| 111 |
} |
| 112 |
} |
| 113 |
|
| 114 |
- # block for all or other ports should move there |
| 115 |
- if ($BC ne '') { |
| 116 |
+ # block for all or other ports should move there |
| 117 |
+ if ($BC ne '') { |
| 118 |
my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": ""; |
| 119 |
my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0; |
| 120 |
@locPorts = () unless $others; |
Parent Directory
| 
Revision Log
| 
Revision Graph
