initial commit of file from CVS for smeserver-xt_geoip on Sat Sep 7 16:46:09 AEST 2024

2024-09-07 16:46:09 +10:00
parent 6a9aa6baf5
commit 23a0172ede
71 changed files with 10915 additions and 2 deletions
--- a/root/etc/e-smith/templates/etc/crontab/xt_geoip
+++ b/root/etc/e-smith/templates/etc/crontab/xt_geoip
@@ -0,0 +1,13 @@
+{
+my $output = ( ($masq{'XTlogmail'} || "disabled") eq "disabled" )?  ">/dev/null" : "";
+
+$OUT .= "
+#       saturday at 06:00 update xtables geoip base
+00 06 * * 6 root /usr/share/xt_geoip/update_base $output
+45 1 * * * root /usr/share/xt_geoip/geoip_stats f2b $output
+50 1 * * * root /usr/share/xt_geoip/geoip_stats ssh $output
+55 1 * * * root /usr/share/xt_geoip/geoip_stats ipt $output
+05 2 * * * root /usr/share/xt_geoip/geoip_listat $output
+#
+";
+}
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
@@ -0,0 +1,12 @@
+# masq : drop from geoip countries
+{
+  $OUT .=<<'EOF';
+   # A blacklist chain for xtables-addons GEOIP
+    /sbin/iptables --new-chain XTGeoIP
+    /sbin/iptables --new-chain XTGeoIP_1
+    /sbin/iptables --append XTGeoIP -j XTGeoIP_1
+    /sbin/iptables --insert INPUT 1 \
+       -j XTGeoIP
+EOF
+
+}
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
@@ -0,0 +1,111 @@
+{
+    my $BC = $masq{BadCountries} || '';
+    my $GP = $masq{GeoIP} || 'disabled';
+    my $KERNEL = `/bin/uname -r`;
+    chomp($KERNEL);
+    my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko";
+    my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
+    my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
+    my $port;
+    my @locPorts;
+    my $servStatus;
+    my $locBC;
+
+   # to allow reload  without locking  just after initial  install   
+   $OUT .=<<'EOF';
+   iptables -n --list XTGeoIP >/dev/null 2>&1
+   test=$?
+   if [[ $test -eq 1 ]] ; then
+   # A blacklist chain for xtables-addons GEOIP
+    /sbin/iptables --new-chain XTGeoIP
+    /sbin/iptables --new-chain XTGeoIP_1
+    /sbin/iptables --append XTGeoIP -j XTGeoIP_1
+    /sbin/iptables --insert INPUT 1 \
+       -j XTGeoIP
+   fi
+EOF
+
+    # Find the current XTGeoIP_$$ chain, and create a new one.
+    $OUT .=<<'EOF';
+    OLD_XTGeoIP=$(get_safe_id XTGeoIP filter find)
+    NEW_XTGeoIP=$(get_safe_id XTGeoIP filter new)
+    /sbin/iptables --new-chain $NEW_XTGeoIP
+EOF
+
+    if ( $GP eq 'enabled' )
+    {
+        if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
+        {
+
+    # do not block Localhost(s)
+    $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s 127.0.0.0/24 -j RETURN\n";
+
+    # do not block LAN
+    my $locals = "@locals";
+    if (@locals)
+    {
+        # Make a new local_chk chain and add any networks found in networks db
+        foreach my $local (@locals)
+        {
+            # If the network is a remote vpn subnet, restrict it to the ipsec0
+            # interface.
+            my ($net, $msk) = split /\//, $local;
+            my $netrec = $nets->get($net);
+            die "Can't find network $net in networks db!\n" unless $netrec;
+            $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $local";
+            if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+            {
+                $OUT .= " --in-interface ipsec0";
+            }
+            $OUT .= " -j RETURN\n";
+        }
+    }
+
+	my @services = split(/,/, $masq{'XtServices'});
+	
+	foreach my $servName (@services) 
+	{
+    	    $port = ${$servName}{'TCPPort'} || '';
+    	    my $servStatus = ${$servName}{'status'} || 'disabled';
+    	    my $servAccess = ${$servName}{'access'} || 'private';
+    	    my $locBC = ${$servName}{'BadCountries'} || '';
+            my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!":  "";
+    	    if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
+                push  @locPorts, $port;
+		my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+                $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
+    	    }
+	}
+
+   # block for all or other ports should move there
+   if ($BC ne '') {
+	            my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!":  "";
+        	    my $others = ( ( $masq{'XTGeoipOther'}  || 'disabled') eq "enabled") ? 1 : 0;
+        	    @locPorts = () unless $others;
+            	    if (@locPorts != 0) {
+            		my $LocPorts = join ',', @locPorts;
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts  $reverse --src-cc $BC -j DROP\n";
+		    } else {
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+                        $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
+            	    }
+                }
+                $OUT .= "    /sbin/iptables --append  \$NEW_XTGeoIP" .
+                " -j RETURN\n";
+            ## end of add
+
+        }
+    }
+
+
+    # Having created a new XTGeoIP chain, activate it and destroy the old.
+    $OUT .=<<'EOF';
+    /sbin/iptables --replace XTGeoIP 1 \
+            --jump $NEW_XTGeoIP
+    /sbin/iptables --flush $OLD_XTGeoIP
+    /sbin/iptables --delete-chain $OLD_XTGeoIP
+EOF
+
+}