smecontribs/smeserver-xt_geoip
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

xt_geoip 1.3.1-30.sme Fix syntax in masq template for [SME: 12445]

Browse Source
This commit is contained in:
John Crisp
2025-10-22 13:46:41 +02:00
parent 39a0598d79
commit daa56b9cc5
2 changed files with 77 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
View File

@@ -1,9 +1,9 @@
{ {
my $BC = $masq{BadCountries} || ''; my $BC = $masq{BadCountries} || '';
my $GP = $masq{GeoIP} || 'disabled'; my $GP = $masq{GeoIP} || 'disabled';
my $KERNEL = `/bin/uname -r`; my $KERNEL = `/bin/uname -r`;
chomp($KERNEL); chomp($KERNEL);
my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko"; my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko";
my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko"; my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko"; my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
my $port; my $port;
@@ -11,8 +11,8 @@
my $servStatus; my $servStatus;
my $locBC; my $locBC;
# to allow reload without locking just after initial install # to allow reload without locking just after initial install
$OUT .=<<'EOF'; $OUT .= <<'EOF';
iptables -n --list XTGeoIP >/dev/null 2>&1 iptables -n --list XTGeoIP >/dev/null 2>&1
test=$? test=$?
if [[ $test -eq 1 ]] ; then if [[ $test -eq 1 ]] ; then
@@ -26,96 +26,91 @@
EOF EOF
# Find the current XTGeoIP_$$ chain, and create a new one. # Find the current XTGeoIP_$$ chain, and create a new one.
$OUT .=<<'EOF'; $OUT .= <<'EOF';
OLD_XTGeoIP=$(get_safe_id XTGeoIP filter find) OLD_XTGeoIP=$(get_safe_id XTGeoIP filter find)
NEW_XTGeoIP=$(get_safe_id XTGeoIP filter new) NEW_XTGeoIP=$(get_safe_id XTGeoIP filter new)
/sbin/iptables --new-chain $NEW_XTGeoIP /sbin/iptables --new-chain $NEW_XTGeoIP
EOF EOF
if ( $GP eq 'enabled' ) if ($GP eq 'enabled') {
{ if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE) {
if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
{
# do not block Localhost(s) # do not block Localhost(s)
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s 127.0.0.0/24 -j RETURN\n"; $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s 127.0.0.0/24 -j RETURN\n";
# do not block LAN # do not block LAN
my $locals = "@locals"; my $locals = "@locals";
if (@locals)
{
# Make a new local_chk chain and add any networks found in networks db
foreach my $local (@locals)
{
# If the network is a remote vpn subnet, restrict it to the ipsec0
# interface.
my ($net, $msk) = split /\//, $local;
my $netrec = $nets->get($net);
die "Can't find network $net in networks db!\n" unless $netrec;
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
{
$OUT .= " --in-interface ipsec0";
}
$OUT .= " -j RETURN\n";
}
}
# [SME: 12445] do not block Remote authorized access if (@locals) {
# TO DO : allow pin point per service eg this UK ip/network even if UK is filtered
(($masq{XTAcceptValidRemoteHosts} || 'enabled') eq 'enabled'){ # Make a new local_chk chain and add any networks found in networks db
foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){ foreach my $local (@locals) {
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $ip/$bits -j RETURN\n" unless "$ip" eq '0.0.0.0';
}
}
my @services = split(/,/, $masq{'XtServices'}); # If the network is a remote vpn subnet, restrict it to the ipsec0
# interface.
my ($net, $msk) = split /\//, $local;
my $netrec = $nets->get($net);
die "Can't find network $net in networks db!\n" unless $netrec;
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
foreach my $servName (@services) if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes') {
{ $OUT .= " --in-interface ipsec0";
$port = ${$servName}{'TCPPort'} || ''; }
my $servStatus = ${$servName}{'status'} || 'disabled'; $OUT .= " -j RETURN\n";
my $servAccess = ${$servName}{'access'} || 'private'; } ## end foreach my $local (@locals)
my $locBC = ${$servName}{'BadCountries'} || ''; } ## end if (@locals)
my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
push @locPorts, $port;
my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j NFLOG --nflog-prefix \"GeoIP BAN: $servName\"\n";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
}
}
# block for all or other ports should move there # [SME: 12445] do not block Remote authorized access
if ($BC ne '') { # TO DO : allow pin point per service eg this UK ip/network even if UK is filtered
my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": ""; if (($masq{XTAcceptValidRemoteHosts} || 'enabled') eq 'enabled') {
my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0; foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')) {
@locPorts = () unless $others; my ($ip, $bits) = Net::IPv4Addr::ipv4_parse("$_");
if (@locPorts != 0) { $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $ip/$bits -j RETURN\n" unless "$ip" eq '0.0.0.0';
my $LocPorts = join ',', @locPorts;
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: OTHER\"\n";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
} else {
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: ALL\"\n";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
}
} }
$OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" . } ## end if (($masq{XTAcceptValidRemoteHosts...}))
" -j RETURN\n";
my @services = split(/,/, $masq{'XtServices'});
foreach my $servName (@services) {
$port = ${$servName}{'TCPPort'} || '';
my $servStatus = ${$servName}{'status'} || 'disabled';
my $servAccess = ${$servName}{'access'} || 'private';
my $locBC = ${$servName}{'BadCountries'} || '';
my $reverse = ((${$servName}{'XTGeoipRev'} || 'disabled') eq "enabled") ? "!" : "";
if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
push @locPorts, $port;
my $multi = ($port =~ /[,:]/) ? "-m multiport --dports" : "--dport";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j NFLOG --nflog-prefix \"GeoIP BAN: $servName\"\n";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
} ## end if ($port ne '' and $servStatus...)
} ## end foreach my $servName (@services)
# block for all or other ports should move there
if ($BC ne '') {
my $reverse = (($masq{'XTGeoipRev'} || 'disabled') eq "enabled") ? "!" : "";
my $others = (($masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;
@locPorts = () unless $others;
if (@locPorts != 0) {
my $LocPorts = join ',', @locPorts;
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: OTHER\"\n";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
} else {
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: ALL\"\n";
$OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
}
} ## end if ($BC ne '')
$OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" . " -j RETURN\n";
## end of add ## end of add
} ## end if (-s $PATH_MODULE ||...)
} } ## end if ($GP eq 'enabled')
}
# Having created a new XTGeoIP chain, activate it and destroy the old. # Having created a new XTGeoIP chain, activate it and destroy the old.
$OUT .=<<'EOF'; $OUT .= <<'EOF';
/sbin/iptables --replace XTGeoIP 1 \ /sbin/iptables --replace XTGeoIP 1 \
--jump $NEW_XTGeoIP --jump $NEW_XTGeoIP
/sbin/iptables --flush $OLD_XTGeoIP /sbin/iptables --flush $OLD_XTGeoIP
/sbin/iptables --delete-chain $OLD_XTGeoIP /sbin/iptables --delete-chain $OLD_XTGeoIP
EOF EOF
} }

6
smeserver-xt_geoip.spec
View File

@@ -1,6 +1,6 @@
%define name smeserver-xt_geoip %define name smeserver-xt_geoip
%define version 1.3.1 %define version 1.3.1
%define release 29 %define release 30
Summary: smserver rpm to setup database, update and configuration for xt_geoip module with a panel. Summary: smserver rpm to setup database, update and configuration for xt_geoip module with a panel.
Name: %{name} Name: %{name}
@@ -78,6 +78,10 @@ rm -rf %{name}-%{version}
%changelog %changelog
* Wed Oct 22 2025 John Crisp <jcrisp@safeandsoundit.co.uk> 1.3.1-30.sme
- Fix error in patch for [SME: 12445]
- Tidy template
* Tue Oct 21 2025 John Crisp <jcrisp@safeandsoundit.co.uk> 1.3.1-29.sme * Tue Oct 21 2025 John Crisp <jcrisp@safeandsoundit.co.uk> 1.3.1-29.sme
- Fix SmartMatch errors [SME: 13240] - Fix SmartMatch errors [SME: 13240]
- Fix panel errors [SME: 13173] - Fix panel errors [SME: 13173]