my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile = "${General::swroot}/firewall/p2protocols";
+my $geoipfile = "${General::swroot}/firewall/geoipblock";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
# Load P2P block rules.
&p2pblock();
+ # Load GeoIP block rules.
+ &geoipblock();
+
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } elsif ($source) {
+ } elsif ($source =~ /-m geoip/) {
+ push(@source_options, $source);
+ } elsif($source) {
push(@source_options, ("-s", $source));
}
# Prepare destination options.
my @destination_options = ();
- if ($destination) {
+ if ($destination =~ /-m geoip/) {
+ push(@destination_options, $destination);
+ } elsif ($destination) {
push(@destination_options, ("-d", $destination));
}
}
}
+sub geoipblock {
+ my %geoipsettings = ();
+
+ # Check if the geoip settings file exists
+ if (-e "$geoipfile") {
+ # Read settings file
+ &General::readhash("$geoipfile", \%geoipsettings);
+ } else {
+ # Exit submodule, go on processing the remaining script
+ return;
+ }
+
+ # If geoip blocking is not enabled, we are finished here.
+ if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+ # Exit submodule. Process remaining script.
+ return;
+ }
+
+ # Get supported locations.
+ my @locations = &fwlib::get_geoip_locations();
+
+ # Create iptables chain.
+ run("$IPTABLES -F GEOIPBLOCK");
+
+ # Loop through all supported geoip locations and
+ # create iptables rules, if blocking this country
+ # is enabled.
+ foreach my $location (@locations) {
+ if($geoipsettings{$location} eq "on") {
+ run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+ }
+ }
+}
+
sub get_protocols {
my $hash = shift;
my $key = shift;