X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=config%2Ffirewall%2Frules.pl;h=daa95651bbecaf02d70bf143856dd6546f082c29;hb=f09f3fd8819de0565c6ac73048b0dcfcff0c75ec;hp=8abc675f7f6f8d5693598ade0523748a5b20f20d;hpb=c98cc4ae90643b9a43431be5de7d821c110267c0;p=ipfire-2.x.git diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl old mode 100755 new mode 100644 index 8abc675f7f..daa95651bb --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -60,6 +60,7 @@ my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; my $configoutgoing = "${General::swroot}/firewall/outgoing"; my $p2pfile = "${General::swroot}/firewall/p2protocols"; +my $geoipfile = "${General::swroot}/firewall/geoipblock"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; @@ -102,6 +103,9 @@ sub main { # Load P2P block rules. &p2pblock(); + # Load GeoIP block rules. + &geoipblock(); + # Reload firewall policy. run("/usr/sbin/firewall-policy"); @@ -365,13 +369,17 @@ sub buildrules { my @source_options = (); if ($source =~ /mac/) { push(@source_options, $source); - } elsif ($source) { + } elsif ($source =~ /-m geoip/) { + push(@source_options, $source); + } elsif($source) { push(@source_options, ("-s", $source)); } # Prepare destination options. my @destination_options = (); - if ($destination) { + if ($destination =~ /-m geoip/) { + push(@destination_options, $destination); + } elsif ($destination) { push(@destination_options, ("-d", $destination)); } @@ -570,6 +578,38 @@ sub p2pblock { } } +sub geoipblock { + my %geoipsettings = (); + $geoipsettings{'GEOIPBLOCK_ENABLED'} = "off"; + + # Flush iptables chain. + run("$IPTABLES -F GEOIPBLOCK"); + + # Check if the geoip settings file exists + if (-e "$geoipfile") { + # Read settings file + &General::readhash("$geoipfile", \%geoipsettings); + } + + # If geoip blocking is not enabled, we are finished here. + if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") { + # Exit submodule. Process remaining script. + return; + } + + # Get supported locations. + my @locations = &fwlib::get_geoip_locations(); + + # Loop through all supported geoip locations and + # create iptables rules, if blocking this country + # is enabled. + foreach my $location (@locations) { + if($geoipsettings{$location} eq "on") { + run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP"); + } + } +} + sub get_protocols { my $hash = shift; my $key = shift;