From: Stefan Schantl
Date: Sun, 4 Jan 2015 00:05:45 +0000 (+0100)
Subject: firewall: Add support for geoipblock to rules.pl.
X-Git-Tag: v2.17-core91~128^2~6^2~12^2~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=211694e588cf65dba21b6f9eb32f1ca7fd4520eb;p=people%2Fstevee%2Fipfire-2.x.git

firewall: Add support for geoipblock to rules.pl.
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
old mode 100755
new mode 100644
index 75a9357f64..834e248716
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -60,6 +60,7 @@ my $configfwdfw = "${General::swroot}/firewall/config";
 my $configinput = "${General::swroot}/firewall/input";
 my $configoutgoing = "${General::swroot}/firewall/outgoing";
 my $p2pfile = "${General::swroot}/firewall/p2protocols";
+my $geoipfile = "${General::swroot}/firewall/geoipblock";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
 my $netsettings = "${General::swroot}/ethernet/settings";
@@ -94,6 +95,9 @@ sub main {
 # Load P2P block rules.
 &p2pblock();
+ # Load GeoIP block rules.
+ &geoipblock();
+
 # Reload firewall policy.
 run("/usr/sbin/firewall-policy");
 }
@@ -570,6 +574,40 @@ sub p2pblock {
 }
 }
+sub geoipblock {
+ my %geoipsettings = ();
+
+ # Check if the geoip settings file exists
+ if (-e "$geoipfile") {
+ # Read settings file
+ &General::readhash("$geoipfile", \%geoipsettings);
+ } else {
+ # Exit submodule, go on processing the remaining script
+ return;
+ }
+
+ # If geoip blocking is not enabled, we are finished here.
+ if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+ # Exit submodule. Process remaining script.
+ return;
+ }
+
+ # Get supported locations.
+ my @locations = &fwlib::get_geoip_locations();
+
+ # Create iptables chain.
+ run("$IPTABLES -F GEOIPBLOCK");
+
+ # Loop through all supported geoip locations and
+ # create iptables rules, if blocking this country
+ # is enabled.
+ foreach my $location (@locations) {
+ if($geoipsettings{$location} eq "on") {
+ run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+ }
+ }
+}
+
 sub get_protocols {
 my $hash = shift;
 my $key = shift;
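Review bot: Both early returns in geoipblock (settings file missing, GEOIPBLOCK_ENABLED not "on") skip the `run("$IPTABLES -F GEOIPBLOCK");` flush, so DROP rules appended on an earlier run stay in the chain after the user switches blocking off, unless the chain is flushed somewhere else in rules.pl that this hunk does not show; moving that flush to the top of the sub, ahead of the `-e "$geoipfile"` test, closes the gap. The comment `# Create iptables chain.` does not match `-F`, which only flushes and fails when the chain does not already exist; `# Flush the GEOIPBLOCK chain (it must have been created elsewhere).` says what the line does. In the location loop, `$geoipsettings{$location} eq "on"` raises an uninitialized-value warning for every country absent from the settings file; `if (($geoipsettings{$location} // "") eq "on") {` avoids that. Because `$location` is interpolated straight into the iptables command line, iterating over `get_geoip_locations()` rather than over the user-editable settings keys, as the hunk does, is the right choice and worth a one-line comment so it is not "simplified" later.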