From 211694e588cf65dba21b6f9eb32f1ca7fd4520eb Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sun, 4 Jan 2015 01:05:45 +0100
Subject: [PATCH] firewall: Add support for geoipblock to rules.pl.
---
 config/firewall/rules.pl | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 mode change 100755 => 100644 config/firewall/rules.pl
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
old mode 100755
new mode 100644
index 75a9357f64..834e248716
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -60,6 +60,7 @@ my $configfwdfw = "${General::swroot}/firewall/config";
 my $configinput = "${General::swroot}/firewall/input";
 my $configoutgoing = "${General::swroot}/firewall/outgoing";
 my $p2pfile = "${General::swroot}/firewall/p2protocols";
+my $geoipfile = "${General::swroot}/firewall/geoipblock";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
 my $netsettings = "${General::swroot}/ethernet/settings";
 
@@ -94,6 +95,9 @@ sub main {
 	# Load P2P block rules.
 	&p2pblock();
 
+	# Load GeoIP block rules.
+	&geoipblock();
+
 	# Reload firewall policy.
 	run("/usr/sbin/firewall-policy");
 }
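Review bot: The file header's `old mode 100755` / `new mode 100644` strips the executable bit from rules.pl, which the diffstat also records as `mode change 100755 => 100644`, yet neither the subject nor the two hunks here suggest that was intended. If the script is executed directly (for example by a wrapper that execs it) rather than passed to perl as an argument, losing the bit stops it from running at all. Unless the mode change is deliberate, restore it before merging, e.g. `git update-index --chmod=+x config/firewall/rules.pl`, and keep the patch limited to the geoipblock additions.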
@@ -570,6 +574,40 @@ sub p2pblock {
 	}
 }
 
+sub geoipblock {
+	my %geoipsettings = ();
+
+	# Check if the geoip settings file exists
+	if (-e "$geoipfile") {
+		# Read settings file
+		&General::readhash("$geoipfile", \%geoipsettings);
+	} else {
+		# Exit submodule, go on processing the remaining script
+		return;
+	}
+
+	# If geoip blocking is not enabled, we are finished here.
+	if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+		# Exit submodule. Process remaining script.
+		return;
+	}
+
+	# Get supported locations.
+	my @locations = &fwlib::get_geoip_locations();
+
+	# Create iptables chain.
+	run("$IPTABLES -F GEOIPBLOCK");
+
+	# Loop through all supported geoip locations and
+	# create iptables rules, if blocking this country
+	# is enabled.
+	foreach my $location (@locations) {
+		if($geoipsettings{$location} eq "on") {
+			run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+		}
+	}
+}
+
 sub get_protocols {
 	my $hash = shift;
 	my $key = shift;
-- 
2.39.5
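Review bot: `geoipblock` returns before `run("$IPTABLES -F GEOIPBLOCK")` whenever the settings file is missing or `GEOIPBLOCK_ENABLED` is not `on`, so DROP rules appended by an earlier run survive in the chain after blocking is switched off; unless something outside this hunk flushes GEOIPBLOCK, traffic from countries that are no longer selected keeps being dropped. Move the flush ahead of both early returns (directly after `my %geoipsettings = ();`) so every run starts from an empty chain, and note that the `# Create iptables chain.` comment is inaccurate, since `-F` only empties a chain that must already exist. Separately, each `$location` is interpolated unchecked into the shell command handed to `run`; the values come from `&fwlib::get_geoip_locations()`, which this hunk does not show, so guard the loop with an anchored check matching the expected code format, e.g. `next unless $location =~ m/\A[A-Z0-9]{2}\z/;`, before the command is built.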