webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 11:13:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'stevee/core-90-geoip' into next

Browse Source
This commit is contained in:
Michael Tremer
2015-04-18 16:15:17 +02:00
parent d54a2ce452 db5b5de9a9
commit 49b70d62a9
36 changed files with 1669 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/initscripts/init.d/firewall
View File

@@ -179,6 +179,11 @@ iptables_init() {
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
# GeoIP block
iptables -N GEOIPBLOCK
iptables -A INPUT -j GEOIPBLOCK
iptables -A FORWARD -j GEOIPBLOCK
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD

23
src/initscripts/init.d/networking/red.up/99-geoip-database Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
# Get the GeoIP database if no one exists yet.
DIR="/usr/share/xt_geoip/*"
found=false
# Check if the directory contains any data.
for i in $DIR; do
# Ignore "." and ".."
if [ -d "$i" ]; then
found=true
break
fi
done
# Download ruleset if none has been found.
if ! ${found}; then
/usr/local/bin/xt_geoip_update >/dev/null 2>&1
fi
exit 0

89
src/scripts/xt_geoip_build Normal file
View File

@@ -0,0 +1,89 @@
#!/usr/bin/perl
#
# Converter for MaxMind CSV database to binary, for xt_geoip
# Copyright © Jan Engelhardt, 2008-2011
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;
my $csv = Text::CSV_XS->new({
allow_whitespace => 1,
binary => 1,
eol => $/,
}); # or Text::CSV
my $target_dir = ".";
&Getopt::Long::Configure(qw(bundling));
&GetOptions(
"D=s" => \$target_dir,
);
if (!-d $target_dir) {
print STDERR "Target directory $target_dir does not exist.\n";
exit 1;
}
my $dir = "$target_dir/LE";
if (!-e $dir && !mkdir($dir)) {
print STDERR "Could not mkdir $dir: $!\n";
exit 1;
}
&dump(&collect());
sub collect
{
my %country;
while (my $row = $csv->getline(*ARGV)) {
if (!defined($country{$row->[4]})) {
$country{$row->[4]} = {
name => $row->[5],
pool_v4 => [],
pool_v6 => [],
};
}
my $c = $country{$row->[4]};
push(@{$c->{pool_v4}}, [$row->[2], $row->[3]]);
if ($. % 4096 == 0) {
print STDERR "\r\e[2K$. entries";
}
}
print STDERR "\r\e[2K$. entries total\n";
return \%country;
}
sub dump
{
my $country = shift @_;
foreach my $iso_code (sort keys %$country) {
&dump_one($iso_code, $country->{$iso_code});
}
}
sub dump_one
{
my($iso_code, $country) = @_;
my($file, $fh_le, $fh_be);
printf "%5u IPv4 ranges for %s %s\n",
scalar(@{$country->{pool_v4}}),
$iso_code, $country->{name};
$file = "$target_dir/LE/".uc($iso_code).".iv4";
if (!open($fh_le, "> $file")) {
print STDERR "Error opening $file: $!\n";
exit 1;
}
foreach my $range (@{$country->{pool_v4}}) {
print $fh_le pack("VV", $range->[0], $range->[1]);
#print $fh_be pack("NN", $range->[0], $range->[1]);
}
close $fh_le;
}

137
src/scripts/xt_geoip_update Normal file
View File

@@ -0,0 +1,137 @@
#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2014 IPFire Development Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
TMP_PATH=$(mktemp -d)
TMP_FILE=$(mktemp -p $TMP_PATH)
SCRIPT_PATH=/usr/local/bin
DEST_PATH=/usr/share/xt_geoip
DL_URL=http://geolite.maxmind.com/download/geoip/database
DL_FILE=GeoIPCountryCSV.zip
CSV_FILE=GeoIPCountryWhois.csv
ARCH=LE
eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
function download() {
echo "Downloading latest GeoIP ruleset..."
# Create temporary directory.
mkdir -pv $TMP_PATH
# Proxy settings.
# Check if a proxy should be used.
if [[ $UPSTREAM_PROXY ]]; then
PROXYSETTINGS="-e http_proxy=http://"
# Check if authentication against the proxy is configured.
if [[ $UPSTREAM_USER && $UPSTREAM_PASSWORD ]]; then
PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_USER:$UPSTREAM_PASSWORD@"
fi
# Add proxy server.
PROXYSETTINGS="$PROXYSETTINGS$UPSTREAM_PROXY"
fi
# Get the latest GeoIP database from server.
wget $DL_URL/$DL_FILE $PROXYSETTINGS -O $TMP_FILE
# Extract files.
unzip $TMP_FILE -d $TMP_PATH
return 0
}
function build() {
echo "Convert database..."
# Check if the csv file exists.
if [ ! -e $TMP_PATH/$CSV_FILE ]; then
echo "$TMP_PATH/$CSV_FILE not found. Exiting."
return 1
fi
# Run script to convert the CSV file into several xtables
# compatible binary files.
if ! $SCRIPT_PATH/xt_geoip_build $TMP_PATH/$CSV_FILE -D $TMP_PATH; then
echo "Could not convert ruleset. Aborting." >&2
return 1
fi
return 0
}
function install() {
echo "Install databases..."
# Check if our destination exist.
if [ ! -e "$DEST_PATH" ]; then
mkdir -p $DEST_PATH &>/dev/null
fi
# Install databases.
if ! cp -af $TMP_PATH/$ARCH $DEST_PATH &>/dev/null; then
echo "Could not copy files. Aborting." >&2
return 1
fi
return 0
}
function cleanup() {
echo "Cleaning up temporary files..."
if ! rm -rf $TMP_PATH &>/dev/null; then
echo "Could not remove files. Aborting." >&2
return 1
fi
return 0
}
function main() {
# Download ruleset.
download || exit $?
# Convert the ruleset.
if ! build; then
# Do cleanup.
cleanup || exit $?
exit 1
fi
# Install the converted ruleset.
if ! install; then
# Do cleanup.
cleanup || exit $?
exit 1
fi
# Finaly remove temporary files.
cleanup || exit $?
return 0
}
# Run the main function.
main