Merge branch 'seventeen-geoip' into next-geoip

config/firewall/firewall-lib.pl

@@ -27,6 +27,7 @@ package fwlib;
 my %customnetwork=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customservice=();
 my %customservicegrp=();
 my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
 my $confignet		= "${General::swroot}/fwhosts/customnetworks";
 my $confighost		= "${General::swroot}/fwhosts/customhosts";
 my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp 	= "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv 		= "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings		= "${General::swroot}/ethernet/settings";
 &General::readhasharray("$confignet", \%customnetwork);
 &General::readhasharray("$confighost", \%customhost);
 &General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
 &General::readhasharray("$configccdnet", \%ccdnet);
 &General::readhasharray("$configccdhost", \%ccdhost);
 &General::readhasharray("$configipsec", \%ipsecconf);
@@ -295,6 +298,17 @@ sub get_addresses
 			if ($customgrp{$grp}[0] eq $value) {
 				my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
 
+				if (@address) {
+					push(@addresses, @address);
+				}
+			}
+		}
+	}elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+		$value=substr($value,6);
+		foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+			if ($customgeoipgrp{$grp}[0] eq $value) {
+				my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+
 				if (@address) {
 					push(@addresses, @address);
 				}
@@ -414,6 +428,20 @@ sub get_address
 			}
 		}
 
+	# Handle rule options with GeoIP as source.
+	} elsif ($key eq "cust_geoip_src") {
+		# Get external interface.
+		my $external_interface = &get_external_interface();
+
+		push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+	# Handle rule options with GeoIP as target.
+	} elsif ($key eq "cust_geoip_tgt") {
+		# Get external interface.
+		my $external_interface = &get_external_interface();
+
+		push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
 	# If nothing was selected, we assume "any".
 	} else {
 		push(@ret, ["0/0", ""]);
@@ -552,4 +580,37 @@ sub get_internal_firewall_ip_address
 	return 0;
 }
 
+sub get_geoip_locations() {
+	# Path to the directory which contains the binary geoip
+	# databases.
+	my $directory="/usr/share/xt_geoip/LE";
+
+	# Array to store the final country list.
+	my @country_codes = ();
+
+	# Open location and do a directory listing.
+	opendir(DIR, "$directory");
+	my @locations = readdir(DIR);
+	closedir(DIR);
+
+	# Loop through the directory listing, and cut of the file extensions.
+	foreach my $location (sort @locations) {
+		# skip . and ..
+		next if($location =~ /^\.$/);
+		next if($location =~ /^\.\.$/);
+
+		# Remove whitespaces.
+		chomp($location);
+
+		# Cut-off file extension.
+		my ($country_code, $extension) = split(/\./, $location);
+
+		# Add country code to array.
+		push(@country_codes, $country_code);
+	}
+
+	# Return final array.
+	return @country_codes;
+}
+
 return 1;

config/firewall/geoipblock

@@ -0,0 +1 @@
+GEOIPBLOCK_ENABLED=off

config/firewall/rules.pl

@@ -60,6 +60,7 @@ my $configfwdfw		= "${General::swroot}/firewall/config";
 my $configinput	    = "${General::swroot}/firewall/input";
 my $configoutgoing  = "${General::swroot}/firewall/outgoing";
 my $p2pfile			= "${General::swroot}/firewall/p2protocols";
+my $geoipfile		= "${General::swroot}/firewall/geoipblock";
 my $configgrp		= "${General::swroot}/fwhosts/customgroups";
 my $netsettings		= "${General::swroot}/ethernet/settings";
 
@@ -102,6 +103,9 @@ sub main {
 	# Load P2P block rules.
 	&p2pblock();
 
+	# Load GeoIP block rules.
+	&geoipblock();
+
 	# Reload firewall policy.
 	run("/usr/sbin/firewall-policy");
 
@@ -365,13 +369,17 @@ sub buildrules {
 					my @source_options = ();
 					if ($source =~ /mac/) {
 						push(@source_options, $source);
-					} elsif ($source) {
+					} elsif ($source =~ /-m geoip/) {
+						push(@source_options, $source);
+					} elsif($source) {
 						push(@source_options, ("-s", $source));
 					}
 
 					# Prepare destination options.
 					my @destination_options = ();
-					if ($destination) {
+					if ($destination =~ /-m geoip/) {
+						push(@destination_options,  $destination);
+					} elsif ($destination) {
 						push(@destination_options, ("-d", $destination));
 					}
 
@@ -570,6 +578,40 @@ sub p2pblock {
 	}
 }
 
+sub geoipblock {
+	my %geoipsettings = ();
+
+	# Check if the geoip settings file exists
+	if (-e "$geoipfile") {
+		# Read settings file
+		&General::readhash("$geoipfile", \%geoipsettings);
+	} else {
+		# Exit submodule, go on processing the remaining script
+		return;
+	}
+
+	# If geoip blocking is not enabled, we are finished here.
+	if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+		# Exit submodule. Process remaining script.
+		return;
+	}
+
+	# Get supported locations.
+	my @locations = &fwlib::get_geoip_locations();
+
+	# Create iptables chain.
+	run("$IPTABLES -F GEOIPBLOCK");
+
+	# Loop through all supported geoip locations and
+	# create iptables rules, if blocking this country
+	# is enabled.
+	foreach my $location (@locations) {
+		if($geoipsettings{$location} eq "on") {
+			run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+		}
+	}
+}
+
 sub get_protocols {
 	my $hash = shift;
 	my $key = shift;