Add support for generating GeoIP-based firewall rules.

This commit adds support to the rules.pl and firewall-lib.pl to generate
correct iptables commands for inserting GeoIP-based firewall rules
into the kernel.
Alexander Marx
2015-02-17 17:01:42 +01:00
committed by Stefan Schantl
parent 6897c329b5
commit b9ca2fa60f
2 changed files with 34 additions and 2 deletions

28
config/firewall/firewall-lib.pl Executable file → Normal file

@@ -27,6 +27,7 @@ package fwlib;
my %customnetwork=(); my %customnetwork=();
my %customhost=(); my %customhost=();
my %customgrp=(); my %customgrp=();
my %customgeoipgrp=();
my %customservice=(); my %customservice=();
my %customservicegrp=(); my %customservicegrp=();
my %ccdnet=(); my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
my $confignet = "${General::swroot}/fwhosts/customnetworks"; my $confignet = "${General::swroot}/fwhosts/customnetworks";
my $confighost = "${General::swroot}/fwhosts/customhosts"; my $confighost = "${General::swroot}/fwhosts/customhosts";
my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
my $configsrv = "${General::swroot}/fwhosts/customservices"; my $configsrv = "${General::swroot}/fwhosts/customservices";
my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
&General::readhasharray("$confignet", \%customnetwork); &General::readhasharray("$confignet", \%customnetwork);
&General::readhasharray("$confighost", \%customhost); &General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configgrp", \%customgrp); &General::readhasharray("$configgrp", \%customgrp);
&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
&General::readhasharray("$configccdnet", \%ccdnet); &General::readhasharray("$configccdnet", \%ccdnet);
&General::readhasharray("$configccdhost", \%ccdhost); &General::readhasharray("$configccdhost", \%ccdhost);
&General::readhasharray("$configipsec", \%ipsecconf); &General::readhasharray("$configipsec", \%ipsecconf);
@@ -295,6 +298,17 @@ sub get_addresses
if ($customgrp{$grp}[0] eq $value) { if ($customgrp{$grp}[0] eq $value) {
my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type); my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
if (@address) {
push(@addresses, @address);
}
}
}
}elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
$value=substr($value,6);
foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
if ($customgeoipgrp{$grp}[0] eq $value) {
my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
if (@address) { if (@address) {
push(@addresses, @address); push(@addresses, @address);
} }
@@ -414,6 +428,20 @@ sub get_address
} }
} }
# Handle rule options with GeoIP as source.
} elsif ($key eq "cust_geoip_src") {
# Get external interface.
my $external_interface = &get_external_interface();
push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
# Handle rule options with GeoIP as target.
} elsif ($key eq "cust_geoip_tgt") {
# Get external interface.
my $external_interface = &get_external_interface();
push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
# If nothing was selected, we assume "any". # If nothing was selected, we assume "any".
} else { } else {
push(@ret, ["0/0", ""]); push(@ret, ["0/0", ""]);
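Review bot: The new `cust_geoip_src`/`cust_geoip_tgt` branches in get_address interpolate `$value` into the option string (`"-m geoip --src-cc $value"`, and `--dst-cc` likewise) without checking that it is actually a country-code list, and because the matching rules.pl branches (`$source =~ /-m geoip/`, `$destination =~ /-m geoip/`) push that whole string as a single list element, its three tokens can only be separated by a shell at execution time, which is exactly where a stray character in `$value` would matter; a check before each push that only proceeds when `$value =~ /\A[A-Z]{2}(?:,[A-Z]{2})*\z/` (xt_geoip takes comma-separated two-letter codes) keeps the generated rule well-formed however the command is eventually run. The `elsif` opening the get_addresses addition uses smartmatch (`~~`), which is experimental and warns on newer perls, and `$value =~ "group:"` is unanchored while the following `substr($value, 6)` assumes the prefix sits at the start; `} elsif (($addr_type eq "cust_geoip_src" || $addr_type eq "cust_geoip_tgt") && $value =~ /\Agroup:/) {` expresses the intended test without either issue. The duplicated `my $external_interface = &get_external_interface();` could be hoisted above the two branches since both use it identically. Both get_addresses and get_address begin outside their hunks, and the rules.pl hunk runs past the end of what is shown here.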


@@ -368,13 +368,17 @@ sub buildrules {
my @source_options = (); my @source_options = ();
if ($source =~ /mac/) { if ($source =~ /mac/) {
push(@source_options, $source); push(@source_options, $source);
} elsif ($source) { } elsif ($source =~ /-m geoip/) {
push(@source_options, $source);
} elsif($source) {
push(@source_options, ("-s", $source)); push(@source_options, ("-s", $source));
} }
# Prepare destination options. # Prepare destination options.
my @destination_options = (); my @destination_options = ();
if ($destination) { if ($destination =~ /-m geoip/) {
push(@destination_options, $destination);
} elsif ($destination) {
push(@destination_options, ("-d", $destination)); push(@destination_options, ("-d", $destination));
} }