GeoIP banning from ipdeny list #37
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
disabled |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,15 +27,31 @@ event=$1 # name of the event (not used) | |
type=$2 # blacklist type (ipsets or dnss) | ||
|
||
if [[ "$type" == "ipsets" ]]; then | ||
conf="blacklist" | ||
status=$(/sbin/e-smith/config getprop blacklist status) | ||
ipsetUrl=$(/sbin/e-smith/config getprop blacklist Url) | ||
GeoipStatus=$(/sbin/e-smith/config getprop blacklist GeoipStatus) | ||
|
||
if [[ "$status" != "enabled" ]]; then | ||
exit 0 | ||
fi | ||
|
||
if [[ "$ipsetUrl" != "" ]]; then | ||
/usr/share/nethserver-blacklist/download ipsets | ||
fi | ||
Comment on lines +38 to +40

Is this a real condition?

See the comment below: the URL is no longer mandatory. We use it like a new checkbox in the UI; if the URL is a valid git repository and if the URL exists, then we download the list and use this list for the cron job.

Not sure if it's a good choice, I need to test it.
||
if [[ "$GeoipStatus" == "enabled" ]]; then | ||
/usr/share/nethserver-blacklist/download geoip | ||
else | ||
/usr/bin/rm -f /usr/share/nethserver-blacklist/geoips/* | ||
fi | ||
|
||
elif [[ "$type" == "dnss" ]]; then | ||
conf="ftl" | ||
status=$(/sbin/e-smith/config getprop ftl status) | ||
|
||
if [[ "$status" == "enabled" ]]; then | ||
exec /usr/share/nethserver-blacklist/download dnss | ||
fi | ||
|
||
else | ||
echo "Invalid blacklist type: $type" | ||
exit 1 | ||
fi | ||
|
||
status=$(/sbin/e-smith/config getprop $conf status) | ||
if [[ "$status" == "enabled" ]]; then | ||
exec /usr/share/nethserver-blacklist/download $type | ||
fi |
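Review bot: In the `ipsets` branch the exit status of `/usr/share/nethserver-blacklist/download ipsets` is never checked before the GeoIP step runs, whereas the `dnss` branch uses `exec` and so propagates the downloader's status; a failed list download can leave this action reporting success. Capture the status of each `download` call and exit non-zero if either fails. The `else` branch that runs `/usr/bin/rm -f /usr/share/nethserver-blacklist/geoips/*` only deletes the files, and nothing visible here reloads the ipsets afterwards, so it is worth confirming that setting GeoipStatus to disabled actually removes the country sets from the running firewall.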
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
#!/bin/bash | ||
# | ||
# Copyright (C) 2021 Nethesis S.r.l. | ||
# http://www.nethesis.it - nethserver@nethesis.it | ||
# | ||
# This script is part of NethServer. | ||
# | ||
# NethServer is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU General Public License as published by | ||
# the Free Software Foundation, either version 3 of the License, | ||
# or any later version. | ||
# | ||
# NethServer is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License | ||
# along with NethServer. If not, see COPYING. | ||
# | ||
|
||
dir=`/usr/bin/mktemp -d` | ||
|
||
/usr/bin/cd $dir | ||
/usr/bin/wget https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz >/dev/null 2>&1 | ||
tar -xf all-zones.tar.gz | ||
for j in *.zone | ||
do | ||
echo "# | ||
# ipv4 hash:ip ipset | ||
# Category : geoip_blocking | ||
# Source File Date : $(/usr/bin/date) | ||
# Maintainer : NethServer | ||
# List source URL : https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz | ||
# ISO Country Code : ${j%.zone} | ||
# | ||
$(/usr/bin/cat ${j})" > ${j} | ||
/usr/bin/mv -- "$j" "ISO_country_code_${j%.zone}.netset" | ||
|
||
done | ||
|
||
# ensure ipset directory is created | ||
/usr/bin/mkdir -p /usr/share/nethserver-blacklist/geoips | ||
/usr/bin/rm -f /usr/share/nethserver-blacklist/geoips/* | ||
/usr/bin/mv *.netset /usr/share/nethserver-blacklist/geoips/ | ||
/usr/bin/rm -rf $dir | ||
/usr/share/nethserver-blacklist/load-ipsets --reload | ||
exit $? |
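Review bot: `/usr/bin/cd $dir` does not change this script's working directory, because the external `cd` runs in a child process; `wget`, `tar`, the `*.zone` loop and `mv *.netset` therefore all operate in whatever directory the script was started from, and the temporary directory stays empty. Use the shell builtin, `cd "$dir" || exit 1`. The results of `wget` and `tar` are also never checked (wget's output goes to /dev/null), yet `rm -f /usr/share/nethserver-blacklist/geoips/*` runs unconditionally, so a failed download or extraction empties the existing country lists before `load-ipsets --reload` is called. Check that the download and extraction succeeded before removing the old files, and quote `$dir` and `${j}` where they are expanded.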
This change makes me think that URL is not mandatory anymore, but inside download script it looks like it is still mandatory. Am I missing something? 🤔

Not a Python guru like you @andre8244, I tested some ways.
Now the URL is not mandatory: if the URL exists then we download (see https://github.com/NethServer/nethserver-blacklist/pull/37/files#diff-af724284fab7ff3dbe0e6c5d083dd81c6c30bddb4a030f75431ef294796b3404R38), same in the cron job (see https://github.com/NethServer/nethserver-blacklist/pull/37/files#diff-78e4181675f2cbc15bc508d9a79c151096229bc2a3a4cb4bff0a29957c88b9e4R4).
Another way could be to have a third checkbox in the UI to enable git blacklist and a new property in the esmith key.
We still check if the URL is a valid URL and if it is a git repository.