https://bugs.koozali.org/show_bug.cgi?id=12418

            Bug ID: 12418
           Summary: smeserver-xt_geoip NFR Add UDP support
    Classification: Contribs
           Product: SME Contribs
           Version: 10.0
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-xt_geoip
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
  Target Milestone: ---

I really wanted to block some of the bad actors trying to access openvpn on UDP
1194.

The contrib has no UDP support as far as I can see - only TCP.

I made a small hard coded patch to test as follows:

diff -ruN /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustXt_Geoip

--- /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip       
2020-06-07 21:12:41.000000000 +0200
+++ /etc/e-smith/templates-custom//etc/rc.d/init.d/masq/90adjustXt_Geoip       
2023-10-19 17:12:48.530525989 +0200
@@ -78,6 +78,9 @@
            }
        }

+    $OUT .= "   /sbin/iptables -A \$NEW_XTGeoIP -m geoip  --src-cc CN,SG, etc
-p udp --dport 1194 -j ULOG --ulog-prefix \"GeoIP BAN: openvpn-routed\"\n";
+    $OUT .= "   /sbin/iptables -A \$NEW_XTGeoIP -m geoip  --src-cc CN,SG, etc
-p udp --dport 1194 -j DROP\n";
+
    # block for all or other ports should move there
    if ($BC ne '') {
                    my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq
"enabled" )? "!":  "";
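Review bot: the two added rules are emitted unconditionally with a hard-coded port (1194) and a placeholder country list (`CN,SG, etc` is not valid `--src-cc` input), so as written the hunk is a test stub rather than something the template could ship. The TCP branch that follows derives its negation from the masq configuration (`$reverse` from `$masq{'XTGeoipRev'}`); the UDP rules should be generated inside that same branch, from the same configured country string and with `$reverse` applied, otherwise a reversed (allow-list) configuration would still drop traffic from the listed countries on UDP while allowing it on TCP. The ULOG rule and the DROP rule should also share one generated match string so the two cannot drift apart.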


Seems to work fine:

/var/log/iptables/denylog.log now has

GeoIP BAN: openvpn-routed IN=eth0 OUT= MAC=52:54:00:00:blah SRC=188.241.240.99
DST=my.wan.ip LEN=42 TOS=00 PREC=0x00 TTL=113 ID=8118 PROTO=UDP SPT=45153
DPT=1194 LEN=22 MARK=0

Does me for now but would be nice to add UDP support.

Guess we could just duplicate the TCP lines to UDP so it blocks both, but
openvpn doesn't have a TCP port set so won't show up in the server panel.
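As an added example (not part of the bug report or the contrib), the following Python parses ULOG lines of the shape shown above and picks out GeoIP BAN entries that hit UDP 1194, which is the check one would run over /var/log/iptables/denylog.log to confirm the new rule is actually the one firing. The sample line is constructed from the excerpt above; the MAC and DST values are the reporter's placeholders.

```python
import re

# Constructed sample line with the same layout as the denylog excerpt in the
# bug report; MAC and DST keep the reporter's placeholder values.
SAMPLE_LOG = (
    "GeoIP BAN: openvpn-routed IN=eth0 OUT= MAC=52:54:00:00:blah "
    "SRC=188.241.240.99 DST=my.wan.ip LEN=42 TOS=00 PREC=0x00 TTL=113 "
    "ID=8118 PROTO=UDP SPT=45153 DPT=1194 LEN=22 MARK=0"
)

# KEY=VALUE tokens as printed by the iptables ULOG target; VALUE may be empty (OUT=).
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_denylog_line(line):
    """Split one ULOG line into its textual prefix and a dict of KEY=VALUE fields.

    The IP header length and the UDP header length are both printed as LEN=;
    the first occurrence stays LEN, the second is stored as L4_LEN so that
    neither value is silently overwritten.
    """
    first_eq = line.find("=")
    prefix_end = line.rfind(" ", 0, first_eq)
    prefix = line[:prefix_end].strip()
    fields = {}
    for key, value in FIELD_RE.findall(line[prefix_end:]):
        if key in fields:
            key = "L4_" + key
        fields[key] = value
    return prefix, fields


def geoip_udp_hits(lines, port="1194"):
    """Return (prefix, SRC) for every GeoIP BAN line that is a UDP packet to port."""
    hits = []
    for line in lines:
        prefix, f = parse_denylog_line(line)
        if (prefix.startswith("GeoIP BAN")
                and f.get("PROTO") == "UDP"
                and f.get("DPT") == port):
            hits.append((prefix, f["SRC"]))
    return hits
```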

_______________________________________________
Mail for each SME Contribs bug report
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/