https://bugs.koozali.org/show_bug.cgi?id=13493

            Bug ID: 13493
           Summary: Add Geoip bypass for selected IPs
    Classification: Contribs
           Product: SME Contribs
           Version: Futur
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-xt_geoip
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
  Target Milestone: ---

Attempting to bypass xt_geoip for selected IPs or network blocks that had not
updated, so created this patch which reads IPs from the httpd-admin config key
and adds them.

Note - this also enables remote access to the server so this key may not be
best but was in a rush and I needed an ordinary user to be able to manage it
for now.

A better solution would be an xt_geoip bypass panel for the contrib with
possibly a PermittedHosts property for the geoip key?


Could also add say a logging key as well?

config show geoip

geoip=service
    AccountID=
    LicenseKey=
    PermittedHosts=1.2.3.4/24
    logging=disabled
    status=enabled

Then just change ${'httpd-admin'} here to ${'geoip'}{'PermittedHosts'}

And anything ${ipblock} to ${geoip} etc


diff -ruN /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustXt_Geoip
--- /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip       
2020-06-07 21:12:41.000000000 +0200
+++ /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90adjustXt_Geoip
2026-04-10 16:50:14.075530035 +0200
@@ -61,6 +61,37 @@
         }
     }

+# Completely block any riff raff
+   if ( ( my $status = ${ipblock}{'status'} ) eq 'enabled' )
+   {
+       my $AllowHosts = ${'httpd-admin'}{'ValidFrom'} ||  '';
+       if ( $AllowHosts ne  '' ) {
+           my $logging = ${'ipblock'}{'logging'} || 'disabled';
+           $OUT .= "\n";
+           $OUT .= "# AllowHosts Simple ipblock for riff raff\n\n";
+           foreach my $host ( split( ',', $AllowHosts ) ) {
+               if ( $logging eq 'enabled' ) {
+                   $OUT .= "#   ipblock AllowHosts logging on\n";
+                   $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $host -j
ULOG --ulog-prefix \"IPAllow:\" \n";
+                   $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $host -j
RETURN\n";
+               }
+               else {
+                   $OUT .= "#   ipblock AllowHosts logging off\n";
+                   $OUT .= "    /sbin/iptables -A \$NEW_XTGeoIP -s $host -j
RETURN\n";
+               }
+           }
+           $OUT .= "\n";
+       }
+       else {
+           $OUT .= "# ipblock no AllowHosts set\n";
+       }
+   }
+   else {
+       $OUT .= "# ipblock disabled\n";
+   }
+
+# Ends
+
        my @services = split(/,/, $masq{'XtServices'});

        foreach my $servName (@services)
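
Review bot: In the foreach over split( ',', $AllowHosts ), each $host is written straight into the generated /sbin/iptables lines with no trimming or validation, so an entry with a space after the comma, an empty entry, or shell metacharacters lands verbatim in the expanded masq init script, which runs as root. Strip whitespace from each entry and skip anything that does not match an IPv4 address or address/mask pattern before emitting a rule, writing a comment line for skipped entries so the omission is visible. The outer test reads ${ipblock}{'status'} while the allow list comes from ${'httpd-admin'}{'ValidFrom'}; if the ipblock key is not defined the eq compares against undef, so give it a default with || 'disabled' as is already done for logging. The two logging branches duplicate the RETURN line; emitting the ULOG rule conditionally and the RETURN rule once would make the loop shorter and keep the two paths from drifting apart.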
