#
# Shorewall 4 - GeoIP Action
#
#     /usr/share/shorewall/action.GeoIP
#
#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 2012- Tom Eastep (teastep@shorewall.net)
#
#     Complete documentation is available at http://shorewall.net
#
#     This program is free software; you can redistribute it and/or modify
#     it under the terms of Version 2 of the GNU General Public License
#     as published by the Free Software Foundation.
#
#     This program is distributed in the hope that it will be useful,
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#     GNU General Public License for more details.
#
#     You should have received a copy of the GNU General Public License
#     along with this program; if not, write to the Free Software
#     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#   GeoIP[(<countries>[,{<action>|-}][,{src|dst}][,{audit|-}])]
#
#       Where <countries> is a list of one or more ISO 3166 Country Codes (see table
#       below).
#
#   Default action is to do nothing, so either an <action> must be specified or
#   the parameter list must be followed by :<log level> to generate a logging rule.
#   (e.g., GeoIP(US):info).
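#
##########################################################################################
FORMAT 2

# One default per action parameter, in the order they are unpacked below:
# countries, action, src/dst selector, audit.
DEFAULTS -,-,src,-

BEGIN PERL;
# Embedded Perl for the GeoIP action.
#
# Validates the action parameters, then adds either a jump rule or a logging
# rule to the action chain, matching on the geoip source or destination
# country codes. Every failure is reported through fatal_error.

use strict;
use Shorewall::Chains qw(:DEFAULT :internal);

my ( $countries, $action, $srcdst, $audit ) = get_action_params( 4 );

# Allow-list of accepted country codes. A code that is absent from this table
# is rejected below, whatever the installed GeoIP database contains.
# NOTE(review): A1, A2, AP and EU look like GeoIP database pseudo-codes rather
# than ISO 3166 assignments -- confirm against the database in use.
our %isocodes = (
    A1 => "Anonymous Proxy",
    A2 => "Satellite Provider",
    AD => "Andorra",
    AE => "United Arab Emirates",
    AF => "Afghanistan",
    AG => "Antigua and Barbuda",
    AI => "Anguilla",
    AL => "Albania",
    AM => "Armenia",
    AN => "Netherlands Antilles",
    AO => "Angola",
    AP => "Asia/Pacific Region",
    AQ => "Antarctica",
    AR => "Argentina",
    AS => "American Samoa",
    AT => "Austria",
    AU => "Australia",
    AW => "Aruba",
    AX => "Aland Islands",
    AZ => "Azerbaijan",
    BA => "Bosnia and Herzegovina",
    BB => "Barbados",
    BD => "Bangladesh",
    BE => "Belgium",
    BF => "Burkina Faso",
    BG => "Bulgaria",
    BH => "Bahrain",
    BI => "Burundi",
    BJ => "Benin",
    BM => "Bermuda",
    BN => "Brunei Darussalam",
    BO => "Bolivia",
    BR => "Brazil",
    BS => "Bahamas",
    BT => "Bhutan",
    BV => "Bouvet Island",
    BW => "Botswana",
    BY => "Belarus",
    BZ => "Belize",
    CA => "Canada",
    CC => "Cocos (Keeling) Islands",
    CD => "Congo, The Democratic Republic of the",
    CF => "Central African Republic",
    CG => "Congo",
    CH => "Switzerland",
    CI => "Cote D'Ivoire",
    CK => "Cook Islands",
    CL => "Chile",
    CM => "Cameroon",
    CN => "China",
    CO => "Colombia",
    CR => "Costa Rica",
    CU => "Cuba",
    CV => "Cape Verde",
    CX => "Christmas Island",
    CY => "Cyprus",
    CZ => "Czech Republic",
    DE => "Germany",
    DJ => "Djibouti",
    DK => "Denmark",
    DM => "Dominica",
    DO => "Dominican Republic",
    DZ => "Algeria",
    EC => "Ecuador",
    EE => "Estonia",
    EG => "Egypt",
    EH => "Western Sahara",
    ER => "Eritrea",
    ES => "Spain",
    ET => "Ethiopia",
    EU => "Europe",
    FI => "Finland",
    FJ => "Fiji",
    FK => "Falkland Islands (Malvinas)",
    FM => "Micronesia, Federated States of",
    FO => "Faroe Islands",
    FR => "France",
    GA => "Gabon",
    GB => "United Kingdom",
    GD => "Grenada",
    GE => "Georgia",
    GF => "French Guiana",
    GG => "Guernsey",
    GH => "Ghana",
    GI => "Gibraltar",
    GL => "Greenland",
    GM => "Gambia",
    GN => "Guinea",
    GP => "Guadeloupe",
    GQ => "Equatorial Guinea",
    GR => "Greece",
    GS => "South Georgia and the South Sandwich Islands",
    GT => "Guatemala",
    GU => "Guam",
    GW => "Guinea-Bissau",
    GY => "Guyana",
    HK => "Hong Kong",
    HN => "Honduras",
    HR => "Croatia",
    HT => "Haiti",
    HU => "Hungary",
    ID => "Indonesia",
    IE => "Ireland",
    IL => "Israel",
    IM => "Isle of Man",
    IN => "India",
    IO => "British Indian Ocean Territory",
    IQ => "Iraq",
    IR => "Iran, Islamic Republic of",
    IS => "Iceland",
    IT => "Italy",
    JE => "Jersey",
    JM => "Jamaica",
    JO => "Jordan",
    JP => "Japan",
    KE => "Kenya",
    KG => "Kyrgyzstan",
    KH => "Cambodia",
    KI => "Kiribati",
    KM => "Comoros",
    KN => "Saint Kitts and Nevis",
    KP => "Korea, Democratic People's Republic of",
    KR => "Korea, Republic of",
    KW => "Kuwait",
    KY => "Cayman Islands",
    KZ => "Kazakhstan",
    LA => "Lao People's Democratic Republic",
    LB => "Lebanon",
    LC => "Saint Lucia",
    LI => "Liechtenstein",
    LK => "Sri Lanka",
    LR => "Liberia",
    LS => "Lesotho",
    LT => "Lithuania",
    LU => "Luxembourg",
    LV => "Latvia",
    LY => "Libyan Arab Jamahiriya",
    MA => "Morocco",
    MC => "Monaco",
    MD => "Moldova, Republic of",
    ME => "Montenegro",
    MG => "Madagascar",
    MH => "Marshall Islands",
    MK => "Macedonia",
    ML => "Mali",
    MM => "Myanmar",
    MN => "Mongolia",
    MO => "Macau",
    MP => "Northern Mariana Islands",
    MQ => "Martinique",
    MR => "Mauritania",
    MS => "Montserrat",
    MT => "Malta",
    MU => "Mauritius",
    MV => "Maldives",
    MW => "Malawi",
    MX => "Mexico",
    MY => "Malaysia",
    MZ => "Mozambique",
    NA => "Namibia",
    NC => "New Caledonia",
    NE => "Niger",
    NF => "Norfolk Island",
    NG => "Nigeria",
    NI => "Nicaragua",
    NL => "Netherlands",
    NO => "Norway",
    NP => "Nepal",
    NR => "Nauru",
    NU => "Niue",
    NZ => "New Zealand",
    OM => "Oman",
    PA => "Panama",
    PE => "Peru",
    PF => "French Polynesia",
    PG => "Papua New Guinea",
    PH => "Philippines",
    PK => "Pakistan",
    PL => "Poland",
    PM => "Saint Pierre and Miquelon",
    PR => "Puerto Rico",
    PS => "Palestinian Territory, Occupied",
    PT => "Portugal",
    PW => "Palau",
    PY => "Paraguay",
    QA => "Qatar",
    RE => "Reunion",
    RO => "Romania",
    RS => "Serbia",
    RU => "Russian Federation",
    RW => "Rwanda",
    SA => "Saudi Arabia",
    SB => "Solomon Islands",
    SC => "Seychelles",
    SD => "Sudan",
    SE => "Sweden",
    SG => "Singapore",
    SH => "Saint Helena",
    SI => "Slovenia",
    SJ => "Svalbard and Jan Mayen",
    SK => "Slovakia",
    SL => "Sierra Leone",
    SM => "San Marino",
    SN => "Senegal",
    SO => "Somalia",
    SR => "Suriname",
    ST => "Sao Tome and Principe",
    SV => "El Salvador",
    SY => "Syrian Arab Republic",
    SZ => "Swaziland",
    TC => "Turks and Caicos Islands",
    TD => "Chad",
    TF => "French Southern Territories",
    TG => "Togo",
    TH => "Thailand",
    TJ => "Tajikistan",
    TK => "Tokelau",
    TL => "Timor-Leste",
    TM => "Turkmenistan",
    TN => "Tunisia",
    TO => "Tonga",
    TR => "Turkey",
    TT => "Trinidad and Tobago",
    TV => "Tuvalu",
    TW => "Taiwan",
    TZ => "Tanzania, United Republic of",
    UA => "Ukraine",
    UG => "Uganda",
    UM => "United States Minor Outlying Islands",
    US => "United States",
    UY => "Uruguay",
    UZ => "Uzbekistan",
    VA => "Holy See (Vatican City State)",
    VC => "Saint Vincent and the Grenadines",
    VE => "Venezuela",
    VG => "Virgin Islands, British",
    VI => "Virgin Islands, U.S.",
    VN => "Vietnam",
    VU => "Vanuatu",
    WF => "Wallis and Futuna",
    WS => "Samoa",
    YE => "Yemen",
    YT => "Mayotte",
    ZA => "South Africa",
    ZM => "Zambia",
    ZW => "Zimbabwe",
);

require_capability 'GEOIP_MATCH', 'The GeoIP action', 's';

# Explicit parentheses around supplied()'s argument, so the tests do not rely on
# how supplied is prototyped to keep `&&` out of its argument list.
fatal_error "Invalid parameter ($audit) to action GeoIP"
    if supplied( $audit ) && $audit ne 'audit';

# $srcdst is interpolated into the geoip match option below, so only the two
# literal values are accepted. \A...\z also rejects a trailing newline, which
# the previous ^...$ anchors would have let through.
fatal_error "Invalid SRC/DST ($srcdst)"
    if supplied( $srcdst ) && $srcdst !~ /\A(?:src|dst)\z/;

my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );

# '|' is accepted as a separator as well as ','. The original spelling is kept
# and passed to split_list alongside the normalized list.
my $origcountries = $countries;
$countries =~ s/\|/,/g;
my @countries = split_list $countries, 'cc', $origcountries;

# Every code must be a key of %isocodes before the list reaches a rule.
# NOTE(review): the rules below interpolate the string $countries, not the
# validated @countries -- assumes split_list returns exactly the elements of
# that string; confirm.
for ( @countries ) {
    fatal_error "Unknown ISO 3166 Country Code ($_)" unless $isocodes{$_};
}

# With a single country and no explicit log tag, the country code is the tag.
$tag = $countries[0] unless $tag || @countries > 1;

if ( $target ne '' ) {
    my $targettype = $targets{$target} || 0;

    fatal_error "Unknown ACTION ($target)" unless $targettype;

    # `!` binds tighter than `&`, so the type test must be parenthesised.
    # Written as `! $targettype & (...)`, the first clause could never be true,
    # because $targettype is already known to be non-zero at this point. The
    # check therefore never rejected a target lacking all of STANDARD, CHAIN
    # and ACTION.
    fatal_error "The $target action may not be passed to GeoIP"
        if ( ! ( $targettype & ( STANDARD | CHAIN | ACTION ) ) ) || ( $targettype & ( NATRULE | NONAT ) );

    if ( $level ne '' ) {
        # Logging requested together with a target: build a log chain that
        # logs and then jumps to the target, and send matching packets there.
        my $chain1ref = ensure_filter_chain( newlogchain('filter' ), 0 );

        log_rule_limit $level, $chain1ref, $chainref->{name}, $target ? $target : 'LOG' , '', $tag, 'add', '';

        add_ijump( $chain1ref, j => $target );

        $target = $chain1ref->{name};
    }

    add_ijump $chainref , j => $target, geoip => "--${srcdst}-cc $countries";
} elsif ( $level ne '' ) {
    # No target, only a log level: emit a logging rule carrying the geoip match.
    log_rule_limit $level, $chainref, 'GeoIP' , $target ? $target : 'LOG' , '', $tag, 'add', "-m geoip --${srcdst}-cc $countries";
} else {
    fatal_error "Either an action or a log level must be specified";
}

allow_optimize( $chainref );

1;

END PERL;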