From 8a9faa0250552a9d071e71d81ba099eba6636697 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 16 Mar 2022 23:49:34 +0100
Subject: [PATCH] * minifirewall: upstream release 22.03.2

---
 CHANGELOG.md | 2 +-
 minifirewall/files/blacklist-countries.sh | 23 ++++++++++
 minifirewall/files/minifirewall | 29 ++++++++++---
 minifirewall/files/minifirewall.d/zzz-custom | 11 +++++
 minifirewall/files/minifirewall.d/zzzz-ban | 7 +++
 minifirewall/tasks/install.yml | 45 ++++++++++++++++----
 6 files changed, 101 insertions(+), 16 deletions(-)
 create mode 100644 minifirewall/files/blacklist-countries.sh
 create mode 100644 minifirewall/files/minifirewall.d/zzz-custom
 create mode 100644 minifirewall/files/minifirewall.d/zzzz-ban

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1c9d1bef..d1fa35d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,7 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: backup-server-state release 22.03
 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
 * generate-ldif: Add services check for bkctld
-* minifirewall: upstream release 22.03.1 and use includes directory
+* minifirewall: upstream release 22.03.2 and use includes directory
 
 ### Fixed
 
diff --git a/minifirewall/files/blacklist-countries.sh b/minifirewall/files/blacklist-countries.sh
new file mode 100644
index 00000000..3a3d20db
--- /dev/null
+++ b/minifirewall/files/blacklist-countries.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+ripedeny_file=/var/tmp/ripe_deny
+
+cd /var/tmp
+
+rm -f $ripedeny_file
+
+GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5
+GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr
+
+for i in CN KR RU; do
+
+ grep "^$i|" ripe.cidr >> $ripedeny_file
+
+done
+
+/sbin/iptables -F NEEDRESTRICT
+
+for i in $(cat $ripedeny_file); do
+ BLOCK=$(echo $i | cut -d"|" -f2)
+ /sbin/iptables -I NEEDRESTRICT -s $BLOCK -j DROP
+done
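Review bot: The checksum file is downloaded into ripe.cidr.md5 but never compared with ripe.cidr, and neither GET call is checked for success before the script flushes NEEDRESTRICT and re-inserts whatever is in ripe.cidr, so a failed or altered plain-HTTP download either silently empties the blacklist or drops arbitrary source ranges. Verifying the digest and stopping on any error before the `iptables -F` keeps the previous rules intact on failure; the final loop can also read the file line by line instead of `for i in $(cat …)` and quote `$BLOCK`. The fence assumes ripe.cidr.md5 is in `md5sum` format and that GET exits non-zero on HTTP errors; if either does not hold, compare `md5sum ripe.cidr` with the file's content and test the response explicitly. Separately, the zzzz-ban include in this same patch describes this script as a way to produce /root/ban.iptables, whereas the script inserts rules directly into NEEDRESTRICT — one of the two should be adjusted.
```sh
#!/bin/sh
set -eu

ripedeny_file=/var/tmp/ripe_deny
cd /var/tmp
rm -f "$ripedeny_file"

GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5
GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr
# Stop here, with the current NEEDRESTRICT rules untouched, unless the list matches its digest.
md5sum -c --status ripe.cidr.md5 || { echo "ripe.cidr does not match ripe.cidr.md5" >&2; exit 1; }

# … unchanged: per-country grep into $ripedeny_file …

/sbin/iptables -F NEEDRESTRICT
# Lines are "CC|prefix"; read them whole rather than word-splitting the file.
while IFS='|' read -r _cc block _rest; do
  /sbin/iptables -I NEEDRESTRICT -s "$block" -j DROP
done < "$ripedeny_file"
```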
diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall
index b1595471..0367968a 100755
--- a/minifirewall/files/minifirewall
+++ b/minifirewall/files/minifirewall
@@ -28,9 +28,10 @@
 # Description: Firewall designed for standalone server
 ### END INIT INFO
 
-VERSION="22.03.1"
+VERSION="22.03.2"
 NAME="minifirewall"
+# shellcheck disable=SC2034
 DESC="Firewall designed for standalone server"
 
 set -u
@@ -115,6 +116,8 @@ chain_exists() {
 chain_name="$1"
 if [ $# -ge 2 ]; then
 intable="--table $2"
+ else
+ intable=""
 fi
 # shellcheck disable=SC2086
 iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
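Review bot: The new `else` branch in chain_exists reads more simply as an initialisation placed before the test — `intable=""` on the line above `if [ $# -ge 2 ]; then`, with the `else`/`intable=""` pair dropped — which also makes the default visible at first sight. The fix itself is needed: with the `set -u` visible in the previous hunk, an unset `intable` aborted the single-argument call path of this function. chain_exists's closing line is outside the hunk.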
@@ -476,34 +479,46 @@ start() {
 # Privileged services (accessible from privileged & trusted IPs)
 for dstport in ${SERVICESTCP2}; do
 for srcip in ${PRIVILEGIEDIPS}; do
- ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+ if ! is_ipv6 ${srcip}; then
+ ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+ fi
 done
 for srcip in ${TRUSTEDIPS}; do
- ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+ if ! is_ipv6 ${srcip}; then
+ ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+ fi
 done
 done
 
 for dstport in ${SERVICESUDP2}; do
 for srcip in ${PRIVILEGIEDIPS}; do
- ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+ if ! is_ipv6 ${srcip}; then
+ ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+ fi
 done
 for srcip in ${TRUSTEDIPS}; do
- ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+ if ! is_ipv6 ${srcip}; then
+ ${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+ fi
 done
 done
 
 # Trusted services (accessible from trusted IPs)
 for dstport in ${SERVICESTCP3}; do
 for srcip in ${TRUSTEDIPS}; do
- ${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+ if ! is_ipv6 ${srcip}; then
+ ${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
+ fi
 done
 done
 
 for dstport in ${SERVICESUDP3}; do
 for srcip in ${TRUSTEDIPS}; do
- ${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+ if ! is_ipv6 ${srcip}; then
+ ${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
+ fi
 done
 done
 
 fi
diff --git a/minifirewall/files/minifirewall.d/zzz-custom b/minifirewall/files/minifirewall.d/zzz-custom
new file mode 100644
index 00000000..7ac24f06
--- /dev/null
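Review bot: The `if ! is_ipv6 ${srcip}; then` guard added in six places leaves `${srcip}` unquoted in the test while the `${IPT}` line directly below quotes it, and repeats the same three-line pattern for every chain/protocol pair. A small helper taking chain, protocol, source and port — defined next to chain_exists, outside this hunk — would carry the guard and the quoting once, and each loop body becomes a single call such as `docker_return_rule MINIFW-DOCKER-PRIVILEGED tcp "${srcip}" "${dstport}"`. This presumes is_ipv6 is defined elsewhere in the file and returns 0 for an IPv6 literal, which is how the hunk uses it; start() begins and ends outside the hunk.
```sh
# Insert a RETURN rule into an IPv4-only Docker chain, skipping IPv6 sources.
# $1 chain, $2 protocol, $3 source IP, $4 destination port
docker_return_rule() {
    if ! is_ipv6 "$3"; then
        ${IPT} -I "$1" -p "$2" -s "$3" --dport "$4" -j RETURN
    fi
}

# … unchanged: start(), loops over ${SERVICESTCP2} / ${PRIVILEGIEDIPS} etc.; each loop body becomes one call …
            docker_return_rule MINIFW-DOCKER-PRIVILEGED tcp "${srcip}" "${dstport}"
```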
+++ b/minifirewall/files/minifirewall.d/zzz-custom
@@ -0,0 +1,11 @@
+### custom minifirewall commands
+#
+# You can add any custom command in files like this;
+# either this one, or others in the same directory.
+# They are executed as shell scripts.
+# They are automatically included in alphanumerical order.
+#
+# Within included files, you can use those helper functions :
+# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
+# * is_docker_enabled: returns true if Docker mode is eabled, or false
+# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
diff --git a/minifirewall/files/minifirewall.d/zzzz-ban b/minifirewall/files/minifirewall.d/zzzz-ban
new file mode 100644
index 00000000..6dc516b0
--- /dev/null
+++ b/minifirewall/files/minifirewall.d/zzzz-ban
@@ -0,0 +1,7 @@
+### ban rules
+#
+# If you have ban rules in /root/ban.iptables
+# (either manually or with /usr/share/scripts/blacklist-countries.sh)
+# ou can automatically import them with the following command:
+#
+# cat /root/ban.iptables | iptables-restore -n
diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml
index e537fb6f..5eeed116 100644
--- a/minifirewall/tasks/install.yml
+++ b/minifirewall/tasks/install.yml
@@ -14,14 +14,6 @@
 owner: root
 group: root
 
-- name: include directory is present
- file:
- path: /etc/minifirewall.d/
- state: directory
- owner: root
- group: root
- mode: "0700"
-
 - name: configuration is copied
 copy:
 src: minifirewall.conf
@@ -30,3 +22,40 @@
 mode: "0600"
 owner: root
 group: root
+
+- name: includes directory is present
+ file:
+ path: /etc/minifirewall.d/
+ state: directory
+ owner: root
+ group: root
+ mode: "0700"
+
+- name: examples for includes are present
+ copy:
+ src: "minifirewall.d/"
+ dest: "/etc/minifirewall.d/"
+ force: "no"
+ mode: "0600"
+ owner: root
+ group: root
+
+- include_role:
+ name: evolix/remount-usr
+
+- name: /usr/share/scripts exists
+ file:
+ dest: /usr/share/scripts
+ mode: "0700"
+ owner: root
+ group: root
+ state: directory
+
+- name: blacklist-countries.sh is copied
+ copy:
+ src: blacklist-countries.sh
+ dest: /usr/share/scripts/blacklist-countries.sh
+ force: "no"
+ mode: "0700"
+ owner: root
+ group: root
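Review bot: `force: "no"` on the final task means blacklist-countries.sh is written to /usr/share/scripts only when absent, so later runs of the role will not deliver a corrected version of that script; the same setting suits the examples copied into /etc/minifirewall.d/, which administrators are expected to edit, but the script is not a user-maintained file. Unless local in-place edits of the script are intended, drop the `force: "no"` line from the last task (the copy module's default replaces a differing file), or record the reason in a comment next to it. The remount-usr include_role presumably makes /usr writable for the tasks that follow; whether that needs to be reverted afterwards is not visible here.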