auto update script executed

mod/geodb/blacklist.go

@@ -0,0 +1,91 @@
+package geodb
+
+import "strings"
+
+/*
+	Blacklist.go
+
+	This script store the blacklist related functions
+*/
+
+//Geo Blacklist
+
+func (s *Store) AddCountryCodeToBlackList(countryCode string) {
+	countryCode = strings.ToLower(countryCode)
+	s.sysdb.Write("blacklist-cn", countryCode, true)
+}
+
+func (s *Store) RemoveCountryCodeFromBlackList(countryCode string) {
+	countryCode = strings.ToLower(countryCode)
+	s.sysdb.Delete("blacklist-cn", countryCode)
+}
+
+func (s *Store) IsCountryCodeBlacklisted(countryCode string) bool {
+	countryCode = strings.ToLower(countryCode)
+	var isBlacklisted bool = false
+	s.sysdb.Read("blacklist-cn", countryCode, &isBlacklisted)
+	return isBlacklisted
+}
+
+func (s *Store) GetAllBlacklistedCountryCode() []string {
+	bannedCountryCodes := []string{}
+	entries, err := s.sysdb.ListTable("blacklist-cn")
+	if err != nil {
+		return bannedCountryCodes
+	}
+	for _, keypairs := range entries {
+		ip := string(keypairs[0])
+		bannedCountryCodes = append(bannedCountryCodes, ip)
+	}
+
+	return bannedCountryCodes
+}
+
+//IP Blacklsits
+
+func (s *Store) AddIPToBlackList(ipAddr string) {
+	s.sysdb.Write("blacklist-ip", ipAddr, true)
+}
+
+func (s *Store) RemoveIPFromBlackList(ipAddr string) {
+	s.sysdb.Delete("blacklist-ip", ipAddr)
+}
+
+func (s *Store) GetAllBlacklistedIp() []string {
+	bannedIps := []string{}
+	entries, err := s.sysdb.ListTable("blacklist-ip")
+	if err != nil {
+		return bannedIps
+	}
+
+	for _, keypairs := range entries {
+		ip := string(keypairs[0])
+		bannedIps = append(bannedIps, ip)
+	}
+
+	return bannedIps
+}
+
+func (s *Store) IsIPBlacklisted(ipAddr string) bool {
+	var isBlacklisted bool = false
+	s.sysdb.Read("blacklist-ip", ipAddr, &isBlacklisted)
+	if isBlacklisted {
+		return true
+	}
+
+	//Check for IP wildcard and CIRD rules
+	AllBlacklistedIps := s.GetAllBlacklistedIp()
+	for _, blacklistRule := range AllBlacklistedIps {
+		wildcardMatch := MatchIpWildcard(ipAddr, blacklistRule)
+		if wildcardMatch {
+			return true
+		}
+
+		cidrMatch := MatchIpCIDR(ipAddr, blacklistRule)
+		if cidrMatch {
+			return true
+		}
+	}
+
+	return false
+}

mod/geodb/geodb.go

@@ -3,8 +3,8 @@ package geodb
 import (
 	_ "embed"
 	"log"
+	"net"
 	"net/http"
-	"strings"
 
 	"imuslab.com/zoraxy/mod/database"
 )
@@ -112,170 +112,6 @@ func (s *Store) Close() {
 
 }
 
-/*
-	Country code based black / white list
-*/
-
-func (s *Store) AddCountryCodeToBlackList(countryCode string) {
-	countryCode = strings.ToLower(countryCode)
-	s.sysdb.Write("blacklist-cn", countryCode, true)
-}
-
-func (s *Store) RemoveCountryCodeFromBlackList(countryCode string) {
-	countryCode = strings.ToLower(countryCode)
-	s.sysdb.Delete("blacklist-cn", countryCode)
-}
-
-func (s *Store) AddCountryCodeToWhitelist(countryCode string) {
-	countryCode = strings.ToLower(countryCode)
-	s.sysdb.Write("whitelist-cn", countryCode, true)
-}
-
-func (s *Store) RemoveCountryCodeFromWhitelist(countryCode string) {
-	countryCode = strings.ToLower(countryCode)
-	s.sysdb.Delete("whitelist-cn", countryCode)
-}
-
-func (s *Store) IsCountryCodeBlacklisted(countryCode string) bool {
-	countryCode = strings.ToLower(countryCode)
-	var isBlacklisted bool = false
-	s.sysdb.Read("blacklist-cn", countryCode, &isBlacklisted)
-	return isBlacklisted
-}
-
-func (s *Store) IsCountryCodeWhitelisted(countryCode string) bool {
-	countryCode = strings.ToLower(countryCode)
-	var isWhitelisted bool = false
-	s.sysdb.Read("whitelist-cn", countryCode, &isWhitelisted)
-	return isWhitelisted
-}
-
-func (s *Store) GetAllBlacklistedCountryCode() []string {
-	bannedCountryCodes := []string{}
-	entries, err := s.sysdb.ListTable("blacklist-cn")
-	if err != nil {
-		return bannedCountryCodes
-	}
-	for _, keypairs := range entries {
-		ip := string(keypairs[0])
-		bannedCountryCodes = append(bannedCountryCodes, ip)
-	}
-
-	return bannedCountryCodes
-}
-
-func (s *Store) GetAllWhitelistedCountryCode() []string {
-	whitelistedCountryCode := []string{}
-	entries, err := s.sysdb.ListTable("whitelist-cn")
-	if err != nil {
-		return whitelistedCountryCode
-	}
-	for _, keypairs := range entries {
-		ip := string(keypairs[0])
-		whitelistedCountryCode = append(whitelistedCountryCode, ip)
-	}
-
-	return whitelistedCountryCode
-}
-
-/*
-	IP based black / whitelist
-*/
-
-func (s *Store) AddIPToBlackList(ipAddr string) {
-	s.sysdb.Write("blacklist-ip", ipAddr, true)
-}
-
-func (s *Store) RemoveIPFromBlackList(ipAddr string) {
-	s.sysdb.Delete("blacklist-ip", ipAddr)
-}
-
-func (s *Store) AddIPToWhiteList(ipAddr string) {
-	s.sysdb.Write("whitelist-ip", ipAddr, true)
-}
-
-func (s *Store) RemoveIPFromWhiteList(ipAddr string) {
-	s.sysdb.Delete("whitelist-ip", ipAddr)
-}
-
-func (s *Store) IsIPBlacklisted(ipAddr string) bool {
-	var isBlacklisted bool = false
-	s.sysdb.Read("blacklist-ip", ipAddr, &isBlacklisted)
-	if isBlacklisted {
-		return true
-	}
-
-	//Check for IP wildcard and CIRD rules
-	AllBlacklistedIps := s.GetAllBlacklistedIp()
-	for _, blacklistRule := range AllBlacklistedIps {
-		wildcardMatch := MatchIpWildcard(ipAddr, blacklistRule)
-		if wildcardMatch {
-			return true
-		}
-
-		cidrMatch := MatchIpCIDR(ipAddr, blacklistRule)
-		if cidrMatch {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (s *Store) IsIPWhitelisted(ipAddr string) bool {
-	var isBlacklisted bool = false
-	s.sysdb.Read("whitelist-ip", ipAddr, &isBlacklisted)
-	if isBlacklisted {
-		return true
-	}
-
-	//Check for IP wildcard and CIRD rules
-	AllBlacklistedIps := s.GetAllBlacklistedIp()
-	for _, blacklistRule := range AllBlacklistedIps {
-		wildcardMatch := MatchIpWildcard(ipAddr, blacklistRule)
-		if wildcardMatch {
-			return true
-		}
-
-		cidrMatch := MatchIpCIDR(ipAddr, blacklistRule)
-		if cidrMatch {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (s *Store) GetAllBlacklistedIp() []string {
-	bannedIps := []string{}
-	entries, err := s.sysdb.ListTable("blacklist-ip")
-	if err != nil {
-		return bannedIps
-	}
-
-	for _, keypairs := range entries {
-		ip := string(keypairs[0])
-		bannedIps = append(bannedIps, ip)
-	}
-
-	return bannedIps
-}
-
-func (s *Store) GetAllWhitelistedIp() []string {
-	whitelistedIp := []string{}
-	entries, err := s.sysdb.ListTable("whitelist-ip")
-	if err != nil {
-		return whitelistedIp
-	}
-
-	for _, keypairs := range entries {
-		ip := string(keypairs[0])
-		whitelistedIp = append(whitelistedIp, ip)
-	}
-
-	return whitelistedIp
-}
-
 /*
 Check if a IP address is blacklisted, in either country or IP blacklist
 IsBlacklisted default return is false (allow access)
@@ -341,6 +177,23 @@ func (s *Store) IsWhitelisted(ipAddr string) bool {
 	return false
 }
 
+// A helper function that check both blacklist and whitelist for access
+// for both geoIP and ip / CIDR ranges
+func (s *Store) AllowIpAccess(ipaddr string) bool {
+	if s.IsBlacklisted(ipaddr) {
+		return false
+	}
+
+	return s.IsWhitelisted(ipaddr)
+}
+
+func (s *Store) AllowConnectionAccess(conn net.Conn) bool {
+	if addr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
+		return s.AllowIpAccess(addr.IP.String())
+	}
+	return true
+}
+
 func (s *Store) GetRequesterCountryISOCode(r *http.Request) string {
 	ipAddr := GetRequesterIP(r)
 	if ipAddr == "" {

mod/geodb/whitelist.go

@@ -0,0 +1,91 @@
+package geodb
+
+import "strings"
+
+/*
+	Whitelist.go
+
+	This script handles whitelist related functions
+*/
+
+//Geo Whitelist
+
+func (s *Store) AddCountryCodeToWhitelist(countryCode string) {
+	countryCode = strings.ToLower(countryCode)
+	s.sysdb.Write("whitelist-cn", countryCode, true)
+}
+
+func (s *Store) RemoveCountryCodeFromWhitelist(countryCode string) {
+	countryCode = strings.ToLower(countryCode)
+	s.sysdb.Delete("whitelist-cn", countryCode)
+}
+
+func (s *Store) IsCountryCodeWhitelisted(countryCode string) bool {
+	countryCode = strings.ToLower(countryCode)
+	var isWhitelisted bool = false
+	s.sysdb.Read("whitelist-cn", countryCode, &isWhitelisted)
+	return isWhitelisted
+}
+
+func (s *Store) GetAllWhitelistedCountryCode() []string {
+	whitelistedCountryCode := []string{}
+	entries, err := s.sysdb.ListTable("whitelist-cn")
+	if err != nil {
+		return whitelistedCountryCode
+	}
+	for _, keypairs := range entries {
+		ip := string(keypairs[0])
+		whitelistedCountryCode = append(whitelistedCountryCode, ip)
+	}
+
+	return whitelistedCountryCode
+}
+
+//IP Whitelist
+
+func (s *Store) AddIPToWhiteList(ipAddr string) {
+	s.sysdb.Write("whitelist-ip", ipAddr, true)
+}
+
+func (s *Store) RemoveIPFromWhiteList(ipAddr string) {
+	s.sysdb.Delete("whitelist-ip", ipAddr)
+}
+
+func (s *Store) IsIPWhitelisted(ipAddr string) bool {
+	var isWhitelisted bool = false
+	s.sysdb.Read("whitelist-ip", ipAddr, &isWhitelisted)
+	if isWhitelisted {
+		return true
+	}
+
+	//Check for IP wildcard and CIRD rules
+	AllWhitelistedIps := s.GetAllWhitelistedIp()
+	for _, whitelistRules := range AllWhitelistedIps {
+		wildcardMatch := MatchIpWildcard(ipAddr, whitelistRules)
+		if wildcardMatch {
+			return true
+		}
+
+		cidrMatch := MatchIpCIDR(ipAddr, whitelistRules)
+		if cidrMatch {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (s *Store) GetAllWhitelistedIp() []string {
+	whitelistedIp := []string{}
+	entries, err := s.sysdb.ListTable("whitelist-ip")
+	if err != nil {
+		return whitelistedIp
+	}
+
+	for _, keypairs := range entries {
+		ip := string(keypairs[0])
+		whitelistedIp = append(whitelistedIp, ip)
+	}
+
+	return whitelistedIp
+}

mod/tcpprox/conn.go

@@ -58,11 +58,23 @@ func forward(conn1 net.Conn, conn2 net.Conn, aTob *int64, bToa *int64) {
 	wg.Wait()
 }
 
-func accept(listener net.Listener) (net.Conn, error) {
+func (c *ProxyRelayConfig) accept(listener net.Listener) (net.Conn, error) {
+
 	conn, err := listener.Accept()
 	if err != nil {
 		return nil, err
 	}
+
+	//Check if connection in blacklist or whitelist
+	if addr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
+		if !c.parent.Options.AccessControlHandler(conn) {
+			time.Sleep(300 * time.Millisecond)
+			conn.Close()
+			log.Println("[x]", "Connection from "+addr.IP.String()+" rejected by access control policy")
+			return nil, errors.New("Connection from " + addr.IP.String() + " rejected by access control policy")
+		}
+	}
+
 	log.Println("[√]", "accept a new client. remote address:["+conn.RemoteAddr().String()+"], local address:["+conn.LocalAddr().String()+"]")
 	return conn, err
 }
@@ -203,7 +215,7 @@ func (c *ProxyRelayConfig) Port2port(port1 string, port2 string, stopChan chan b
 	}()
 
 	for {
-		conn1, err := accept(listen1)
+		conn1, err := c.accept(listen1)
 		if err != nil {
 			if !c.Running {
 				return nil
@@ -211,7 +223,7 @@ func (c *ProxyRelayConfig) Port2port(port1 string, port2 string, stopChan chan b
 			continue
 		}
 
-		conn2, err := accept(listen2)
+		conn2, err := c.accept(listen2)
 		if err != nil {
 			if !c.Running {
 				return nil
@@ -248,7 +260,7 @@ func (c *ProxyRelayConfig) Port2host(allowPort string, targetAddress string, sto
 
 	//Start blocking loop for accepting connections
 	for {
-		conn, err := accept(server)
+		conn, err := c.accept(server)
 		if conn == nil || err != nil {
 			if !c.Running {
 				//Terminate by stop chan. Exit listener loop

mod/tcpprox/tcpprox.go

@@ -2,6 +2,7 @@ package tcpprox
 
 import (
 	"errors"
+	"net"
 
 	uuid "github.com/satori/go.uuid"
 	"imuslab.com/zoraxy/mod/database"
@@ -40,11 +41,14 @@ type ProxyRelayConfig struct {
 	stopChan                    chan bool //Stop channel to stop the listener
 	aTobAccumulatedByteTransfer int64     //Accumulated byte transfer from A to B
 	bToaAccumulatedByteTransfer int64     //Accumulated byte transfer from B to A
+
+	parent *Manager `json:"-"`
 }
 
 type Options struct {
-	Database       *database.Database
-	DefaultTimeout int
+	Database             *database.Database
+	DefaultTimeout       int
+	AccessControlHandler func(net.Conn) bool
 }
 
 type Manager struct {
@@ -59,16 +63,34 @@ type Manager struct {
 func NewTCProxy(options *Options) *Manager {
 	options.Database.NewTable("tcprox")
 
+	//Load relay configs from db
 	previousRules := []*ProxyRelayConfig{}
 	if options.Database.KeyExists("tcprox", "rules") {
 		options.Database.Read("tcprox", "rules", &previousRules)
 	}
 
-	return &Manager{
+	//Check if the AccessControlHandler is empty. If yes, set it to always allow access
+	if options.AccessControlHandler == nil {
+		options.AccessControlHandler = func(conn net.Conn) bool {
+			//Always allow access
+			return true
+		}
+	}
+
+	//Create a new proxy manager for TCP
+	thisManager := Manager{
 		Options:     options,
-		Configs:     previousRules,
 		Connections: 0,
 	}
+
+	//Inject manager into the rules
+	for _, rule := range previousRules {
+		rule.parent = &thisManager
+	}
+
+	thisManager.Configs = previousRules
+
+	return &thisManager
 }
 
 func (m *Manager) NewConfig(config *ProxyRelayOptions) string {
@@ -85,6 +107,8 @@ func (m *Manager) NewConfig(config *ProxyRelayOptions) string {
 		stopChan:                    nil,
 		aTobAccumulatedByteTransfer: 0,
 		bToaAccumulatedByteTransfer: 0,
+
+		parent: m,
 	}
 	m.Configs = append(m.Configs, &thisConfig)
 	m.SaveConfigToDatabase()

start.go

@@ -163,7 +163,8 @@ func startupSequence() {
 
 	//Create TCP Proxy Manager
 	tcpProxyManager = tcpprox.NewTCProxy(&tcpprox.Options{
-		Database: sysdb,
+		Database:             sysdb,
+		AccessControlHandler: geodbStore.AllowConnectionAccess,
 	})
 
 	//Create WoL MAC storage table