Show custom 403 page when user ip/network is banned by netfilter

Signed-off-by: Kristian Feldsam <[email protected]>
mailcow · Mar 19, 2024 · a47999d · a47999d
1 parent 8d4ef14
commit a47999d
Show file tree

Hide file tree

Showing 8 changed files with 462 additions and 166 deletions.
diff --git a/data/Dockerfiles/netfilter/modules/IPTables.py b/data/Dockerfiles/netfilter/modules/IPTables.py
@@ -19,6 +19,16 @@ def initChainIPv4(self):
       rule.target = target
       if rule not in chain.rules:
         chain.insert_rule(rule)
+
+      # always allow TCP connections to 80 and 443 ports to show 403 page in case of ban  
+      chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), self.chain_name)
+      rule = iptc.Rule()
+      rule.create_target("ACCEPT")
+      match = rule.create_match('multiport')
+      rule.protocol = 'tcp'
+      match.dports = '80,443'
+      if rule not in chain.rules:
+        chain.insert_rule(rule)
 
   def initChainIPv6(self):
     if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER), self.chain_name) in iptc.Table6(iptc.Table6.FILTER).chains:
@@ -32,6 +42,16 @@ def initChainIPv6(self):
       rule.target = target
       if rule not in chain.rules:
         chain.insert_rule(rule)
+
+    # always allow TCP connections to 80 and 443 ports to show 403 page in case of ban  
+    chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), self.chain_name)
+    rule = iptc.Rule6()
+    rule.create_target("ACCEPT")
+    match = rule.create_match('multiport')
+    rule.protocol = 'tcp'
+    match.dports = '80,443'
+    if rule not in chain.rules:
+      chain.insert_rule(rule)
 
   def checkIPv4ChainOrder(self):
     filter_table = iptc.Table(iptc.Table.FILTER)
@@ -98,7 +118,7 @@ def banIPv4(self, source):
     rule.target = target
     if rule in chain.rules:
       return False
-    chain.insert_rule(rule)
+    chain.append_rule(rule)
     return True
 
   def banIPv6(self, source):
@@ -109,7 +129,7 @@ def banIPv6(self, source):
     rule.target = target
     if rule in chain.rules:
       return False
-    chain.insert_rule(rule)
+    chain.append_rule(rule)
     return True
 
   def unbanIPv4(self, source):

diff --git a/data/conf/nginx/fastcgi_params b/data/conf/nginx/fastcgi_params
@@ -0,0 +1,25 @@
+
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;