Besides /etc/sysconfig/firewall.local, what would you suggest using in order to allow just a few IP addresses as the source for input traffic in IPFire, while the rest of the country's IP addresses are blocked?
Ex: France is blocked in GeoIP. But I have a friend who needs to connect to my IPFire, and I want to allow his IP address ranges.
The only solution I can think of is to manually write FW rules in /etc/sysconfig/firewall.local, using the CUSTOMINPUT chain, which sees the packet before the GEOIPBLOCK chain.
Something like this: (I am not sure it will work!)
iptables -t filter -A CUSTOMINPUT -s a.b.c.d/28 -j ACCEPT
Any other ideas on how to have such pinholes?
Late Edit: the CUSTOMINPUT chain + /etc/sysconfig/firewall.local worked.
Now I am trying to put some rate limits on this, and I am not sure how these are constructed -> I need to allow a maximum of 2 connections per minute, NEW + existing ones...
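A worked /etc/sysconfig/firewall.local for the pinhole plus the rate limit asked about above, as an added example that is not the poster's own file. It assumes IPFire's usual start|stop|reload skeleton for firewall.local, a placeholder source range 203.0.113.0/28 (documentation range, stands in for the friend's real /28), and that the service being opened is SSH on tcp/22; all three are assumptions and can be overridden through the variables at the top. Two points worth noting against the one-line rule in the post: a bare `-j ACCEPT` for the range opens every port on the firewall to it, so the example restricts by protocol and port, and the plain `limit` match is a single global bucket, so `hashlimit` with `--hashlimit-mode srcip` is used to give each source its own 2-per-minute budget while `connlimit` caps the number of connections already open ("NEW + existing"). Anything from the range that does not match a rule in the dedicated chain falls back into CUSTOMINPUT and is still dropped by GEOIPBLOCK as before.

```shell
#!/bin/sh
# /etc/sysconfig/firewall.local (added example, not the original poster's file)
# Pinhole for one friend's range ahead of GEOIPBLOCK, with a per-source rate
# limit and a concurrent-connection cap. Assumptions (not in the original post):
# 203.0.113.0/28 is a placeholder for the friend's range, the service is SSH on
# tcp/22, and the start|stop|reload case block is IPFire's firewall.local skeleton.

IPT="${IPT:-iptables}"                 # set IPT="echo iptables" for a dry run as non-root
FRIEND_NET="${FRIEND_NET:-203.0.113.0/28}"
SVC_PORT="${SVC_PORT:-22}"
LIMIT_CHAIN="FRIEND_LIMIT"             # own chain so stop) can flush it without touching CUSTOMINPUT

pinhole_start() {
  $IPT -N "$LIMIT_CHAIN" 2>/dev/null || true
  $IPT -F "$LIMIT_CHAIN"

  # 1) Packets of connections that were already accepted pass straight through;
  #    the limits below are only meant to judge new handshakes.
  $IPT -A "$LIMIT_CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 2) "existing ones": drop a 3rd concurrent connection from the whole /28
  #    (--connlimit-above 2 matches once more than 2 are open; mask 28 groups the range).
  $IPT -A "$LIMIT_CHAIN" -p tcp --dport "$SVC_PORT" -m conntrack --ctstate NEW \
       -m connlimit --connlimit-above 2 --connlimit-mask 28 -j DROP

  # 3) "NEW ones": at most 2 new connections per minute, counted per source IP.
  #    hashlimit keeps one bucket per srcip; a plain -m limit would be one bucket
  #    shared by every host in the range.
  $IPT -A "$LIMIT_CHAIN" -p tcp --dport "$SVC_PORT" -m conntrack --ctstate NEW \
       -m hashlimit --hashlimit-name friend --hashlimit-mode srcip \
       --hashlimit-upto 2/min --hashlimit-burst 2 -j ACCEPT

  # 4) Over budget: log sparingly and drop. Other protocols/ports from the range
  #    match nothing here, return to CUSTOMINPUT and are blocked by GEOIPBLOCK.
  $IPT -A "$LIMIT_CHAIN" -p tcp --dport "$SVC_PORT" -m conntrack --ctstate NEW \
       -m limit --limit 3/min -j LOG --log-prefix "FRIEND_RATE "
  $IPT -A "$LIMIT_CHAIN" -p tcp --dport "$SVC_PORT" -m conntrack --ctstate NEW -j DROP

  # Hook the chain into CUSTOMINPUT, which is evaluated before GEOIPBLOCK.
  $IPT -A CUSTOMINPUT -s "$FRIEND_NET" -j "$LIMIT_CHAIN"
}

pinhole_stop() {
  # Remove the hook first, then empty and delete our chain. Errors are ignored
  # so stop is safe to run when start never ran.
  $IPT -D CUSTOMINPUT -s "$FRIEND_NET" -j "$LIMIT_CHAIN" 2>/dev/null || true
  $IPT -F "$LIMIT_CHAIN" 2>/dev/null || true
  $IPT -X "$LIMIT_CHAIN" 2>/dev/null || true
}

# IPFire calls this script with start, stop or reload.
case "$1" in
  start)  pinhole_start ;;
  stop)   pinhole_stop ;;
  reload) pinhole_stop; pinhole_start ;;
  *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Run `IPT="echo iptables" sh firewall.local start` first to see the exact rules that would be loaded, then `sh firewall.local reload` as root on the firewall; `iptables -L FRIEND_LIMIT -v -n` afterwards shows the per-rule counters, which is the quickest way to confirm that new connections from the range are hitting the hashlimit rule rather than falling through to the DROP.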