Closed alcir closed 5 months ago
Sorry for the delay. If you want to have your own rules loader, then disable the script used by ipt_geofence to load rules and load them in your script. What matters to ipt_geofence is that rules are configured inside netfilter as expected.
I was playing with Fedora Linux 36 and ipt_geofence. Fedora Linux uses firewalld and nftables as its default backend (not iptables).
Please note: I'm not an expert in such topics (I'm not an expert in anything TBH). The possibilities to configure firewalld are powerful, but still pretty basic. I was looking for a way to preserve the default firewalld configuration (rules) and to add the rules required by ipt_geofence (forwarding packets to NFQUEUE, right?) using rich language. However (but I can be wrong), rich language is limited as well. There is also a direct option, but it is deprecated since it still expects iptables as the backend (you will end up with a mix of nfs and iptables rules).
So. Loading the example iptables script, dumping these iptables rules to a file, then issuing

```
iptables-restore-translate -f /root/iptables.dump > /etc/nftables/ipt_geofence.nft
```

it is possible to translate iptables rules to nftables syntax.

Attachment: ipt_geofence.nft.txt

Then, it is possible to load these rules without flushing the current firewall configuration with

```
nft -f /etc/nftables/ipt_geofence.nft
```

It seems that packets are passed to ipt_geofence and expected IP addresses are blocked.

It is also possible to remove such nftables rules using a file containing these lines:

And read it again with

```
nft -f /etc/nftables/stop-ipt_geofence.nft
```

In this way the other rules are preserved.

Attachment: ipt_geofence.nft.txt
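As an added example, not code from this issue or from the ipt_geofence project, the script below generates a load file and a matching stop file in the style described above: the NFQUEUE redirect lives in its own nftables table, so `nft -f` on the stop file deletes only that table and firewalld's ruleset is preserved. The table name `ipt_geofence`, queue number 0 and the `/etc/nftables` paths are assumptions; use the queue number your ipt_geofence instance is configured for.

```shell
#!/bin/sh
# Added example (not from the issue or from ipt_geofence): emit an nftables
# table holding only the NFQUEUE redirect, plus a teardown file that removes
# it, so the rest of the live ruleset (e.g. firewalld's tables) is untouched.
# Assumed placeholders: table name "ipt_geofence", queue number 0.

QUEUE_NUM="${QUEUE_NUM:-0}"
TABLE="${TABLE:-ipt_geofence}"

# Load file. A dedicated table isolates these rules from firewalld's chains.
# "bypass" lets packets through when no userspace program is attached to the
# queue, so a stopped ipt_geofence does not silently drop all traffic.
gen_load_nft() {
    cat <<EOF
table inet $TABLE {
    chain input {
        type filter hook input priority 0; policy accept;
        queue num $QUEUE_NUM bypass
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        queue num $QUEUE_NUM bypass
    }
}
EOF
}

# Stop file. Deleting the table removes every chain and rule inside it and
# nothing else, which is what "nft -f stop-ipt_geofence.nft" should do.
gen_stop_nft() {
    printf 'delete table inet %s\n' "$TABLE"
}

# Write both files into a directory (default /etc/nftables, as in the issue).
write_files() {
    dir="${1:-/etc/nftables}"
    gen_load_nft > "$dir/ipt_geofence.nft"
    gen_stop_nft > "$dir/stop-ipt_geofence.nft"
}

# Only touch the live ruleset when explicitly asked and nft is installed.
if [ "$1" = "--apply" ] && command -v nft >/dev/null 2>&1; then
    write_files /etc/nftables
    nft -f /etc/nftables/ipt_geofence.nft
fi
```

Check the result with `nft list table inet ipt_geofence` after loading, and confirm firewalld's own tables are still listed by `nft list ruleset` after running the stop file.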