Hi people,

We've been working on a way to match a packet based on its country. We know it's not a 100% reliable way to filter, but it all depends on the database one uses. This could be useful for packet classification though.

Let's explain the concept. First, you need a database - as specified below - which contains fields of the form:

    "begin_subnet","end_subnet","bin_start","bin_end","ISO Code","Country"

Example:

    "2.6.190.56","2.6.190.63","33996344","33996351","GB","United Kingdom"

This is MaxMind's GeoIP CSV db format. But we obviously don't need all those values, so we've written a tool called csv2bin that converts this database type to a smaller binary format. csv2bin is available at www.cookinglinux.org/geoip/

People can get MaxMind's free GeoIP database at www.maxmind.com

This tool creates 2 files, geoipdb.bin (the database) and geoipdb.idx (the index file). Unfortunately, we need to move both files to /var/geoip/ by default - unless someone rewrites the static path in the shared library. That's about all for this fuzzy extra requirement.

The match options look like:

    [!] --src-cc, --source-country
    [!] --dst-cc, --destination-country

NOTE: The country is entered by its ISO3166 code. You can match up to 15 countries in a rule.

    -A INPUT -m geoip --source-country ca,us,jp,de,a1,a2

The library loads the subnets of the specified countries into user memory and passes pointers to the module, which copies them into kernelspace. If a country is specified more than once, a reference count is increased for that country. When there's no more ref count, that country is freed from memory.

What would be great is a caching system. Going to implement it when we have time.

It all works for both linux-2.4 and 2.6.

Well, that's enough for theory that you can all presume by reading the source code, so here it is. (I'll put the source for linux-2.4, but 2.6 is also provided in the pom-ng package.)

We'd like to thank Martin Josefsson for the great help he gave us.

Comments are greatly welcome.

Nicolas Bouliane, Samuel Jean at cookinglinux.org
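
The lookup described in the post, as an added userspace sketch that is not code from the post, csv2bin or the geoip module: it reads rows in the quoted CSV layout, keeps only the ranges of the countries named in a rule, and tests an address against them. The names `load_ranges`, `geo_match` and `cc_wanted` and the sample rows are assumptions made for illustration; the binary geoipdb.bin/geoipdb.idx layout is not given in the post, so the sketch works on the CSV directly.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_CC 15 /* the post: at most 15 countries per rule */
struct range { uint32_t lo, hi; }; /* bin_start .. bin_end, inclusive */

/* Constructed sample rows in the CSV layout quoted in the post. */
static const char *SAMPLE[] = {
    "\"2.6.190.56\",\"2.6.190.63\",\"33996344\",\"33996351\",\"GB\",\"United Kingdom\"",
    "\"192.0.2.0\",\"192.0.2.255\",\"3221225984\",\"3221226239\",\"CA\",\"Canada\"",
    "\"198.51.100.0\",\"198.51.100.255\",\"3325256704\",\"3325256959\",\"JP\",\"Japan\"",
};

/* 1 if cc is in the comma-separated list, 0 if not, -1 if the list is too long. */
static int cc_wanted(const char *cc, const char *list) {
    int n = 0, hit = 0;
    for (const char *p = list; *p; p += strcspn(p, ","), p += (*p == ',')) {
        if (++n > MAX_CC) return -1;
        if (strcspn(p, ",") == 2 && strncasecmp(p, cc, 2) == 0) hit = 1;
    }
    return hit;
}

/* Hypothetical helper: keep only the ranges of the listed countries.
 * Returns the count kept, or -1 on a bad row, a long list or a full buffer. */
int load_ranges(const char **rows, size_t nrows, const char *list,
                struct range *out, size_t cap) {
    size_t kept = 0;
    if (cc_wanted("", list) < 0) return -1;
    for (size_t i = 0; i < nrows; i++) {
        struct range r; char cc[3];
        if (sscanf(rows[i], "\"%*[^\"]\",\"%*[^\"]\",\"%" SCNu32 "\",\"%" SCNu32
                   "\",\"%2[^\"]\"", &r.lo, &r.hi, cc) != 3 || r.lo > r.hi)
            return -1;
        if (!cc_wanted(cc, list)) continue;
        if (kept == cap) return -1;
        out[kept++] = r;
    }
    return (int)kept;
}

/* 1 if addr (host byte order) is inside a kept range; invert models "!". */
int geo_match(const struct range *r, size_t n, uint32_t addr, int invert) {
    int hit = 0;
    for (size_t i = 0; i < n && !hit; i++)
        hit = addr >= r[i].lo && addr <= r[i].hi;
    return hit ^ !!invert;
}
```

Addresses are compared as host-order integers, the same form as the bin_start and bin_end columns, so a packet's source address would need ntohl() applied before the comparison.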