From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re:
Date: Sun, 05 Oct 2008 00:14:30 -0500 [thread overview]
Message-ID: <48E84D36.20206@riverviewtech.net> (raw)
In-Reply-To: <20081004112000.258830@gmx.net>
On 10/4/2008 6:20 AM, Sebastian Seemann wrote:
> What happens if an IP is not found in the geoip-database, so it has
> no country-code at all? Is it accepted or not?
I don't know for sure what the GeoIP match extension will do if the IP
is not in the database. I would expect the match to fail. However with
inverse logic included I'd guess that the failure would turn in to a
success. But with out testing, this is only a guess.
> I would suppose it is accepted and, since I wanna be sure, would be
> thankful for a workaround simpler than adding every country in the
> world but the forbidden one.
I would be tempted to re-write your rule like this
iptables -A INPUT ! -m geoip --src-cc [country] -j ACCEPT
The difference being that you are moving the negative logic out of an
unpredictable failure situation (GeoIP not knowing where the IP is from)
to a controlled situation (IPTables inverting the result of a match
extension).
Further, the GeoIP match extension should only return a successful match
/if/ the source IP is in said source country. Rather GeoIP will not
match if the IP is included in the database but not associated with said
country. Likewise GeoIP should not success on an unknown IP because it
could not make a match.
With GeoIP behaving more predictably you can have IPTables test for
GeoIP *NOT* matching.
Grant. . . .
next prev parent reply other threads:[~2008-10-05 5:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <S1752389AbYJDKwq/20081004105246Z+121@vger.kernel.org>
2008-10-04 11:20 ` (unknown) Sebastian Seemann
2008-10-05 5:14 ` Grant Taylor [this message]
2008-10-05 5:53 ` Grant Coady
2008-10-05 8:45 ` Re: Sebastian Seemann
2008-10-07 9:26 ` Re: Sebastian Seemann
2015-10-24 5:02 JO Bower
-- strict thread matches above, loose matches on Subject: below --
2011-08-23 8:26 How to make bi-directional NAT'ting? "Яцко Эллад Геннадьевич (ngs)"
2011-08-23 10:50 ` Tyler J. Wagner
[not found] ` <4E538A10.3030508@runoguy.ru>
2011-08-23 11:35 ` Tyler J. Wagner
2011-08-24 7:35 ` Re: Jan Engelhardt
2011-08-24 8:19 ` Re: Tyler J. Wagner
2008-03-07 8:06 (unknown) Alberto Díez
2008-03-07 9:43 ` Rob Sterenborg
2008-01-03 21:57 (unknown), Joe Ruddy
2008-01-03 22:22 ` Martijn Lievaart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48E84D36.20206@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox