> On Sun, 05 Oct 2008 00:14:30 -0500, Grant Taylor
> <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
>
> >I don't know for sure what the GeoIP match extension will do if the IP
> >is not in the database. I would expect the match to fail. However, with
> >inverse logic included I'd guess that the failure would turn into a
> >success. But without testing, this is only a guess.
> >
> >I would be tempted to re-write your rule like this:
> >
> >  iptables -A INPUT ! -m geoip --src-cc [country] -j ACCEPT
> >
> >The difference being that you are moving the negative logic out of an
> >unpredictable failure situation (GeoIP not knowing where the IP is from)
> >to a controlled situation (IPTables inverting the result of a match
> >extension).

Ah, I see. So simple but so great. Thank you.

> >Further, the GeoIP match extension should only return a successful match
> >/if/ the source IP is in said source country. Rather, GeoIP will not
> >match if the IP is included in the database but not associated with said
> >country. Likewise, GeoIP should not succeed on an unknown IP because it
> >could not make a match.

Good to know. That is exactly what I was wondering about.

> Looking at the source, geoip is very careful to make sure the IP is
> within a particular IP block to return match, so it should
> return no match for missing IP. The maxmind database is sparse, as
> not all IPs appear within it.

MaxMind write on their homepage that the free database, while containing subnets, is right in 99.3 % of the cases, excluding AOL users, which are always reported as US. I think this, if it is true, is sufficient for me, as long as unknown users are avoided.

Thanks guys.

Regards,
Sebastian
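As an added illustration (not code from this thread or from the xt_geoip project), the following Python model reproduces the match semantics described above: the extension matches only when the source IP falls inside a block recorded for the requested country, an IP absent from the sparse database never matches, and the `! -m geoip` form lets iptables invert that result. The database, the addresses and the rule evaluator are constructed here; nothing touches a real netfilter table.

```python
import ipaddress

# Constructed, deliberately sparse GeoIP database: most addresses fall in no block,
# just as the thread notes that not every IP appears in the MaxMind data.
GEOIP_DB = {
    "DE": ["192.0.2.0/25", "198.51.100.0/24"],
    "US": ["203.0.113.0/24"],
}

def lookup_cc(ip):
    """Return the country code whose block contains ip, or None if no block does."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in GEOIP_DB.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return cc
    return None

def geoip_match(ip, src_cc):
    """Model of '-m geoip --src-cc CC': success only for an IP inside a CC block.
    An IP known to be elsewhere, or unknown entirely, yields no match."""
    return lookup_cc(ip) == src_cc

def apply_rule(ip, src_cc, target, invert=False, policy="DROP"):
    """Evaluate one INPUT rule. invert=True models the '! -m geoip' form, where
    iptables (not the extension) flips the match result. A non-matching packet
    falls through to the chain policy."""
    matched = geoip_match(ip, src_cc)
    if invert:
        matched = not matched
    return target if matched else policy

# Constructed sample sources: inside DE, inside another country, in no block at all.
SAMPLES = {"in DE": "192.0.2.10", "in US": "203.0.113.7", "unknown": "192.0.2.200"}

def decision_table(src_cc="DE"):
    """Compare the two ways of writing a country allow-list:
    positive match -> ACCEPT with a DROP policy, versus inverted match -> DROP
    with an ACCEPT policy. Both drop unknown sources, i.e. both fail closed."""
    positive = {k: apply_rule(ip, src_cc, "ACCEPT") for k, ip in SAMPLES.items()}
    inverted = {k: apply_rule(ip, src_cc, "DROP", invert=True, policy="ACCEPT")
                for k, ip in SAMPLES.items()}
    return positive, inverted

if __name__ == "__main__":
    for name, table in zip(("positive/ACCEPT", "inverted/DROP"), decision_table()):
        print(name, table)
```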