I solved the problem in 2 steps, in that order:

- drop all packets to unwanted dest IP's
- drop all packets from unwanted cc's

If the IP's are consecutive then one can use the range option of iptables, like this:

iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP

I.e.:

iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
...
iptables -A INPUT -m geoip --src-cc CN -j DROP
...

U.Mutlu wrote, On 10/18/2012 03:29 AM:
> Subtitle: [xtables geoip] rules not applied to packets for non-configured IP's
>
> Hi,
> from the router link (just 1 link) I'm getting traffic for multiple IP's (a quasi multihomed system, actually a host node and multiple virtual systems therein), that's correct so, but is there a way to drop all packets to IP's that are actually not configured on the local system?
> Is there a better way than writing a drop/reject-rule for each such IP?
>
> And related to this, I think there is a bug in xtables geoip because if there is a packet for such a not-configured IP then the iptables rules (at least geoip rules) aren't applied to such packets. How to fix this?
>
> Confirmation, fixes and workarounds welcome.
> Thx.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
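The two-step approach above (drop traffic to unwanted destination addresses first, then drop by source country code) as an added shell example, not code from the list post or from the netfilter/xtables-addons projects. It generalizes the "consecutive IP's" remark by reading a list of unwanted destination addresses, coalescing runs of consecutive addresses within the same /24 into single "-m iprange" rules, using a plain "-d" match for isolated addresses, and emitting the geoip rules after them so the order matches the post. The rules are printed rather than applied, so it runs without root and without iptables or the geoip match installed; the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation-range samples, and the "geoip" match assumes the xtables-addons module the post refers to is loaded on the machine that finally runs the output.

```shell
#!/bin/sh
# Added example (not from the netfilter list post): build iptables DROP rules
# for unwanted destination addresses and source country codes.
# Output is text; review it, then pipe to "sh" on the firewall to apply.

# coalesce_ranges: read one IPv4 address per line on stdin, sort them
# numerically, and print "start-end" lines. A run of consecutive last octets
# inside one /24 becomes a single range; a lone address prints as "a-a".
coalesce_ranges() {
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq | awk -F '[.]' '
    function flush() { if (start != "") print start "-" last }
    {
        prefix = $1 "." $2 "." $3
        if (start != "" && prefix == pprefix && $4 == plast + 1) {
            # extends the current run
            last = $0; plast = $4
        } else {
            flush()
            start = $0; last = $0; pprefix = prefix; plast = $4
        }
    }
    END { flush() }'
}

# drop_rules: $1 = space-separated unwanted destination addresses,
#             $2 = space-separated ISO country codes to drop by source (geoip).
# Destination drops are emitted first, country drops second, as in the post.
drop_rules() {
    unwanted_dst=$1
    unwanted_cc=$2
    printf '%s\n' $unwanted_dst | coalesce_ranges | while IFS= read -r range; do
        start=${range%-*}
        end=${range#*-}
        if [ "$start" = "$end" ]; then
            # single address: no need for the iprange match
            printf 'iptables -A INPUT -d %s -j DROP\n' "$start"
        else
            printf 'iptables -A INPUT -m iprange --dst-range %s -j DROP\n' "$range"
        fi
    done
    for cc in $unwanted_cc; do
        printf 'iptables -A INPUT -m geoip --src-cc %s -j DROP\n' "$cc"
    done
}

# Demo on constructed sample input (unsorted on purpose to show the coalescing):
drop_rules "192.0.2.213 192.0.2.210 192.0.2.211 192.0.2.212 192.0.2.219 198.51.100.7" "CN"
```

Because the script only prints commands, the usual workflow is `sh gen_rules.sh > rules.sh`, read `rules.sh`, then run it on the firewall host. Keeping these rules near the top of INPUT matters: a later ACCEPT for established connections placed before them would let already-open flows bypass the country drop.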