U.Mutlu wrote, On 10/18/2012 04:04 AM:
I solved the problem in 2 steps, in that order:
drop all packets to unwanted dest IPs
drop all packets from unwanted CCs
If the IPs are consecutive then one can use the range option of iptables, like this:
iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
I.e.:
iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
...
iptables -A INPUT -m geoip --src-cc CN -j DROP
...
Correction: since all packets to non-local IPs go through the FORWARD chain,
the above example must be changed to:
iptables -A FORWARD -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
U.Mutlu wrote, On 10/18/2012 03:29 AM:
Subtitle: [xtables geoip] rules not applied to packets for non-configured IPs
Hi,
from the router link (just 1 link) I'm getting traffic for multiple IPs
(a quasi multihomed system, actually a host node and multiple virtual systems therein),
that's correct so, but is there a way to drop all packets to IPs
that are actually not configured on the local system?
Is there a better way than writing a drop/reject rule for each such IP?
And related to this, I think there is a bug in xtables geoip
because if there is a packet for such a non-configured IP
then the iptables rules (at least geoip rules) aren't applied to such packets.
How to fix this?
...because they go through the FORWARD chain, not the INPUT chain!... :-)
Problem solved.
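The two-step FORWARD-chain rule set from the correction above, written out as an added example (not from the thread or from the netfilter project). It assumes an iptables build with the iprange match and the xtables-addons geoip match, and uses constructed placeholder addresses from the 203.0.113.0/24 documentation range in place of the thread's x.x.x.210-219.

```sh
#!/bin/sh
# Added example: build the FORWARD-chain rules for a host node that forwards traffic
# to guest IPs, as described in the thread. Rules are generated as text first so
# they can be reviewed (or unit-tested) before touching the live firewall.

# Drop forwarded packets whose destination falls in an unwanted consecutive range.
# $1 = first address, $2 = last address (iprange match, no per-IP rule needed).
drop_dst_range_rule() {
    echo "-A FORWARD -m iprange --dst-range $1-$2 -j DROP"
}

# Drop forwarded packets whose source country code is unwanted.
# $1 = ISO country code(s), comma separated (xtables-addons geoip match).
drop_src_cc_rule() {
    echo "-A FORWARD -m geoip --src-cc $1 -j DROP"
}

# Emit an iptables-restore fragment in the same order the thread uses:
# destination-range drops first, then country drops.
build_ruleset() {
    echo '*filter'
    drop_dst_range_rule "$1" "$2"
    drop_src_cc_rule "$3"
    echo 'COMMIT'
}

# Load the fragment atomically. --noflush keeps existing rules in place; without
# it iptables-restore would replace the whole filter table.
apply_ruleset() {
    build_ruleset "$1" "$2" "$3" | iptables-restore --noflush
}

# Constructed sample invocation (documentation addresses, not real hosts):
build_ruleset 203.0.113.210 203.0.113.219 CN
```

Pipe `build_ruleset` into `iptables-restore --test` first to have the kernel-side parser validate the fragment without applying it.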
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html