[Gllug] iptables with 1000s of IP addresses

Richard Jones rich at annexia.org
Sun Dec 28 17:51:25 UTC 2008


I've been slowly adding the IP addresses of people who (try to) add
comment spam to my sites to a big IP drop list.  Currently each IP in
the list is just added to a DROP rule in the INPUT table.

The list hit the 1000 mark recently (in fact, 1221 addresses right
now) and is growing at ~ 50 new addresses / day.

At the moment, iptables seems to be handling all of this OK, but ...

Can I measure the overhead?

Are there more efficient solutions?  I've heard about nfqueue, but has
anyone used it?  It seems like it would be quite inefficient because
it involves a transition to userspace and back to the kernel for each
incoming packet.

Rich.

PS. I will be publishing the list of IP addresses shortly, along with
the comment spam that was attempted and the date/time of the attempts,
so that others can study and use them.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
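As an added example (not part of the post or any reply), the shell below covers both things asked: batch-loading the drop list into a dedicated chain so INPUT carries one jump instead of one rule per address, and reading the per-rule packet counters to see how long the chain is and which rules never fire. The chain name SPAMDROP, the one-address-per-line file, and the sample counter output are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes a text file with one
# IPv4 address per line; the chain name SPAMDROP is a placeholder choice.
set -eu

# Emit iptables-restore input that puts every address into its own chain.
# INPUT then needs a single "-j SPAMDROP" rather than one DROP rule per
# address, and loading ~1200 rules in one iptables-restore commit avoids
# running the iptables binary ~1200 times.  Comments and blank lines are
# ignored; anything that is not made of digits and dots is reported on
# stderr and skipped instead of being handed to the kernel.
gen_drop_rules() {
    chain=$1; file=$2
    printf '*filter\n:%s - [0:0]\n' "$chain"
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r ip; do
        case $ip in
            *[!0-9.]*|'') printf 'skipping malformed entry: %s\n' "$ip" >&2 ;;
            *) printf '%s\n' "-A $chain -s $ip -j DROP" ;;
        esac
    done
    printf 'COMMIT\n'
}

# Read "iptables -L SPAMDROP -v -n -x" on stdin and print the source of
# every DROP rule whose packet counter is still zero.  A packet is compared
# against the rules in order until one matches, so chain length is the
# per-packet cost; rules that never fire are pure overhead and candidates
# for expiry from the list.
unhit_rules() {
    awk 'NR > 2 && $3 == "DROP" && $1 == 0 { print $8 }'
}

# Number of DROP rules a packet may be compared against.
rule_count() {
    awk 'NR > 2 && $3 == "DROP" { n++ } END { print n + 0 }'
}

# Constructed sample of the counter listing (not real data from the list).
SAMPLE='Chain SPAMDROP (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12       720 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
       0         0 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
       3       180 DROP       all  --  *      *       203.0.113.42         0.0.0.0/0'
```

Load the generated fragment with `iptables-restore -n` (flush the chain first with `iptables -F SPAMDROP` when refreshing the list) and add `iptables -I INPUT -j SPAMDROP` once; then pipe `iptables -L SPAMDROP -v -n -x` into `unhit_rules` or `rule_count`.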



