[Gllug] iptables with 1000s of IP addresses
Anthony Newman
anthony.newman at ossified.net
Sun Dec 28 18:20:50 UTC 2008
Richard Jones wrote:
> At the moment, iptables seems to be handling all of this OK, but ...
>
> Can I measure the overhead?
I'd flippantly suggest looking at the output of top(1). If you're not
running out of memory or processor time, there's no problem. At the rate
you're adding entries, it seems unlikely to become a sudden problem.
Cursory Googling suggests that you're not likely to have a problem ever
really, although I assume you're not already handling large amounts of
bandwidth or PPS.
> Are there more efficient solutions? I've heard about nfqueue, but has
> anyone used it? It seems like it would be quite inefficient because
> it involves a transition to userspace and back to the kernel for each
> incoming packet.
>
> Rich.
>
> PS. I will be publishing the list of IP addresses shortly, along with
> the comment spam that was attempted and the date/time of the attempts,
> so that others can study and use them.
>
If you wished to partake, there's DroneBL (http://www.dronebl.org/)
which already maintains a list of queryable known-abusive addresses, to
which you can also in turn contribute. YMMV of course.
Ant
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
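As an added example, not part of Anthony's reply or Richard's question, the following script shows the usual way to keep thousands of addresses out of the rule chain itself: load them into an ipset hash set and match the set from a single iptables rule, so the chain stays one rule long no matter how many addresses are blocked. The set name commentspam and the addresses in SAMPLE_IPS are made up for the example; the functions only generate input for ipset restore and iptables-restore and do not touch a live firewall, so the script runs as an ordinary user.

```shell
#!/bin/sh
# Added example, not code from the GLLUG thread: load a large block list into
# one ipset hash:ip set and match it with a single iptables rule, instead of
# appending one "-s ADDR -j DROP" rule per address. The set name "commentspam"
# and the addresses in SAMPLE_IPS are made up for this example. Nothing below
# touches a live firewall; the functions only emit text for ipset restore and
# iptables-restore, so the script can be run and inspected as an ordinary user.

# Constructed sample input: one address per line, deliberately including a
# comment, a blank line, a duplicate and a malformed entry (octet > 255).
SAMPLE_IPS='203.0.113.10
198.51.100.7
# harvested from comment spam attempts
203.0.113.10
192.0.2.300
192.0.2.44

198.51.100.250'

# normalize_ips: read addresses from stdin, drop comments and blank lines,
# reject anything that is not a dotted quad with octets 0-255 (reported on
# stderr), and emit a sorted, de-duplicated list.
normalize_ips() {
    awk '
        function bad() { print "skipping invalid address: " $0 > "/dev/stderr" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if (split($0, o, ".") != 4) { bad(); next }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad(); next }
            print
        }
    ' | sort -u
}

# ipset_restore_script SETNAME: emit input for "ipset -exist restore". One
# hash:ip set gives constant-time lookups however many addresses it holds;
# maxelem bounds the set, so raise it if the list grows past 65536 entries.
ipset_restore_script() {
    echo "create $1 hash:ip family inet hashsize 4096 maxelem 65536"
    while IFS= read -r ip; do
        echo "add $1 $ip"
    done
}

# iptables_restore_fragment SETNAME: the one rule that replaces N per-address
# rules. Load it with "iptables-restore -n" so existing rules are not flushed.
iptables_restore_fragment() {
    echo '*filter'
    echo "-A INPUT -m set --match-set $1 src -j DROP"
    echo 'COMMIT'
}

# linear_rules: the approach under discussion, one rule per address; a packet
# that reaches the end of the chain has been compared against all N of them.
linear_rules() {
    while IFS= read -r ip; do
        echo "-A INPUT -s $ip -j DROP"
    done
}

# Demonstration: both forms side by side for the sample list.
echo '# --- ipset restore input ---'
printf '%s\n' "$SAMPLE_IPS" | normalize_ips | ipset_restore_script commentspam
echo '# --- iptables-restore fragment (one rule, any number of addresses) ---'
iptables_restore_fragment commentspam
echo '# --- linear equivalent (one rule per address) ---'
printf '%s\n' "$SAMPLE_IPS" | normalize_ips 2>/dev/null | linear_rules
```

On the target host the two generated texts would be applied with `ipset -exist restore < commentspam.ipset` followed by `iptables-restore -n < commentspam.rules` (file names are whatever you choose). If the published list ends up containing CIDR ranges, use a hash:net set instead of hash:ip. The set can be refreshed by re-running ipset restore without touching the rule at all, which is what makes the approach convenient as the list grows.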