[Gllug] iptables with 1000s of IP addresses

Alain Williams addw at phcomp.co.uk
Sun Dec 28 20:19:27 UTC 2008


On Sun, Dec 28, 2008 at 05:51:25PM +0000, Richard Jones wrote:
> I've been slowly adding the IP addresses of people who (try to) add
> comment spam to my sites to a big IP drop list.  Currently each IP in
> the list is just added to a DROP rule in the INPUT table.
> 
> The list hit the 1000 mark recently (in fact, 1221 addresses right
> now) and is growing at ~ 50 new addresses / day.
> 
> At the moment, iptables seems to be handling all of this OK, but ...
> 
> Can I measure the overhead?
> 
> Are there more efficient solutions?  I've heard about nfqueue, but has
> anyone used it?  It seems like it would be quite inefficient because
> it involves a transition to userspace and back to the kernel for each
> incoming packet.


1) Only apply the test to new connections, i.e. accept packets that are part of established connections,
   so close to the start put:
	# Continue existing connections - this means that the other TCP rules relate to new connections:
	iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -p tcp ! --syn -j ACCEPT

2) Your machine is presumably doing things other than handling http; you don't want new connections for
   those services to be tested against all the entries in the drop list, so put them into a chain
   that is only checked for http:

	iptables -N In_http
	iptables -A In_http -s DropEntry1 -j DROP
	...
	iptables -A In_http -j ACCEPT

	iptables -A INPUT -p TCP --dport http -j In_http

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
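An added example (not part of Alain's post) that turns the two suggestions above into a generator: it reads a plain-text drop list and emits an iptables-restore fragment with the ESTABLISHED,RELATED bypass first and a dedicated In_http chain holding one DROP per address. The chain name In_http is from the post; the drop-list file format, port 80 in place of the service name, and the sample addresses in the demo are assumptions constructed here.

```shell
#!/bin/sh
# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# gen_drop_rules DROPLIST
# DROPLIST holds one IPv4 address per line; '#' comments and blank lines are
# allowed (constructed format). Writes an iptables-restore fragment to stdout,
# reports rejected lines on stderr.
gen_drop_rules() {
    list="$1"
    echo '*filter'
    echo ':In_http - [0:0]'
    # 1) packets of existing connections never traverse the drop list
    echo '-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p tcp ! --syn -j ACCEPT'
    # 2) only new http connections are sent through the In_http chain
    echo '-A INPUT -p tcp --dport 80 -j In_http'
    # strip comments and whitespace, drop empty lines, dedupe, one DROP each
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" | grep -v '^$' | sort -u |
    while read -r ip; do
        if valid_ipv4 "$ip"; then
            echo "-A In_http -s $ip -j DROP"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done
    echo '-A In_http -j ACCEPT'
    echo 'COMMIT'
}

# Number of DROP rules in a fragment read from stdin (sanity check on the list).
count_drops() { grep -c -- '-j DROP$'; }

# Demo with a constructed drop list (duplicate and one bogus entry included).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '192.0.2.10\n# seen twice\n198.51.100.7\n192.0.2.10\n999.1.1.1\n' > "$tmp"
    gen_drop_rules "$tmp"
    rm -f "$tmp"
fi
```

Load the fragment with `iptables-restore -n` (no flush of other chains), then `iptables -L In_http -v -n -x` shows exact packet counters per rule, which answers the "can I measure the overhead" question for the drop list itself.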