[Gllug] iptables with 1000s of IP addresses

Dan Kolb gllug at eco.li
Sun Dec 28 18:05:30 UTC 2008


On Sun, Dec 28, 2008 at 05:51:25PM +0000, Richard Jones wrote:
> I've been slowly adding the IP addresses of people who (try to) add
> comment spam to my sites to a big IP drop list.  Currently each IP in
> the list is just added to a DROP rule in the INPUT table.
> 
> The list hit the 1000 mark recently (in fact, 1221 addresses right
> now) and is growing at ~ 50 new addresses / day.
> 
> Are there more efficient solutions?  I've heard about nfqueue, but has
> anyone used it?  It seems like it would be quite inefficient because
> it involves a transition to userspace and back to the kernel for each
> incoming packet.

Would it not be more efficient to use netblocks, rather than individual IP
addresses?

Dan
-- 
Honesty is the best policy, but insanity is a better defense.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
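One way to apply the netblock suggestion above, as an added example that is not code from this thread or from either poster: the script below takes a drop list of individual IPv4 addresses and collapses it into CIDR netblocks before emitting iptables rules. It assumes a policy of its own (any /24 with at least `threshold` listed addresses is blocked whole, everything else stays a /32 and is merged only where addresses are exactly adjacent), and the sample addresses are constructed from documentation ranges, not taken from the original list. The `covers` check exists to make the trade-off visible: a whole /24 also drops neighbours that never sent spam, so the threshold is the knob between rule count and collateral blocking.

```python
import ipaddress
from collections import Counter

# Constructed sample drop list (documentation ranges, not from the thread).
SAMPLE_IPS = [
    "203.0.113.5", "203.0.113.17", "203.0.113.42", "203.0.113.99",
    "203.0.113.200", "203.0.113.6",
    "198.51.100.7", "198.51.100.6",
    "192.0.2.1",
]


def aggregate(ips, prefix=24, threshold=3):
    """Return sorted IPv4 networks covering every address in `ips`.

    Hypothetical policy: a /`prefix` block holding at least `threshold`
    listed addresses is emitted as one netblock; the remaining addresses
    stay as /32 entries, and adjacent /32s are collapsed into the smallest
    covering CIDR. A lower threshold means fewer rules but more
    unrelated hosts caught in the same block.
    """
    addrs = {ipaddress.ip_address(ip) for ip in ips}
    if any(a.version != 4 for a in addrs):
        raise ValueError("this example handles IPv4 only")

    # Count how many listed addresses fall into each /prefix block.
    blocks = Counter(
        ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs
    )

    nets = []
    for block, hits in blocks.items():
        if hits >= threshold:
            nets.append(block)                       # block the whole range
        else:
            nets.extend(ipaddress.ip_network(str(a)) # keep host entries
                        for a in addrs if a in block)

    # Merge exactly adjacent host entries (e.g. .6/32 + .7/32 -> .6/31).
    return sorted(ipaddress.collapse_addresses(nets))


def render_iptables(nets, chain="INPUT"):
    """Render one DROP rule per netblock for the given chain."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in nets]


def covers(nets, ip):
    """True if `ip` would be dropped by the aggregated rule set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    nets = aggregate(SAMPLE_IPS)
    print(f"{len(SAMPLE_IPS)} addresses -> {len(nets)} rules")
    for line in render_iptables(nets):
        print(line)
    # Collateral check: an address never listed, but inside a blocked /24.
    print("203.0.113.77 dropped:", covers(nets, "203.0.113.77"))
```

With the constructed sample the nine addresses become three rules: the six hits in 203.0.113.0/24 trigger the whole block, 198.51.100.6 and .7 merge into a /31, and 192.0.2.1 stays a /32. Run `covers` against addresses you know are legitimate before loading the result into the firewall, since the /24 rule now drops every host in that block.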