[Gllug] iptables with 1000s of IP addresses

damion.yates at gmail.com damion.yates at gmail.com
Mon Dec 29 00:13:45 UTC 2008


On Sun, 28 Dec 2008, Dan Kolb wrote:

> On Sun, Dec 28, 2008 at 05:51:25PM +0000, Richard Jones wrote:
> > I've been slowly adding the IP addresses of people who (try to) add
> > comment spam to my sites to a big IP drop list.  Currently each IP
> > in the list is just added to a DROP rule in the INPUT table.
> > 
> > The list hit the 1000 mark recently (in fact, 1221 addresses right
> > now) and is growing at ~ 50 new addresses / day.
> > 
> > Are there more efficient solutions?  I've heard about nfqueue, but
> > has anyone used it?  It seems like it would be quite inefficient
> > because it involves a transition to userspace and back to the kernel
> > for each incoming packet.
> 
> Would it not be more efficient to use netblocks, rather than
> individual IP addresses?

A couple of years ago I worked somewhere that took Quova data grouped to
better netblocks* and fed into iptables to permit UK-only access to the
content we were streaming. Even in netblocks this was 90k lines; we saw
no slowdown on these servers.  The Solaris boxes used ipf and that took
minutes to load the data but was otherwise okay.

Damion

*This wasn't just poor data on their part; these were considered
distinct entities, even if they were contiguous.  So 200.200.0.0/24
and 200.200.1.0/24 compact to 200.200.0.0/23 but could be different UK
companies.  There were plenty of holes, which were almost certainly
unallocated chunks destined to be UK allocated, but we couldn't make
that assumption, and 90k iptables rules seemed to work fine.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
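The netblock compaction Dan suggests and the footnote illustrates (two adjacent /24s becoming one /23), as an added example that is not code from the thread: it collapses a drop list of single IPs and CIDRs into the smallest set of blocks covering exactly the same addresses, checks that nothing was lost, and emits one DROP rule per block. The sample list is constructed for the example; only the standard library is used.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample drop list (not data from the thread): the two adjacent
# /24s are the footnote's example; the duplicate host shows de-duplication.
SAMPLE_LIST = """
# comment spammers
200.200.0.0/24
200.200.1.0/24
203.0.113.7
203.0.113.7
198.51.100.0/25
198.51.100.128/25
192.0.2.44
"""

def parse_entries(text: str) -> List[Net]:
    """Parse one address or CIDR per line; blank lines and '#' comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def compact(nets: Iterable[Net]) -> List[Net]:
    """Smallest set of networks covering exactly the input addresses.

    Merging is exact: 200.200.0.0/24 + 200.200.1.0/24 become 200.200.0.0/23,
    but no address outside the input is ever added, so the list cannot widen.
    IPv4 and IPv6 are collapsed separately because they cannot be mixed.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def still_covered(original: Iterable[Net], compacted: Iterable[Net]) -> bool:
    """Sanity check before loading: every original entry lies inside some compacted block."""
    blocks = list(compacted)
    return all(any(o.subnet_of(c) for c in blocks if c.version == o.version)
               for o in original)

def iptables_rules(nets: Iterable[Net], chain: str = "INPUT") -> List[str]:
    """One DROP rule per block: the same shape as the per-IP rules, just far fewer."""
    return [f"{'ip6tables' if n.version == 6 else 'iptables'} -A {chain} -s {n.with_prefixlen} -j DROP"
            for n in nets]

if __name__ == "__main__":
    original = parse_entries(SAMPLE_LIST)
    blocks = compact(original)
    assert still_covered(original, blocks)
    print(f"{len(original)} entries -> {len(blocks)} rules")
    print("\n".join(iptables_rules(blocks)))
```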