[Gllug] iptables with 1000s of IP addresses
Richard Jones
rich at annexia.org
Sun Dec 28 21:15:34 UTC 2008
On Sun, Dec 28, 2008 at 08:19:27PM +0000, Alain Williams wrote:
> 1) Only apply the test to new connections, ie accept packets that are part of established connections,
> so close to the start put:
> # Continue existing connections - this means that the other TCP rules relate to new connections:
> iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp ! --syn -j ACCEPT
Thanks. I just checked my script and I had this rule already, but it
was *after* the blackholes. So I moved it to before.
> 2) Your machine is presumably doing things other than handle http, you don't want new connections for
> these services to be tested against all the entries in the drop list, so put them into a table
> that is only checked for http:
In this particular case, I think I'm happier knowing that if an IP
address was added to the blacklist for one reason (e.g. HTTP comment
spam) then that IP is blocked from everything. The reason is that I
suspect that once a machine has been subverted into a botnet, it
becomes (or could potentially become) a multi-purpose tool for various
nefariousness. Anyhow, I don't want to talk to it any longer.
Rich.
--
Richard Jones
Red Hat
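As an added illustration (not code from the original post or from the quoted reply), the script below generates an iptables-restore ruleset from a file of blacklisted addresses in the order the thread arrives at: the ESTABLISHED,RELATED accept comes first, and the drop list sits in its own chain that is only consulted for packets opening a new connection. The chain name BLACKLIST, the blacklist file format and the use of `-m state --state NEW` in place of the quoted `! --syn` rule are assumptions of this example; the jump covers all new connections, matching the choice stated above, and the comment shows where to narrow it to HTTP as the quoted reply suggests.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore
# ruleset from a blacklist file so that (1) the ESTABLISHED,RELATED accept
# precedes the blackhole rules and (2) the drop list lives in its own chain
# that is walked only for new connections.
# The chain name BLACKLIST and the file layout are assumptions.

# Emit a complete ruleset on stdout. $1 = file with one IP or CIDR per line;
# blank lines and '#' comments are ignored.
gen_ruleset() {
    blacklist="$1"
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':BLACKLIST - [0:0]'
    # Packets of existing connections are accepted before anything else,
    # so the (possibly very long) drop list is never walked for them.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only connection-opening packets are sent through the drop list.
    # To check the list for HTTP only, use "-p tcp --dport 80" here instead.
    echo '-A INPUT -m state --state NEW -j BLACKLIST'
    # One DROP rule per entry in the file.
    grep -v '^[[:space:]]*#' "$blacklist" | grep -v '^[[:space:]]*$' |
    while read -r ip; do
        echo "-A BLACKLIST -s $ip -j DROP"
    done
    echo 'COMMIT'
}

# Line number of the first generated rule matching a pattern; lets the
# ordering be checked without loading anything into the kernel.
rule_line() {
    gen_ruleset "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Number of DROP rules produced from a blacklist file.
count_drops() {
    gen_ruleset "$1" | grep -c -- '-j DROP'
}

# Constructed sample blacklist (documentation ranges, for this example only).
BLACKLIST_FILE="$(mktemp)"
trap 'rm -f "$BLACKLIST_FILE"' EXIT
cat > "$BLACKLIST_FILE" <<'EOF'
# sample entries, constructed for this example
192.0.2.10
198.51.100.0/24

203.0.113.77
EOF

# Stand-alone run: print the ruleset (pipe it into iptables-restore to load).
gen_ruleset "$BLACKLIST_FILE"
```

Loading the output with `gen_ruleset blacklist.txt | iptables-restore` replaces one `iptables -A` invocation per address with a single atomic load, which matters once the list runs into the thousands. The kernel still walks the BLACKLIST chain linearly for every new connection, so a very long list is better held in an ipset (a hash lookup) with a single `-m set --match-set` rule in front of it.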
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug