
Re: Max number of iptable rules?

From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: Max number of iptable rules?
Date 2013-05-25 10:10 +0200
Message-ID <mr-9F09EF.10100625052013@News.Individual.NET>
References <mr-E9D8F4.21453924052013@News.Individual.NET> <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>

Cross-posted to 3 groups.



In article <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>,
 Richard Kettlewell <rjk@greenend.org.uk> wrote:

> > The man page doesn't seem to say. I saw something that suggested that
> > it may have maxed out at about 5000 rules, could that be true?
> 
> Don’t know, but a linear search for every packet isn’t going to be very
> efficient...

Of course not. It's idiotic. But currently, it's the only method I 
have found that is actually working. :)

> > I'm adding them as I find them in the log files, and there are 
> > thousands of hosts... 
> 
> You could use an ipset containing all the problem addresses instead of a
> rule for each address.  See ‘man ipset’ and look for ‘ipset’ in ‘man
> iptables’ for details.  (I’ve not tried this myself..)

I don't have ipset installed, and it's a kernel module and this is a 
production server, so I won't be starting to compile kernels on it 
unless it was my only option.

The server is running Linux Debian 6.0.7 with the 2.6.32-5-amd64 
kernel.

It's been a long time since I compiled a kernel, and apt-get has ipset 
and ipset-source, and I've never even compiled an apt-get source 
package (but I obviously have compiled millions of downloaded source 
packages).

ipset would be a solution for me, it seems, but as it seems, 
opennet.se may be the culprit here, and my first step (monday) should 
be to contact them and have them fix their DNS. 



-- 
Sandman[.net]
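For comparison, the two approaches discussed in this thread side by side, as an added shell example (not code from either poster): it harvests the offending source addresses from a log, emits the one-rule-per-host list that Richard calls a linear search, and emits the single-set alternative (one ipset plus one iptables rule). The sshd log lines, the set name `blocklist`, and the sizing parameters are constructed for the example; the `hash:ip` create syntax and the `-m set --match-set` match assume ipset 6.x with a matching iptables, so check the installed `ipset` version before relying on the exact spelling of those commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts "one DROP rule per
# abusive host" into "one ipset plus one rule". Set name, log lines and
# the ipset 6.x command syntax are assumptions.

# Constructed sshd log excerpt (not real data); 203.0.113.7 repeats,
# so a naive per-line loop would add a duplicate rule for it.
SAMPLE_LOG='May 25 09:55:01 srv sshd[101]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 25 09:55:03 srv sshd[102]: Failed password for root from 198.51.100.23 port 40123 ssh2
May 25 09:55:09 srv sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
May 25 09:56:11 srv sshd[104]: Failed password for root from 192.0.2.200 port 40140 ssh2'

# Pull unique IPv4 addresses out of log text on stdin (one per line, sorted).
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# The approach the thread starts from: one rule per address. Every packet
# walks this chain top to bottom until a rule matches, so per-packet cost
# grows linearly with the number of blocked hosts. Emits commands only.
per_host_rules() {
    while read -r ip; do
        echo "iptables -A INPUT -s $ip -j DROP"
    done
}

# The alternative: an `ipset restore` script. A hash:ip set costs one hash
# probe per packet whatever its size. hashsize/maxelem are sized for a few
# hundred thousand entries (assumed values; tune to the host list).
build_restore() {
    setname="${1:-blocklist}"
    echo "create $setname hash:ip family inet hashsize 65536 maxelem 262144"
    while read -r ip; do
        echo "add $setname $ip"
    done
}

# Load the set and attach it with exactly one rule. Requires root and the
# ip_set kernel modules; only invoked when the script is run with --apply.
# `ipset -exist restore` makes re-running idempotent (existing set/entries
# are not errors).
apply_blocklist() {
    setname="${1:-blocklist}"
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | build_restore "$setname" | ipset -exist restore
    iptables -I INPUT 1 -m set --match-set "$setname" src -j DROP
}

if [ "${1:-}" = "--apply" ]; then
    apply_blocklist blocklist
else
    # Dry run: print both rule lists so they can be compared.
    echo "# per-host rules:"
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | per_host_rules
    echo "# ipset restore script:"
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | build_restore blocklist
fi
```

Run without arguments it only prints; with `--apply` (as root, with ipset installed) it loads the set and inserts the single DROP rule at the top of INPUT. New addresses found later go in with `ipset add blocklist <ip>` and take effect immediately, with no change to the iptables chain.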



Thread

Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-24 21:45 +0200
  Re: Max number of iptable rules? Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:56 +0100
    Re: Max number of iptable rules? Sandman <mr@sandman.net> - 2013-05-25 10:10 +0200
      Re: Max number of iptable rules? buck <buck@private.mil> - 2013-05-25 17:06 +0000
