From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: Max number of iptable rules?
Date: Sat, 25 May 2013 10:10:06 +0200
References: <878v33qyr1.fsf@araminta.anjou.terraraq.org.uk>
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)

Richard Kettlewell wrote:

> > The man page doesn't seem to say. I saw something that suggested that
> > it may have maxed out at about 5000 rules, could that be true?
>
> Don’t know, but a linear search for every packet isn’t going to be very
> efficient...

Of course not. It's idiotic. But currently, it's the only method I have
found that is actually working. :)

> > I'm adding them as I find them in the log files, and there are
> > thousands of hosts...
>
> You could use an ipset containing all the problem addresses instead of a
> rule for each address. See ‘man ipset’ and look for ‘ipset’ in ‘man
> iptables’ for details. (I’ve not tried this myself..)

I don't have ipset installed, and it's a kernel module and this is a
production server, so I won't be starting to compile kernels on it unless
it was my only option. The server is running Linux Debian 6.0.7 with the
2.6.32-5-amd64 kernel. It's been a long time since I compiled a kernel,
and apt-get has ipset and ipset-source, and I've never even compiled an
apt-get source package (but I obviously have compiled millions of
downloaded source packages).
ipset would be a solution for me, it seems, but as it seems, opennet.se
may be the culprit here, and my first step (Monday) should be to contact
them and have them fix their DNS.

-- 
Sandman[.net]
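The ipset approach suggested in the quoted reply, as an added example that is not from the thread: a script that turns a list of abusive source addresses (such as would be pulled from log files) into an `ipset restore` file, so that one `iptables` rule replaces thousands of per-host rules. It assumes a kernel with ipset support; the set name, hash sizes and sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an 'ipset restore' input
# from a list of IPv4 addresses and prints the single iptables rule that
# consults the set. Set name and sizes below are assumptions, not defaults
# taken from the thread.

SET_NAME="${SET_NAME:-blocklist}"

# Read addresses on stdin (one per line, non-address lines tolerated) and
# print an ipset-restore file: one 'create' line, then one 'add' per unique
# IPv4. Set membership is a hash lookup, not a linear walk over rules.
build_ipset_restore() {
    # maxelem must stay above the number of hosts you expect to add.
    printf 'create %s hash:ip family inet hashsize 4096 maxelem 65536\n' "$SET_NAME"
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u |
        while IFS= read -r ip; do
            printf 'add %s %s\n' "$SET_NAME" "$ip"
        done
}

# One rule matches every address in the set; inserting it at the top of
# INPUT means the per-host rules can be deleted afterwards.
iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Constructed sample: what a crude grep over log files might yield,
# including a duplicate and a line that is not an address.
SAMPLE_IPS='203.0.113.7
198.51.100.42
203.0.113.7
not-an-address
192.0.2.200'

# Usage (as root, on a host with ipset installed):
#   printf '%s\n' "$SAMPLE_IPS" | build_ipset_restore | ipset restore -exist
#   eval "$(iptables_rule)"
```

`ipset restore -exist` makes the load re-runnable, so the same script can be fed the updated list each time new hosts are found in the logs.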