  1. #1

    How many IPs can I add to iptables?

    Hello,

    I need to block about 5000 IPs. Is it possible to add this amount of IPs to iptables?
    I mean... will this slow down the machine response?

  2. #2

  3. #3
    The number of rules that you add to the firewall will affect server performance, of course, because each packet that arrives at your server will be compared by the Linux kernel with every firewall rule. But there are some performance tips for that process.

    There is no theoretical limitation on putting 5000 rules on Linux, but filtering by using other criteria like subnets, as servertechs mentioned, is more efficient.

    Best regards,
    http://creawebsolutions.com
    Server Management & Web Security.

  4. #4
    IPs are various single IPs.

    Quote Originally Posted by creaws:
    > But there are some performance tips for that process.
    What tips can you suggest?

  5. #5
    Some tips are:

    - firewall by subnets,
    - sort firewall rules according to matching chance, most matched rules before others.
    - compile kernel with iptables built in, not as a module.
    - erase logging rules (not recommended if you need auditing, but it improves performance)

    Best regards, Creaws.
    http://creawebsolutions.com
    Server Management & Web Security.

  6. #6
    Thanks creaws for the tips. These IPs seem to be dedicated servers.

    I have a list. I wonder if there is any utility that can generate optimized subnets for a list of IPs... so I won't ban "good" users.

  7. #7
    I suspect this will hit your CPU a fair bit.

    Firewalls sort through the list sequentially for a match to the rule before permitting or denying.

    If you have this

    Deny 1.1.1.1
    Deny 2.2.2.2
    Deny 3.3.3.3
    Permit any

    You see the packet from 4.4.4.4 has had to go through 3 rules before being permitted. Unless the 5000 can be grouped into a small amount of subnets I would be very careful implementing that. This is a simplified example but you see the point.
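    As an added example (not code from anyone in this thread), a Python script that does what post #6 asks for and models the sequential scan post #7 describes: it merges a list of single IPs into the fewest CIDR blocks that cover exactly those addresses, so no extra "good" address is swept in, then counts how many deny rules a packet is compared against before a verdict. The sample IP list and the INPUT chain name are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: a small stand-in for the 5000-entry list of single IPs.
SAMPLE_IPS = [
    "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.0",  # four contiguous hosts -> one /30
    "10.0.1.0", "10.0.1.1",                          # two contiguous hosts -> one /31
    "192.0.2.7",                                     # isolated host -> stays a /32
    "10.0.0.2",                                      # duplicate entry in the list
]

def single_host_rules(ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """One /32 per unique address, i.e. the naive rule set."""
    return sorted(ipaddress.ip_network(ip) for ip in set(ips))

def aggregate(ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge the hosts into the fewest CIDR blocks covering exactly those
    addresses. Only contiguous runs get combined and nothing outside the
    list is covered, so the merge itself never blocks a 'good' user."""
    return list(ipaddress.collapse_addresses(single_host_rules(ips)))

def walk_chain(src: str, deny: List[ipaddress.IPv4Network]) -> Tuple[str, int]:
    """Model the sequential match: return the verdict and how many deny rules
    were compared before it. A packet matching nothing is compared against
    every deny rule and then falls through to the final permit."""
    addr = ipaddress.ip_address(src)
    for n, net in enumerate(deny, start=1):
        if addr in net:
            return ("DROP", n)
    return ("ACCEPT", len(deny))

def to_iptables(nets: List[ipaddress.IPv4Network], chain: str = "INPUT") -> List[str]:
    """Render one DROP rule per aggregated block (chain name is an assumption)."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]

if __name__ == "__main__":
    naive, merged = single_host_rules(SAMPLE_IPS), aggregate(SAMPLE_IPS)
    print(f"{len(naive)} host rules -> {len(merged)} subnet rules")
    for src in ("4.4.4.4", "10.0.0.3"):
        print(src, walk_chain(src, naive), walk_chain(src, merged))
    print("\n".join(to_iptables(merged)))
```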

  8. #8
    We tested something like this. It becomes a management nightmare. Also, if you have to reboot the server it may take a significant amount of time for the server to come back up.
    SiteSouth
    Atlanta, GA and Las Vegas, NV. Colocation
