IPTables limits?

Karl Pearson karlp at ourldsfamily.com
Tue Oct 21 17:34:02 UTC 2008


On Tue, October 21, 2008 11:16 am, Rick Stevens wrote:
> Karl Pearson wrote:
>> I'm curious if there's a limit on how many iptables entries it takes
>> to hammer a system. Okay, a better question: When am I running the
>> risk of messing up my IP traffic if I add DROP entries in the INPUT
>> rule of iptables?
>
> You do ask the damndest questions, Karl!  :-)
>
> I've never seen a document that describes any rule limits.  It is a
> kernel module, so one must assume there is some limit.  It may be that
> a spelunking session through the source might answer that.
>
> I've got lots of drop entries on my rules and haven't had any issues,
> but I'm always guided by the concept that the more rules a packet must
> traverse, the slower the connection will be at startup.  Therefore I
> order my rules carefully putting the more generic rules at the top of
> the list and the more specific ones at the bottom.  That may not work
> for you...every network is a little different (for example, we blacklist
> entire /8 networks in some cases because of DOS or hack attacks from
> those countries).

I'd love a list of those IPs and how you inserted the rule. I also
wonder about DROP vs REJECT. I know the difference, but what's the
theory behind using one over the other? I have thought it is about them
knowing the IP is there vs just a hang. But, I'm wondering if the DROP
(hang) causes me any headaches in IP traffic limiting? I know, another
annoying question.

All my DROPs are in the first rule, so they are immediately acted on, or
in this case, DROPped.

I used to use sshblack, but the way the logfiles are written now makes it
ineffective for inbound; however, I wrote my own blacklist scripts which
I use with it, so it does do aging checks, which for DDNS is okay, I
think.

I have installed fail2ban, which blacklists for a shorter amount of
time, I suspect under the theory that ssh attacks are almost random, and
will pass.

>
>> The machine in question acts as a small gateway for one subnet behind
>> a Smoothwall 3.0 gateway that is the gateway for it and the rest of
>> the network.
>>
>> The machine is a single core AMD 64 3200+ with 2GB of ram running
>> 32-bit Fedora 8.

I suspected it might be okay, but since my desktop is a quad-core with
2GB of ram and 32-bit (Linux Mint on it) I wondered if it would have
enough horse power to keep the iptables rules happy.

Karl

>
> Should have plenty of headroom to do what you want with that.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -            The gene pool could use a little chlorine.              -
> ----------------------------------------------------------------------
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>


---
      _/  _/      _/      _/_/_/       ____________   __o
     _/ _/       _/      _/    _/     ____________  _-\\<._
    _/_/        _/      _/_/_/                     (_)/ (_)
   _/ _/       _/      _/           ......................
  _/   _/ arl _/_/_/  _/ earson    KarlP at ourldsfamily.com
---
http://consulting.ourldsfamily.com
---
"To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it."
---
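The thread asks three practical things: how many DROP rules a box can carry, how to put blacklisted /8 networks in "the first rule" of INPUT, and DROP versus REJECT. The script below is an added example written for this page, not code from either poster. It builds an iptables-restore fragment that keeps every blacklist entry in its own user-defined chain (the chain name BLACKLIST, the sample address list and the helper names are my own choices), so a blacklisted source is matched by one jump from INPUT plus a scan of that chain, whatever else INPUT contains. It also counts the rules a list would install, which turns "is this too many?" into a number you can watch, and it lets you pick DROP (send nothing back) or REJECT (answer with an ICMP admin-prohibited message) for the whole list in one place.

```shell
#!/bin/sh
# Added example, not from the original thread.  Generates an
# iptables-restore fragment holding a blacklist in its own chain.

# Constructed sample blacklist: one /8, two RFC 5737 documentation
# ranges (one duplicated) and a junk line to show the sanity check.
SAMPLE_BLACKLIST='10.0.0.0/8
198.51.100.7/32
203.0.113.0/24
203.0.113.0/24
not-an-address'

# Print the BLACKLIST chain in iptables-restore syntax.
#   $1 = newline-separated CIDR list
#   $2 = DROP (default) or REJECT
# Duplicates are collapsed and entries that are not plain dotted
# digits with an optional /prefix are skipped with a warning.
gen_blacklist_chain() {
    action=${2:-DROP}
    case "$action" in
        DROP)   target='DROP' ;;
        REJECT) target='REJECT --reject-with icmp-admin-prohibited' ;;
        *) echo "gen_blacklist_chain: action must be DROP or REJECT" >&2
           return 1 ;;
    esac
    printf '*filter\n:BLACKLIST - [0:0]\n'
    printf '%s\n' "$1" | sort -u | while IFS= read -r cidr; do
        case "$cidr" in
            '') continue ;;
            *[!0-9./]*) echo "skipping malformed entry: $cidr" >&2
                        continue ;;
        esac
        printf -- '-A BLACKLIST -s %s -j %s\n' "$cidr" "$target"
    done
    # Fall through to the rest of INPUT for everything not listed.
    printf -- '-A BLACKLIST -j RETURN\nCOMMIT\n'
}

# Number of source-match rules a generated fragment would install.
count_rules() {
    printf '%s\n' "$1" | grep -c -- '^-A BLACKLIST -s '
}

# Usage when run directly: write the fragment and report its size.
if [ "${0##*/}" = "blacklist-gen.sh" ]; then
    frag=$(gen_blacklist_chain "$SAMPLE_BLACKLIST" DROP)
    printf '%s\n' "$frag" > /tmp/blacklist.rules
    echo "wrote $(count_rules "$frag") blacklist rules to /tmp/blacklist.rules" >&2
fi
```

Hook the chain once from the top of INPUT with `iptables -I INPUT 1 -j BLACKLIST`, then load or refresh the list with `iptables-restore -n < /tmp/blacklist.rules`; with `-n` (noflush) iptables-restore leaves your other chains alone and only flushes and refills the user chain named in the fragment. A /8 costs one rule no matter how many hosts it covers, so a handful of network entries at the top is cheap; the per-packet cost of the chain grows linearly with the number of individual /32 entries from tools like fail2ban, so watch the count as those accumulate.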