
Re: [off-topic] iptables and blocklist



On Fri, Dec 26, 2008 at 03:27:31PM -0500, Bharath Ramesh wrote:
> I am running Debian amd64 and wondering what would be needed to integrate a
> block list with iptables. I am thinking of using block lists similar to
> this http://list.iblocklist.com/?list=bt_spyware. When I tried importing
> one such block list after parsing it with the script listed below I get
> the following error "iptables: memory allocation problem"
>
> BLOCKLIST="/etc/blocklist.gz"
> IPTABLES="/sbin/iptables"
> SED="/bin/sed"
>
> # Each list line looks like "name:first-last"; keep only the "first-last" part.
> while read -r line
> do
>        ip_range=`echo -n "$line" | $SED -e 's/.*:\(.*\)-\(.*\)/\1-\2/'`
>        $IPTABLES --append INPUT --match iprange --src-range "$ip_range" --jump DROP
>        $IPTABLES --append OUTPUT --match iprange --dst-range "$ip_range" --jump DROP
> done < <(zcat "${BLOCKLIST}" | iconv -f latin1 -t utf-8 - | dos2unix)

How big is the list? And why not use network addresses instead of
ranges?

-s 192.168.0.0/24 instead of --dst-range 192.168.0.1-192.168.0.255

> I feel that this is because of the large number of rules that are being
> created. My question would be what would be a good way to block a large
> number of IP ranges with iptables.
>
> Thanks,
>
> Bharath

-- 
The old shaman said carefully, "You didn't just see two men go through
upside down on a broomstick, shouting and screaming at each other, did
you?" The boy looked at him levelly. "Certainly not," he said. The old man
heaved a sigh of relief. "Thank goodness for that," he said. "Neither did I."
        -- Rincewind and Twoflower take up broomstick flying
           (Terry Pratchett, The Light Fantastic)
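As an added example (not code from either poster), the conversion the reply suggests: read the "name:first-last" lines of such a list, turn each range into the minimal set of CIDR networks, merge duplicates and overlaps, and emit one -s / -d DROP rule per network instead of one iprange rule per list entry. The sample list entries are constructed for the example; the rule text is only printed, not applied.

```python
import ipaddress

# Constructed sample in the "name:first-last" layout of the quoted list
# (addresses are documentation ranges, not real list entries).
SAMPLE_LIST = """\
Example Corp:192.0.2.0-192.0.2.255
Example Net:198.51.100.17-198.51.100.40
Duplicate entry:192.0.2.0-192.0.2.255
"""


def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs; malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        _, _, span = line.rpartition(":")  # rpartition tolerates ':' in the name
        try:
            start, end = span.split("-", 1)
            first = ipaddress.IPv4Address(start.strip())
            last = ipaddress.IPv4Address(end.strip())
        except ValueError:
            continue
        if last < first:
            first, last = last, first
        yield first, last


def ranges_to_cidrs(text):
    """Collapse all ranges into a sorted, non-overlapping list of CIDR networks."""
    nets = []
    for first, last in parse_ranges(text):
        # summarize_address_range gives the fewest prefixes that exactly cover the range
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(text, iptables="/sbin/iptables"):
    """Render INPUT (-s) and OUTPUT (-d) DROP rules, one pair per CIDR network."""
    rules = []
    for net in ranges_to_cidrs(text):
        rules.append(f"{iptables} -A INPUT -s {net} -j DROP")
        rules.append(f"{iptables} -A OUTPUT -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(SAMPLE_LIST):
        print(rule)
```

A range whose endpoints are not aligned to a prefix boundary (198.51.100.17-40 above) still expands to several networks, so the rule count drops only as far as the list's ranges allow.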
