On Fri, Dec 26, 2008 at 03:27:31PM -0500, Bharath Ramesh wrote:
> I am running debian amd64 and wondering what would be to integrate a
> block list and iptables. I am thinking of using block lists similar to
> this http://list.iblocklist.com/?list=bt_spyware. When I tried importing
> one such block list after parsing it with the script listed below I get
> the following error "iptables: memory allocation problem"
>
> BLOCKLIST="/etc/blocklist.gz"
> IPTABLES="/sbin/iptables"
> SED="/bin/sed"
>
> while IFS= read -r line
> do
>     ip_range=`echo -n "$line" | $SED -e 's/.*:\(.*\)-\(.*\)/\1-\2/'`;
>     $IPTABLES --append INPUT --match iprange --src-range "$ip_range" --jump DROP
>     $IPTABLES --append OUTPUT --match iprange --dst-range "$ip_range" --jump DROP
> done < <(zcat ${BLOCKLIST} | iconv -f latin1 -t utf-8 - | dos2unix)

How big is the list? And why not use network addresses instead of ranges?

-s 192.168.0.0/24 instead of --dst-range 192.168.0.1-192.168.0.255

> I feel that this is because of the large number of rules that are being
> created. My question would be what would be a good way to block a large
> number of IP ranges with iptables.
>
> Thanks,
>
> Bharath

--
The old shaman said carefully, "You didn't just see two men go through
upside down on a broomstick, shouting and screaming at each other, did
you?" The boy looked at him levelly. "Certainly not," he said. The old
man heaved a sigh of relief. "Thank goodness for that," he said.
"Neither did I."
-- Rincewind and Twoflower take up broomstick flying
(Terry Pratchett, The Light Fantastic)
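The reply's suggestion of network addresses, carried one step further as an added example (not code from either poster): a shell function that splits a start-end range into the minimal set of CIDR prefixes, and a wrapper that turns a "Name:start-end" blocklist into an `ipset restore` script, so that a single iptables rule matches the whole set instead of one rule per range. The set name, the hash:net sizing and the sample line are assumptions.

```shell
#!/bin/sh
# Added example: convert "start-end" ranges to CIDR prefixes and load them
# into an ipset set, so iptables needs one rule for the whole list instead
# of one rule (and one kernel allocation) per range.

ip2int() {  # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal list of CIDR prefixes covering start..end (inclusive).
range_to_cidrs() {
    local start end bits size
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        bits=32
        # Widen the prefix while the larger block stays aligned to start
        # and does not run past end.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

# Read "Name:start-end" lines (the iblocklist layout, CRLF tolerated) on
# stdin and emit an `ipset restore` script for a hash:net set named $1.
blocklist_to_ipset() {
    local setname=$1 line range cidr
    echo "create $setname hash:net family inet hashsize 65536 maxelem 262144"
    while IFS= read -r line; do
        line=${line%"$(printf '\r')"}   # strip CR from DOS line endings
        case $line in ''|'#'*) continue ;; esac
        range=${line##*:}                # text after the last colon
        range_to_cidrs "${range%-*}" "${range#*-}" | while IFS= read -r cidr; do
            echo "add $setname $cidr"
        done
    done
}
```

Load it with `zcat /etc/blocklist.gz | iconv -f latin1 -t utf-8 - | blocklist_to_ipset blocklist | ipset -exist restore`, then match the set once with `iptables -A INPUT -m set --match-set blocklist src -j DROP` (and the `dst` counterpart on OUTPUT).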