Re: Optimizing Kernel for huge iptables ruleset
On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> Two iptables rulesets:
> The first 'normal' ruleset is pretty restrictive against connections from
> the outside, more or less open towards connections opened from the LAN.
> The second ruleset inserted after the first is a huge IP blacklist
> (1.4MB iptables script!) that takes nearly half an hour to be inserted
> into the running ruleset.
There has to be a better way to do this, however -
Make sure your list's rules are only checking against SYN packets.
Allow non-SYN before your list checking chain.
This way only new connections will be compared against your massive list,
not every packet.
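The ordering the reply describes, written out as an added example (not the poster's own script): a POSIX shell function that emits an iptables-restore ruleset in which packets of already-accepted connections are accepted first, only TCP SYN packets are sent to the blacklist chain, and the blacklist itself is one DROP rule per line of a text file. The chain name BLACKLIST, the external interface eth0, and the one-address-or-CIDR-per-line file format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates an iptables-restore
# ruleset so that only new TCP connection attempts (SYN) are matched against a
# large IP blacklist; everything belonging to an existing connection is
# accepted before the blacklist chain is ever consulted.
# Assumed names: chain BLACKLIST, external interface eth0, blacklist file with
# one IP address or CIDR network per line ('#' comments and blank lines ignored).

gen_ruleset() {
  blacklist="$1"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' ':BLACKLIST - [0:0]'
  # Packets of connections that were already allowed never reach BLACKLIST,
  # so the big list is not walked for every packet of a live connection.
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # --syn matches SYN set with ACK/RST/FIN clear, i.e. a new connection
  # attempt; only those packets from the outside interface are compared
  # against the blacklist.
  printf '%s\n' '-A INPUT -i eth0 -p tcp --syn -j BLACKLIST'
  printf '%s\n' '-A FORWARD -i eth0 -p tcp --syn -j BLACKLIST'
  # One DROP rule per blacklisted source address or network.
  grep -v '^#' "$blacklist" | grep -v '^[[:space:]]*$' | while read -r net; do
    printf '%s\n' "-A BLACKLIST -s $net -j DROP"
  done
  printf '%s\n' 'COMMIT'
}

# Usage: ./gen_ruleset.sh blacklist.txt | iptables-restore
if [ -n "$1" ]; then
  gen_ruleset "$1"
fi
```

Feeding the output to iptables-restore loads the whole table in one operation instead of invoking the iptables command once per blacklist entry, which is itself a large part of the load time for a list this size; the SYN-only ordering then keeps the per-packet cost down once the rules are in place.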