
Re: loading huge number of rules in iptables (blocklist)



On Wed, 2007-03-21 at 12:09 -0400, H.S. wrote:
> Ron Johnson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 03/21/07 10:52, H.S. wrote:
> >> H.S. wrote:
> >>
> >>> Now, currently, there are around 151,000 ipranges listed in level1.gz
> >>> to block. So the above function's loop goes over these many times
> >>> inserting the rules for each range. And this is taking huge amount of
> >>> time: in over 50 minutes, only around 12% rules have been loaded on my
> >>> router running Etch (Pentium III, 449MHz, 380 MB RAM).
> >>>
> >>> How can I speed this up? Advice?
> >>>
> >>> thanks,
> >>> ->HS
> >>
> >>
> >> Anyone ... ?
> > 
> > That's a whole lotta rules.  I'm not surprised that iptables doesn't
> > scale that well.
> 
> Yes. The experiment shows that this is not going well. I was wondering 
> if there are any alternatives. I currently have around 80,000 rules now 
> inserted, and the process is still continuing more than 17 hours later! 
> However, my internet connection seems to be holding up without any 
> noticeable performance cut so far.

Have you tried to use networks versus individual IPs?

I blocked well over 1.8M IPs this way with IPTABLES.

It is a lot of work to get set up initially, but it works relatively well.

I want you to know, there are a serious number of Chinese, Taiwan,
Korean and other networks where about 50% of spam and probes and
scripted attacks come from. I just defined the "AN" numbers and used
them.
-- 
greg, greg@gregfolkert.net

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup
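What the "networks versus individual IPs" suggestion above amounts to in practice, as an added example that is not part of this thread: collapse the start-end ranges of a level1-style list into the fewest CIDR networks before generating any rules, so the rule count (and the load time) shrinks. The "name:first-last" line layout, the sample entries and the chain/target names are assumptions.

```python
"""Collapse a range-style blocklist into CIDR networks before building iptables rules.
Added example, not from the thread: assumes one "name:first_ip-last_ip" entry per
line (the constructed sample mimics that); chain/target names are placeholders."""
import ipaddress
from typing import Iterable, List

# Constructed sample: two adjacent ranges and an overlapping "Dupe" entry are deliberate.
SAMPLE_BLOCKLIST = """\
Some org:192.0.2.0-192.0.2.255
Other org:198.51.100.0-198.51.100.127
Other org:198.51.100.128-198.51.100.255
Dupe:198.51.100.16-198.51.100.31
Single host:203.0.113.7-203.0.113.7
"""

def parse_range(line: str):
    """Return (first_ip, last_ip) for one entry, or None for blank/malformed lines."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    _name, _, span = line.rpartition(":")  # rpartition: names may contain ':'
    first, sep, last = span.partition("-")
    if not sep:
        return None
    try:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    except ipaddress.AddressValueError:
        return None
    return (lo, hi) if lo <= hi else (hi, lo)

def ranges_to_networks(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR networks covering all ranges: summarize each range
    into aligned blocks, then collapse adjacent/overlapping blocks across entries."""
    blocks = []
    for line in lines:
        parsed = parse_range(line)
        if parsed is not None:
            blocks.extend(ipaddress.summarize_address_range(*parsed))
    return list(ipaddress.collapse_addresses(blocks))

def iptables_rules(networks, chain="BLOCKLIST", target="DROP") -> List[str]:
    """One '-A' rule per collapsed network, as one would pass to iptables."""
    return [f"-A {chain} -s {net.with_prefixlen} -j {target}" for net in networks]

if __name__ == "__main__":
    nets = ranges_to_networks(SAMPLE_BLOCKLIST.splitlines())
    print(f"{len(SAMPLE_BLOCKLIST.splitlines())} entries -> {len(nets)} networks")
    for rule in iptables_rules(nets):
        print(rule)
```

On the sample the five entries collapse to three networks; on a real list the saving depends on how fragmented the ranges are, so compare the counts before deciding whether it is worth the setup effort.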
