Ah, you solved your problem while I was writing my reply below. I'll leave it for posterity.
15,000 rules would almost certainly impose some performance hit; the most rules I have on any machine I manage is about 900. They're on a dual-Xeon box though and have minimal effect. That said, iptables seems remarkably efficient for what it does with every packet entering or leaving the machine. Empirical research makes the most sense here. Impose the rules for a day or two and see if you can detect any difference.
Originally Posted by sandyd:
It will, likely - iptables will have to look through all of those addresses each time a connection is incoming into the computer.
That's a good point. I'm usually running publicly-visible servers, so I'm generally concerned about managing inbound traffic. On a firewall handling requests from LAN users, those 15,000 rules need not be consulted very often if you are careful about how you order your rules.
Rules that block inbound traffic should generally come after rules that exempt obviously permitted traffic like that originating on the LAN or sent in reply to requests from LAN users like web pages. I usually make sure to place the rule
Code:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
right after the initial rule permitting the localhost interface. That ensures that no time is wasted scanning the reply traffic with other rules. Right after that should be any rules that permit traffic from known hosts or addresses like the internal network. Only then should you add the rules that pertain to inbound traffic.
Original response:
I take it you're running the script called "ban" in the thread you referenced? Let's try a simpler approach first:
Code:
#!/bin/bash
# Read one address per line from the ban list and insert a REJECT rule for each.
BAN_LIST=/path/to/list.txt
for addr in $(cat "$BAN_LIST")
do
    echo "Blocking $addr"
    /sbin/iptables -I INPUT -i eth0 -s "$addr" -j REJECT
done
All this does is read every line in list.txt and insert (-I) a blocking rule in iptables at the top of the ruleset. This will place these rules ahead of any other rules you may already have that apply to the INPUT chain. It will also report each address before it inserts the rule. Create a file with these commands, mark it executable ("chmod a+x /path/to/program_file"), then run it. (Use "./program_file" if you are currently in the same directory as the program script.) What happens?
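As an added example (not part of the reply above or of the "ban" script from the referenced thread), here is a shell script that combines the two points made in the post: the recommended rule order (loopback, then ESTABLISHED,RELATED, then the trusted LAN, and only then the block list) and the loading of a ban list. Rather than calling iptables once per address, it prints the whole chain in iptables-restore format so the order can be reviewed before anything is loaded, and it appends (-A) rather than inserting (-I), so the bans cannot end up ahead of the reply-traffic rule. The interface eth0, the LAN range 192.168.1.0/24 and the addresses in the sample list are placeholders I constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the thread. Builds an ordered INPUT chain from a
# ban list and prints it in iptables-restore(8) format.
# Assumptions: eth0 is the public interface and 192.168.1.0/24 is the LAN;
# both are placeholders, as is the constructed sample ban list below.

# Constructed sample ban list, one address or CIDR per line. Blank lines and
# '#' comments are ignored; in real use this would be read from a file.
SAMPLE_BAN_LIST='# constructed sample list
198.51.100.7
203.0.113.0/24

192.0.2.55   # trailing comment is stripped too
'

# build_ruleset <interface> <lan-cidr> <ban-list-text>
# Prints a fragment for iptables-restore with rules in the order the post
# recommends: loopback, reply traffic, trusted LAN, then the block list.
build_ruleset() {
    local iface="$1" lan="$2" banlist="$3" addr
    printf '*filter\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -s %s -j ACCEPT\n' "$lan"
    printf '%s\n' "$banlist" | while read -r addr; do
        addr="${addr%%#*}"           # drop anything after a '#'
        set -- $addr                 # word-split to drop stray whitespace
        addr="${1:-}"
        [ -n "$addr" ] || continue   # skip blank and comment-only lines
        printf -- '-A INPUT -i %s -s %s -j REJECT\n' "$iface" "$addr"
    done
    printf 'COMMIT\n'
}

# ban_rule_count <ruleset-text>: number of REJECT rules in the output
ban_rule_count() {
    printf '%s\n' "$1" | grep -c -- '-j REJECT'
}

# line_of <ruleset-text> <fixed-string>: 1-based line of the first match,
# used to check that the rules came out in the intended order
line_of() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "--demo" ]; then
    build_ruleset eth0 192.168.1.0/24 "$SAMPLE_BAN_LIST"
fi
```

Run it with --demo to see the generated chain; once it looks right, the output can be piped into iptables-restore with --noflush so it is appended to the existing tables instead of replacing them. Note that this still gives iptables one rule per banned address to scan linearly, which is the cost sandyd describes; for a list anywhere near 15,000 entries the usual remedy is to put the addresses in an ipset and match the whole set with a single rule.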