[ale] iptables limits?

James P. Kinney III jkinney at localnetsolutions.com
Fri Jun 3 00:39:34 EDT 2005


On Thu, 2005-06-02 at 19:24 -0400, Jim Popovitch wrote:
> On Thu, 2005-06-02 at 19:01 -0400, James P. Kinney III wrote:
> > On Thu, 2005-06-02 at 17:04 -0400, Jim Popovitch wrote:
> > > Are there any known limits to the number of rules in iptables?  I
> > > currently have about 27000+ rules, with no noticeable issues.  What's
> > > the upper limit, if there is any, and what are the limiting factors?
> > 
> > 27000+ !!
> > 
> > You need to get out more and see the big blue room :)
> 
> Let me be a bit clearer... I use a 50+ line script to generate those
> rules.  No way that I am going to write 27000+ lines of 90% the same
> thing.  ;-)

I was just thinking that a nice addition to iptables would be the
ability to pull in an external file of address:ports to allow/block.
Something like:

iptables -I INPUT -s @fileofbadpeopleips -j DROP

and have it resolve that file into a single rule with multiple matches.
A big OR list of addresses.


Hmm. Time to write Rusty.

While I'm at it, I'll put in the request for a -name flag. Having rules
(some at least) named makes modifying that one rule easier.
<run script to update bozo list from apache log>
iptables -D INPUT -name "bozo web list"
iptables -I INPUT -name "bozo web list" -s @bozoweblist -j DROP

Of course, I would also like to see a new target: -j FLOG
It sends the IP address to a userspace app that finds the lat/long of
the moron and sends in a small mob of drunken sailors with an attitude
problem...

> 
> 
> > Ram is the only limit I have seen in the kernel specs on it. For most
> > modern systems that are mostly dedicated to firewalling, the wire speed
> > will always be the limiting factor. The iptables process (barring
> > strange loops that are VERY BAD) is a quite streamlined, multi-threaded
> > process. I do know that performance can suffer if rule ordering is poor
> > and every packet is forced through every table. I get pretty good
> > results with a table for each protocol/port that is allowed that needs
> > further filtering to block out bozos (morons doing ssh scans should get
> > blocked on all ports as they are up to no good)
> 
> Thanks,
> 
> -Jim P.
> 
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
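The two wishes in the message above (a rule that pulls its addresses from a file, and a rule you can address by name) can be approximated today with one dedicated chain per list. The script below is an added example, not from the thread or the iptables project: the chain name (bozo_web_list is invented here) stands in for the rule name, a constructed file of address[/prefix][:port] entries stands in for the @file, and the commands are printed rather than executed so they can be reviewed first. It assumes an iptables recent enough to support -C (rule check).

```shell
#!/bin/sh
# Added example: emulate the "@file" and "-name" ideas from the thread with
# one dedicated chain per list.  The chain name stands in for the rule name,
# and the file is expanded into one DROP rule per entry.  Entry format
# (constructed for this example): "a.b.c.d[/prefix][:tcp-port]", one per
# line; blank lines and '#' comments are ignored.  Commands are printed,
# not run, so the result can be reviewed; pipe the output to sh to apply.

# gen_block_chain CHAIN FILE -> print the iptables commands that rebuild CHAIN.
gen_block_chain() {
    chain=$1; file=$2
    # Create the chain if needed, then flush it so stale entries disappear;
    # this replaces the "-D ... -name" step from the thread.
    echo "iptables -N $chain 2>/dev/null || true"
    echo "iptables -F $chain"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$file" |
    while IFS= read -r entry; do
        addr=${entry%%:*}
        port=${entry#*:}
        [ "$port" = "$entry" ] && port=""
        # The list may come from log scraping, so reject anything that is
        # not dotted-quad[/prefix] instead of passing it on to the shell.
        case $addr in
            ''|*[!0-9./]*) printf 'skipping bad entry: %s\n' "$entry" >&2; continue ;;
        esac
        if [ -n "$port" ]; then
            case $port in
                ''|*[!0-9]*) printf 'skipping bad port: %s\n' "$entry" >&2; continue ;;
            esac
            echo "iptables -A $chain -s $addr -p tcp --dport $port -j DROP"
        else
            echo "iptables -A $chain -s $addr -j DROP"
        fi
    done
    # Hook the chain into INPUT exactly once; -C makes reruns idempotent.
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT -j $chain"
}

# Demo with a constructed list (the chain name is invented for the example).
demo() {
    list=$(mktemp)
    printf '# constructed bozo list\n10.0.0.5\n192.168.1.0/24:22\nbad;entry\n' > "$list"
    gen_block_chain bozo_web_list "$list"
    rm -f "$list"
}
demo
```

Because the whole chain is rebuilt from the file on each run, the "update bozo list from apache log" step becomes regenerate the file, rerun the script, with no need to find and delete the old rule first.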