[ale] Easy way to add and delete iptables rules

Alex Carver agcarver+ale at acarver.net
Tue Aug 30 00:43:23 EDT 2016


On 2016-08-29 18:12, Chris Fowler wrote:
> 
> 
> --------------------------------------------------------------------------------
> 
>     *From: *"James Sumners" <james.sumners at gmail.com>
>     *To: *"Atlanta Linux Enthusiasts" <ale at ale.org>
>     *Sent: *Friday, August 26, 2016 10:01:57 AM
>     *Subject: *Re: [ale] Easy way to add and delete iptables rules
> 
> 
>     On Fri, Aug 26, 2016 at 9:56 AM, Chris Fowler <cfowler at outpostsentinel.com
>     <mailto:cfowler at outpostsentinel.com>> wrote:
> 
> 
>         My hope was that I can simply create a table for each kid and just add
>         and delete with ease.  If I need to list line numbers, parse it out, and
>         do it that way I can do that too.  I hesitate because I'm not sure that
way is the "best practice".
> 
> 
>     Use `ipset` like Alex Carver suggested. It's spiffy --
>     http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset
> 
> 
> Yea,  new stuff.  Did not know about it.
> 

Works well.  Because it's a hash table, lookups on it are very fast.  I
use it on my mail server to block out spammy domains.  There's only one
rule in iptables to match on an ipset and the ipset takes care of the
actual lookups.  Before ipset I had an iptables rule per domain and the
firewall throughput wasn't quite as good (hundreds of rules).  Stripping
them all out and dropping them into an ipset hash table took out the
bottleneck.
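A concrete version of the one-rule-plus-ipset setup described above, added here as an example; it is not code posted by anyone in the thread. The set name spam_blocklist, the INPUT chain, the hash:net set type and the RFC 5737 sample addresses are assumptions. The script only builds the `ipset restore` input and prints the iptables command unless APPLY=1 is set and it runs as root, so it can be read and dry-run without touching a live firewall.

```shell
#!/bin/sh
# Added example for this thread, not code from any list member.
# Assumed: set name "spam_blocklist", chain "INPUT", hash:net type, and the
# constructed documentation addresses below. Nothing touches the live
# firewall unless APPLY=1 is set and the script runs as root.

SET_NAME="${SET_NAME:-spam_blocklist}"
CHAIN="${CHAIN:-INPUT}"

# Constructed sample entries; hash:net accepts both single hosts and CIDRs.
SAMPLE_ENTRIES="192.0.2.10
# comment lines are skipped
198.51.100.0/24
203.0.113.7"

# Read entries on stdin and emit an `ipset restore` script: one create line
# for the set, then one add line per entry. `-exist` keeps re-runs idempotent.
build_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 -exist\n' "$set_name"
    while IFS= read -r entry; do
        case "$entry" in
            ''|'#'*) continue ;;
        esac
        printf 'add %s %s -exist\n' "$set_name" "$entry"
    done
}

# The single iptables match that replaces one rule per address. The kernel
# does a hash lookup in the set, so the rule count stays constant.
# Usage: iptables_match_args SET CHAIN
iptables_match_args() {
    printf '%s -m set --match-set %s src -j DROP' "$2" "$1"
}

# Insert the rule only if it is not already present (-C checks for it).
ensure_rule() {
    # shellcheck disable=SC2046
    iptables -C $(iptables_match_args "$1" "$2") 2>/dev/null \
        || iptables -I $(iptables_match_args "$1" "$2")
}

# Atomically replace the live set: load stdin entries into a scratch set,
# swap it with the set iptables references, then destroy the scratch set.
# A set referenced by a rule cannot be destroyed, and swap avoids a window
# in which the blocklist is empty.
reload_set() {
    set_name="$1"
    scratch="${set_name}_new"
    build_ipset_restore "$scratch" | ipset restore
    ipset create "$set_name" hash:net family inet hashsize 1024 maxelem 65536 -exist
    ipset swap "$scratch" "$set_name"
    ipset destroy "$scratch"
}

# Day-to-day changes never touch iptables at all:
#   ipset add  spam_blocklist 203.0.113.99
#   ipset del  spam_blocklist 203.0.113.99
#   ipset test spam_blocklist 203.0.113.99

if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_ENTRIES" | reload_set "$SET_NAME"
    ensure_rule "$SET_NAME" "$CHAIN"
else
    # Dry run: show what would be fed to `ipset restore` and the one rule.
    printf '%s\n' "$SAMPLE_ENTRIES" | build_ipset_restore "$SET_NAME"
    printf 'iptables -I %s\n' "$(iptables_match_args "$SET_NAME" "$CHAIN")"
fi
```

Two caveats worth knowing: set contents are kernel state and are not saved across a reboot, so persist them with `ipset save` and restore them at boot, and the set must already exist when an iptables rule referencing it is loaded, so restore the ipset before the iptables ruleset.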


