--- Frank Wiles wrote:
I have about half of the addresses blocked, but what is the impact of adding 150 ip addresses to iptables with potentially hundreds more over time? At what point will iptables eat up all my bandwidth in blocking addresses?
Thanks everyone for the suggestions.
Brian D.
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
On Sun, 1 May 2005, Jack wrote:
Well, iptables doesn't really eat up your bandwidth - the guys trying to connect to your box is what is wasting the bandwidth. The worst iptables can do is eat up processor cycles filtering connections to your box. I have seen machines with hundreds of iptables rules that operate with no issues at all. It works in the kernel space so it can be very efficient.
You probably do not want to permanently deny any address. I believe you can use an automated daemon like portsentry to dynamically add addresses to iptables and after a period of time have that address removed.
//========================================================\ || D. Hageman dhageman@dracken.com || \========================================================//
On Sun, 1 May 2005 20:27:02 -0700 (PDT) Jack quiet_celt@yahoo.com wrote:
Just to add to what Dave said...
I have a production server that is fairly low end hardware that currently has 2952 iptables rules that block individual IPs, several /24 networks, and a handful of /16s. There is no noticeble impact on the box.
--------------------------------- Frank Wiles frank@wiles.org http://www.wiles.org ---------------------------------