[Server-devel] Question on number of iptables rules
Anna
aschoolf at gmail.com
Tue Feb 1 20:28:56 EST 2011
My test XS at home has a FQDN and is open to the outside. Therefore this is
probably a pretty rare issue in XS land, but I thought I'd ask.
I noticed my "ambient" rx/tx traffic on eth0 had gone from really low (like
0.1 to 0.7 kB/s) to hovering between 5-20 kB/s. I went through httpd's
access_log and error_log and blocked a bunch of IPs that looked kinda
sketchy. Chinese and Russian search engine bots, script kiddies looking for
phpmyadmin, that kinda stuff.
Of course, I do have robots.txt disallowing all user agents, but we know
that's not always respected.
Then I thought, rather than play whack-a-mole with individual IPs, I'll just
block China and Russia altogether. However, that brings up another
question. Between China:
http://www.wizcrafts.net/chinese-iptables-blocklist.html and Russia:
http://www.wizcrafts.net/russian-iptables-blocklist.html that's a ton of IP
addresses.
Getting them into /etc/sysconfig/olpc-scripts/iptables-xs is easy enough. I
pasted the IP data into a file named banned_ips.txt and ran this little
script:
#!/bin/bash
# one DROP rule per entry; $(< file) word-splits on whitespace, so one entry per word
for i in $(< banned_ips.txt); do
iptables -A INPUT -s "$i" -j DROP
done
I didn't mess with iptables-xs.in, as I figured I might need to update
and/or straighten stuff out and a simple IP list is a lot easier to
manipulate. Of course, restarting iptables reloads iptables-xs.in and the
block list is gone from iptables-xs. No big deal, as the above script just
takes a couple seconds to run and they're back in there.
Here's my question - is the XS networking going to get wonky with 894 extra
iptables rules? I know every incoming connection has to be checked against
it, so what's the max count of rules that's a good idea? And is there a
better way to handle this?
Anna Schoolfield
Birmingham
P.S. After blocking all these IPs, my ambient traffic has gone back down to
normal.