[Server-devel] Question on number of iptables rules
Martin Langhoff
martin.langhoff at gmail.com
Wed Feb 2 10:24:54 EST 2011
On Tue, Feb 1, 2011 at 6:28 PM, Anna <aschoolf at gmail.com> wrote:
> My test XS at home has a FQDN and is open to the outside. Therefore this is
> probably a pretty rare issue in XS land, but I thought I'd ask.
In general, I'd keep it closed. It's not designed as a full internet server.
> Getting them into /etc/sysconfig/olpc-scripts/iptables-xs is easy enough. I
> pasted the IP data into a file named banned_ips.txt and ran this little
> script:
>
> #!/bin/bash
> for i in $(< banned_ips.txt); do
> iptables -A INPUT -s "$i" -j DROP
> done
You could do the same from the init script even.
> Here's my question - is the XS networking going to get wonky with 894 extra
> iptables rules?
Short answer - no.
Slightly longer: no, but if the list grows and starts to cost you in
network perf, it might be worth looking at ipset:
http://www.netfilter.org/projects/ipset/index.html
cheers,
m
--
martin.langhoff at gmail.com
martin at laptop.org -- Software Architect - OLPC
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
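As an added illustration of the ipset route Martin points at (this is not code from the thread or from the OLPC XS scripts): the script below turns a banned_ips.txt-style list into an `ipset restore` script, so the firewall carries one `-m set` rule instead of one DROP rule per address, and the set can be reloaded without touching the rest of the chain. The set name `banned_ips`, the file layout (one IPv4 address or CIDR block per line, `#` comments), and the `--dry-run`/`--apply` switches are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build an `ipset restore` script from a banned_ips.txt-style
# list so the XS firewall needs one iptables rule instead of one per address.
# Not part of the original thread or the OLPC XS scripts. Assumed: the set
# name below and a file with one IPv4 address or CIDR per line, '#' comments.

SET_NAME=${SET_NAME:-banned_ips}

# valid_cidr ADDR: succeed only for a dotted-quad IPv4 address, optionally
# with a /0-32 prefix. Anything else would make `ipset restore` abort and
# leave the set half-loaded, so bad lines are filtered out before loading.
valid_cidr() {
    addr=$1
    case "$addr" in
        */*) ip=${addr%/*}; prefix=${addr#*/} ;;
        *)   ip=$addr; prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore FILE: print an ipset restore script on stdout. Comments,
# blank lines and duplicates are dropped (a repeated "add" would otherwise
# abort the restore); malformed entries are reported on stderr and skipped.
build_restore() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')     # and whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1" | sort -u | while IFS= read -r entry; do
        printf 'add %s %s\n' "$SET_NAME" "$entry"
    done
}

# apply_set FILE: load (or reload) the set and install a single DROP rule
# matching it. Needs root plus ipset and iptables on the XS. `iptables -C`
# (check whether the rule exists) needs iptables >= 1.4.11; on an older
# build drop the check and insert the rule once from the init script.
apply_set() {
    build_restore "$1" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Usage:  ./banned_ipset.sh --dry-run banned_ips.txt   (print the restore script)
#         ./banned_ipset.sh --apply   banned_ips.txt   (load it and add the rule, as root)
case "${1:-}" in
    --dry-run) build_restore "${2:-banned_ips.txt}" ;;
    --apply)   apply_set "${2:-banned_ips.txt}" ;;
esac
```

Lookups in a `hash:net` set are hash-based, so the cost of the rule does not grow with the number of banned addresses the way a linear chain of 894 DROP rules does, and updating the list is a matter of re-running `--apply`: the `-exist` flag lets the create and add lines succeed against a set that is already loaded.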