[Server-devel] Question on number of iptables rules
Jerry Vonau
jvonau at shaw.ca
Wed Feb 2 12:37:55 EST 2011
On Wed, 2011-02-02 at 08:24 -0700, Martin Langhoff wrote:
> On Tue, Feb 1, 2011 at 6:28 PM, Anna <aschoolf at gmail.com> wrote:
> > My test XS at home has a FQDN and is open to the outside. Therefore this is
> > probably a pretty rare issue in XS land, but I thought I'd ask.
>
> In general, I'd keep it closed. It's not designed as a full internet server.
>
> > Getting them into /etc/sysconfig/olpc-scripts/iptables-xs is easy enough. I
> > pasted the IP data into a file named banned_ips.txt and ran this little
> > script:
> >
> > #!/bin/bash
> > for i in $(< banned_ips.txt); do
> > iptables -A INPUT -s "$i" -j DROP
> > done
>
> You could do the same from the init script even.
>
> > Here's my question - is the XS networking going to get wonky with 894 extra
> > iptables rules?
>
> Short answer - no.
>
> Slightly longer: no, but if the list grows and starts to cost you in
> network perf, might be worth looking at ipset
> http://www.netfilter.org/projects/ipset/index.html
>
> cheers,
Not easy with Fedora; you need to patch the kernel and iptables to get
ipsets. https://bugzilla.redhat.com/show_bug.cgi?id=196234
Jerry
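As an added example (not code from Anna, Martin, Jerry or the XS project), the script below turns a banned_ips.txt like Anna's into an iptables-restore fragment, so the whole list loads in one atomic call rather than 894 separate iptables invocations, and also into the ipset form Martin points at: one hash:net set plus a single INPUT rule that consults it, so a packet is checked with a hash lookup instead of a walk down the chain. The set name "banned", the ipset 6 restore syntax, the output file names and the sample addresses are assumptions; the chain (INPUT) and the DROP target follow Anna's script.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes: ipset 6 restore syntax,
# set name "banned", iptables-restore available. Chain and target follow
# the script quoted above (-A INPUT -s <ip> -j DROP).

# Keep only plausible IPv4 addresses or CIDR prefixes; drop blank lines
# and '#' comments so banned_ips.txt can carry notes about each entry.
clean_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# One DROP rule per address, in iptables-restore format. Load with
# "iptables-restore -n < file" (-n keeps rules already in other chains).
gen_iptables_rules() {
    printf '%s\n' '*filter'
    clean_list "$1" | while IFS= read -r ip; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# ipset variant: every address goes into one hash:net set (CIDR entries
# are fine there). Load with "ipset restore < file"; -exist makes reloads
# idempotent.
gen_ipset_rules() {
    set_name="${2:-banned}"
    printf '%s\n' "create $set_name hash:net family inet -exist"
    clean_list "$1" | while IFS= read -r ip; do
        printf '%s\n' "add $set_name $ip -exist"
    done
}

# The single iptables rule that replaces the per-address chain: the kernel
# does a hash lookup in the set instead of testing 894 rules in sequence.
gen_ipset_iptables_rule() {
    printf '%s\n' "-A INPUT -m set --match-set ${1:-banned} src -j DROP"
}

# Number of DROP rules a generated fragment would add to INPUT.
count_drop_rules() {
    grep -c -- '-j DROP' "$1"
}

# Demo on a constructed list (documentation-range addresses, not real data).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample banned_ips.txt
192.0.2.10
198.51.100.0/24
not-an-ip
203.0.113.77
EOF
    gen_iptables_rules "$tmp" > "$tmp.iptables"
    gen_ipset_rules "$tmp" banned > "$tmp.ipset"
    printf 'per-address rules in INPUT: %s\n' "$(count_drop_rules "$tmp.iptables")"
    printf 'ipset members:              %s\n' "$(grep -c '^add ' "$tmp.ipset")"
    printf 'rules in INPUT with ipset:  %s\n' "$(gen_ipset_iptables_rule banned | grep -c -- '-j DROP')"
    rm -f "$tmp" "$tmp.iptables" "$tmp.ipset"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh banlist.sh demo` to see the counts; in either form the list should be loaded from the init script in one restore call, as Martin suggests, rather than one iptables call per line. The ipset path is what the thread flags as unavailable on stock Fedora of the day without patching, so the plain iptables-restore output is the fallback that works there.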