>> > I need to keep out all connections from 5 countries, which originate
>> > most of the Denial of Service attacks. The entries are around 9000 if
>> > used as xx.xx.0.0/16. I heard that there is a smarter way to do this
>> > by using User Tables in iptables, that will keep the speed equal to
>> > LOG(x). I already tried using a straight list and it kills the box.
Yeah, it would - running through 9000 separate rules for each packet
would be prohibitive.

>> > Unless a smarter way is found, there is no way to use iptables.

Ideally, what you'd want to do is to somehow "pre-load" one of the
really efficient matching modules in iptables (e.g. a hash table) with
a list of the network numbers in question, and then be able to do a
fast hashed lookup using each incoming packet's upper 16 bits... a hit
in the table would indicate a reject, a miss would mean that the packet
was OK for further inspection and processing.

It looks to me as if there *is* a way to do this, but it may require
adding an iptables/netfilter module that is not part of the standard
distribution. It's called the "set" module. Take a look at
http://ipset.netfilter.org/ and I think you'll like what you see...
it'll do what you want.

Briefly, you'll need to:

- Build this module for your kernel, and load it
- Use the "ipset" command to create an IP-address set, and populate it
  with the 9000 different /16 entries you want to match against. I
  think the "ipmap" type is what you would want, as this can store up
  to 65536 entries and uses a single bit for each same-sized address
  range... lookup time would be constant. "iphash" is another
  possibility.
- Use a single "iptables" rule to match incoming packets against this
  set.

> iptables is just a user-space configuration interface to the Linux
> kernel netfilter. The netfilter uses complex hash tables and other
> data structures to ensure that packet forwarding rules are looked up
> in as close to O(1) as possible, not even LOG(n)--LOG(n) would be way
> too expensive.
>
> Other than conventional Cisco router access lists (notwithstanding
> compiled lists and TurboACL), I don't know of any other packet filter
> in the universe that does not do similarly. No packet filter would
> apply a flat list, not the Linux netfilter, not the BSD packet
> filter, not even Windows. The trick is using the right filtering
> approach.
Doing it the naive way (one separate iptables rule per /16) would
indeed kill the system's performance pretty badly. The right approach,
which will work, is one which can match incoming addresses against a
complex set of yes/no criteria in constant or near-constant time. I
don't believe that the standard "iptables" distribution contains a
module which can do this... but the "ipset" extension module can, and
is probably what the original poster wants.

I may have to play around with this approach myself. Federico, do you
mind if I ask which countries you're blocking, and which source you
used to locate the /16 blocks in question?

--
asterisk-users mailing list
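The three steps sketched in the reply above (create a set, bulk-load the
prefixes, hook it in with one iptables rule), as an added worked example
that is not part of the thread and not the poster's own commands. The
thread names the ipset v4 set types "ipmap" and "iphash"; this script
assumes the later ipset 6 / xt_set interface instead, i.e. the `hash:net`
set type and `-m set --match-set`, and it assumes a set name of
`blocked_nets`. The prefix list embedded below is constructed sample data
(RFC 1918 and documentation space), not any country's allocation. It
builds an `ipset restore` script from a raw prefix list, counts what
would be loaded so you can sanity-check it against your 9000 expected
entries, and only touches the kernel if run as root with ipset and
iptables installed.

```shell
#!/bin/sh
# Added example: turn a flat list of CIDR prefixes into a single ipset
# and a single iptables rule, instead of one iptables rule per /16.
# Assumptions: ipset 6.x ("hash:net" type, "-exist" option, "ipset restore")
# and iptables with the xt_set match ("-m set --match-set").
set -eu

SETNAME="${SETNAME:-blocked_nets}"   # assumed set name

# Constructed sample input: duplicates and a junk line are included on
# purpose so the filter step has something to clean up.
SAMPLE_NETS='10.1.0.0/16
10.2.0.0/16
10.1.0.0/16
192.0.2.0/24
not-a-prefix
'

# Keep only well-formed dotted-quad CIDR prefixes, deduplicated, so a
# stray line in the source list cannot abort "ipset restore" halfway.
filter_cidrs() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' | sort -u
}

# Emit an "ipset restore" script on stdout: one "create" line for a
# hash:net set (longest-prefix lookup in the kernel), then one "add" per
# prefix. hashsize/maxelem are sized for a list of ~9000 /16 entries.
build_ipset_restore() {
    name="$1"
    printf 'create %s hash:net family inet hashsize 16384 maxelem 65536\n' "$name"
    filter_cidrs | while IFS= read -r net; do
        printf 'add %s %s\n' "$name" "$net"
    done
}

# Number of entries a restore script would add; compare this with the
# size of the list you expected to load before pushing it into the kernel.
count_adds() {
    grep -c '^add ' || true
}

# Load the set atomically with "ipset restore" and install exactly one
# DROP rule at the top of INPUT (only if not already present). Falls back
# to printing the restore script when not root or the tools are missing.
apply_blocklist() {
    name="$1"
    script="$(printf '%s' "$SAMPLE_NETS" | build_ipset_restore "$name")"
    if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null 2>&1 \
        && command -v iptables >/dev/null 2>&1; then
        # -exist: do not fail if the set or an entry is already there.
        printf '%s\n' "$script" | ipset -exist restore
        iptables -C INPUT -m set --match-set "$name" src -j DROP 2>/dev/null \
            || iptables -I INPUT -m set --match-set "$name" src -j DROP
        # Spot-check one address against the set without sending traffic:
        #   ipset test "$name" 10.1.2.3
    else
        printf '%s\n' "$script"
    fi
}
```

Usage: replace `SAMPLE_NETS` with the real prefix list (for example,
`build_ipset_restore blocked_nets < country-prefixes.txt`), check that
`count_adds` reports the number you expected, then run `apply_blocklist
blocked_nets` as root. Per-packet cost is then one hash lookup in the set
plus one rule, regardless of whether the set holds 9 or 9000 prefixes.
On pre-6.x ipset (the version the thread is discussing) the match syntax
is `-m set --set blocked_nets src` and the set types are the `ipmap` /
`iphash` / `nethash` names mentioned above.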