On Sat, Sep 06, 2003 at 08:30:30PM -0700, Gordon Messmer wrote:
> Res wrote:
> >On Wed, 3 Sep 2003, David Hart wrote:
> >
> >>I've about had it with attacks to our web server emanating from certain
> >>geographical areas. This is not a display of Xenophobia. I have never
> >>really used IPT.
> >>
> >>It takes about 4,000 lines for Korea and China alone and that's with
> >>CIDR formatting.
> >
> >You could shrink it a bit...
> >
> 
> In addition to shrinking the list by using larger networks, you can 
> optimize your IPTables setup by testing more specific packets.
> 
> For instance, if you only want to block connections to apache from those 
> networks, create a new chain and only jump there on packets that 
> initiate a connection to apache.  example:
> 
> # Create a chain which will filter out unwanted networks
> iptables -N DROP-ATTACKERS
> # Populate the chain with rules which will drop packets from
> # the unwanted networks
> iptables -A DROP-ATTACKERS -s 202.80.0.0/12 -j DROP
> iptables -A DROP-ATTACKERS -s 202.96.0.0/11 -j DROP
> # etc...
> # Create a rule in the input chain that will check incoming
> # connections to apache against the rules in the new chain
> iptables -A INPUT -p tcp --dport 80 --syn -j DROP-ATTACKERS
> 
> Now, an incoming syn packet destined for port 80 will run through the 
> costly iptables check for unwanted source networks.  All other traffic 
> will pass through the very short INPUT chain with minimal processing. 
> This is a very effective optimization, especially when you plan to 
> include a lot of filter rules.
> 
> Also, because you have your unwanted networks in an existing chain, you 
> can later choose to filter other network ports using the same list of 
> unwanted source networks.

Yay, Gordon. I'm glad somebody brought user-defined chains into this
thread. They really are the best way to stop packet traversal of huge
firewall sets in iptables. If web hits are your main problem, put the 
user-defined chain near the front of your firewall rules so the packets
get dropped early.

-- 
Jack Bowling
mailto: [EMAIL PROTECTED]


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
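The two points raised in this thread, shrinking the network list and keeping it in a user-defined chain that only SYNs to port 80 are sent through, combined into a small rule generator. This is an added example, not code from either poster; the network list is constructed for illustration and the `-I INPUT 1` placement follows the suggestion to put the chain near the front of the rules.

```python
"""Generate an iptables ruleset that blocks port-80 SYNs from a CIDR list.

Constructed example: the network list below is made up for illustration
(the two prefixes from the quoted post plus adjacent and nested ones that
collapse into a single larger prefix).
"""
import ipaddress

# Constructed sample list; real per-country lists run to thousands of entries.
SAMPLE_NETWORKS = [
    "202.80.0.0/12",
    "202.96.0.0/11",
    "210.0.0.0/15",   # these two are adjacent ...
    "210.2.0.0/15",   # ... and collapse into 210.0.0.0/14
    "210.1.0.0/16",   # already inside 210.0.0.0/15, so it is dropped
]


def collapse(cidrs):
    """Merge adjacent and nested prefixes so the chain needs fewer rules."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_ruleset(cidrs, chain="DROP-ATTACKERS", port=80):
    """Return iptables command lines as a list of strings.

    A user-defined chain holds one DROP rule per (collapsed) network, and a
    single INPUT rule jumps into it only for TCP SYNs to `port`, so packets
    of established flows and other services never traverse the long list.
    The jump is inserted at position 1 so unwanted SYNs are dropped early.
    """
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j DROP" for net in collapse(cidrs)]
    rules.append(f"iptables -I INPUT 1 -p tcp --dport {port} --syn -j {chain}")
    return rules


if __name__ == "__main__":
    print("\n".join(build_ruleset(SAMPLE_NETWORKS)))
```

Pipe the output into a shell to load it; re-running `collapse()` on a refreshed list keeps the chain as short as the data allows. On current kernels an `ipset` hash:net set looked up by one rule avoids the linear walk entirely, but the chain layout above is the portable version.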