Re: loading huge number of rules in iptables (blocklist)

2007-04-04 Thread Michelle Konzack
On 2007-03-20 19:07:01, H.S. wrote: function FuncBlockedIPsRules { echo Making rules for Blocked IPs traffic; while read Line; do #get the ip address range from the file IpRange=`echo -n $Line | sed -e 's/.*:\(.*\)-\(.*\)/\1-\2/'`; #drop the traffic from this port range

Re: loading huge number of rules in iptables (blocklist)

2007-03-23 Thread Andy Smith
On Tue, Mar 20, 2007 at 07:07:01PM -0400, H.S. wrote: I am playing round with the blocklist file obtained from peerguardian (level1.gz). I have written a bash function which I call in my iptables script to load these rules. Have you tried inserting them as null routes into your routing table

Re: loading huge number of rules in iptables (blocklist)

2007-03-23 Thread Henrique de Moraes Holschuh
On Fri, 23 Mar 2007, Andy Smith wrote: Have you tried inserting them as null routes into your routing table instead? That won't be nice to the box, either. Even with ipset I would not consider putting this many rules into iptables. It can be collapsed to one rule (or a small number of them)

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread H.S.
H.S. wrote: Now, currently, there are around 151,000 ipranges listed in level1.gz to block. So the above function's loop goes over these many times inserting the rules for each range. And this is taking a huge amount of time: in over 50 minutes, only around 12% rules have been loaded on my

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Ron Johnson
On 03/21/07 10:52, H.S. wrote: H.S. wrote: Now, currently, there are around 151,000 ipranges listed in level1.gz to block. So the above function's loop goes over these many times inserting the rules for each range. And this is taking huge

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread H.S.
Ron Johnson wrote: On 03/21/07 10:52, H.S. wrote: H.S. wrote: Now, currently, there are around 151,000 ipranges listed in level1.gz to block. So the above function's loop goes over these many times inserting the rules for each range. And this is

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Albert Dengg
H.S. wrote: ... Yes. The experiment shows that this is not going well. I was wondering if there are any alternatives. I currently have around 80,000 rules now inserted, and the process is still continuing more than 17 hours later! However, my internet connection seems to be holding up without

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Andrew Sackville-West
On Wed, Mar 21, 2007 at 12:09:03PM -0400, H.S. wrote: Ron Johnson wrote: On 03/21/07 10:52, H.S. wrote: H.S. wrote: Now, currently, there are around 151,000 ipranges listed in level1.gz to block. So the above function's loop goes over these

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Greg Folkert
On Wed, 2007-03-21 at 12:09 -0400, H.S. wrote: Ron Johnson wrote: On 03/21/07 10:52, H.S. wrote: H.S. wrote: Now, currently, there are around 151,000 ipranges listed in level1.gz to block. So the above function's loop goes over these

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread H.S.
Andrew Sackville-West wrote: nice to know that the connection is holding up, but there's got to be a better way to do this. I'm not really up on iptables, but surely there is some better way to distinguish the traffic to allow or not? Maybe even just some judicious grepping of the rule set for

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Andrew Sackville-West
On Wed, Mar 21, 2007 at 01:36:17PM -0400, H.S. wrote: Andrew Sackville-West wrote: nice to know that the connection is holding up, but there's got to be a better way to do this. I'm not really up on iptables, but surely there is some better way to distinguish the traffic to allow or not?

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread H.S.
Andrew Sackville-West wrote: I'm sorry, but what exactly is the purpose here? I did a little poking around and it looks like just a massive list of ip's to block, but for what purpose? I'm not trying to say that this is not the right solution for whatever your problem is, but it

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Andrew Sackville-West
On Wed, Mar 21, 2007 at 02:30:06PM -0400, H.S. wrote: Andrew Sackville-West wrote: I'm sorry, but what exactly is the purpose here? I did a little poking around and it looks like just a massive list of ip's to block, but for what purpose? I'm not trying to say that this is not

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread H.S.
Andrew Sackville-West wrote: On Wed, Mar 21, 2007 at 02:30:06PM -0400, H.S. wrote: okay, I follow... and you want otherwise unfettered p2p operating, but security from these particular sites. ugh. nasty problem. Nasty problem, yes. But I can live without it since I don't do much p2p. But

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Ken Irving
On Wed, Mar 21, 2007 at 04:39:57PM -0400, H.S. wrote: I am not going to follow up on my current method. A better one is definitely needed. Googling on the shorewall home page yielded the following: http://www.shorewall.net/ipsets.html ... ...Ipsets provide an efficient way to

Re: loading huge number of rules in iptables (blocklist)

2007-03-21 Thread Henrique de Moraes Holschuh
On Tue, 20 Mar 2007, H.S. wrote: Now, currently, there are around 151,000 ipranges listed in level1.gz to block. So the above function's loop goes over these many times inserting See ipset and nf-hipac at http://www.netfilter.org for support for heavy-duty, huge rulesets. -- One disk to

loading huge number of rules in iptables (blocklist)

2007-03-20 Thread H.S.
Hello, I am playing round with the blocklist file obtained from peerguardian (level1.gz). I have written a bash function which I call in my iptables script to load these rules. The following function actually loads the rules from a gzipped file (e.g. /etc/firewall/level1.gz, defined by the