16

Someone asked me this recently and I had no answer for it. I know this is kind of an open-ended question but is there a limit on the number of rules you can install in a table/chain? If so, how can I find it out? I guess it will vary across machines.

Bruce
  • 1
    try adding with a forloop until your machine crashes. – Lucas Kauffman Feb 16 '13 at 20:08
  • it entirely depends on the rule complexity. See my answer from `Jan Engelhardt` and the entire thread that I linked if you want more details, including why modifications after load can crash when the initial load works fine. – R. S. Feb 16 '13 at 20:11

3 Answers

16

Quote from Jan Engelhardt

The theoretical upper limit of maximum number of rules for a 32-bit
environment would be somewhere around 38 million, but you could also
construct a rule that is so crowded with matches that even it won't
fit, so the lower limit of max rules is 0.

http://www.spinics.net/lists/netfilter/msg51895.html

R. S.
  • 1
    That's theory, I read some articles that in practice things go south quite rapidly once going over 25k – Lucas Kauffman Feb 16 '13 at 20:19
  • 6
    The point is it entirely depends on the rule complexity and memory availability. As he points out, you can write a single rule that won't fit and thus the max would be 0. FWIW, `service iptables status | wc -l` gives me `112373` on one box I admin. 64 bit centos 6 with 96 gigs of ram. There are no problems adding more rules or even reloading with that amount. – R. S. Feb 16 '13 at 20:45
  • 1
    @kormoc: out of curiosity: what does that box do firewalling for? Firewall stuff is not my dayjob, but over 100000 rules sounds massive and I want to know :) – wzzrd Feb 16 '13 at 22:18
  • 1
    One of the previous admins set up a brute force blocker that adds an iptables rule for any of the IPs that attempt. We have about 6250 'bad' IPs blocking 16 ports, 8 tcp and 8 udp. Honestly, we should change the script, but it hasn't caused any issues, so it's left as is and the number slowly creeps up as some other host gets owned and scans us. – R. S. Feb 16 '13 at 22:26
  • 2
    kormoc - you might be better off switching over to using fail2ban. It can be configured to remove blocked IPs over time. Let's face it, scanning 100000 rule sets is going to be a bit slow. – hookenz Oct 22 '13 at 23:54
  • 1
    Using one rule per IP is insane regardless. You can use `ipset` and write a single rule to test in O(1) if a source or destination IP is a member of an arbitrarily sized set of addresses. – b0fh Nov 28 '17 at 09:03
  • @hookenz - fail2ban uses iptables, and typically adds one rule per blocked IP. – monzie Jun 01 '21 at 19:54
8

According to linuxquestions.org, on a 32-bit machine, IPTables will support around 25,000 rules. Going beyond that, especially from 27,000, things start to get flaky.

Nathan
Lucas Kauffman
0

Problem

I suppose the question stems from the idea/concept of adding offensive IPs to your firewall. Many of them. Because we are constantly bombarded by hackers, spammers, etc.

I've tried that on a 64 bit machine a while back and I could start seeing slowness when we reached about 4,000 IPs. Therefore, it's not a good idea.

Solution 1: ipset

For a while now, there has been an extension to iptables called ipset for doing such a thing as adding new IPs to your firewall, the IPs you want to block. I strongly suggest that you use sets. The number of IPs, sets and rules is still limited to some numbers, but it will be much less of a problem in that situation.

It would be something like this:

# create the set (needs root, like the iptables command below)
sudo ipset create deny_list hash:ip
# drop new TCP connections whose source address is in the set
sudo iptables -A INPUT -p tcp -m tcp --syn \
  -m set --match-set deny_list src \
  -j DROP

Then add offensive IPs to the list like so:

sudo ipset add deny_list 10.0.0.10

You can set up a TTL or have your own software remove those IPs after a while.

Solution 2: recent

Yet another solution, for very dynamic firewalls, is to use the recent extension. That allows you to add IPs to lists similar to the ipset lists of IPs. Then you can check whether the IP of another incoming packet matches one of the IPs in that set and if so DROP the packet.

From my point of view, this is harder to handle. But it is very powerful.

Your other tools (say a website which detects a hack attempt) can add IPs to the recent lists:

echo +10.0.0.10 >/proc/net/xt_recent/<name>

There is documentation in the iptables-extensions manual pages about this.

Alexis Wilke
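As an added example (not code from the answer above or from the ipset project), here is the shape of Solution 1 for the situation described in the comments on the first answer: a denylist of thousands of addresses that was costing one rule per IP per port becomes one set plus one rule. The script validates each address before it reaches `ipset restore` (a malformed line aborts the whole load) and gives every entry a timeout so the set ages out on its own. The set name `deny_list`, the 24-hour timeout and the sample denylist are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: build one ipset from a denylist
# so a single iptables rule replaces one rule per address.
# Assumptions: set name deny_list, 24h entry timeout, constructed sample input.

# Constructed sample denylist: one IPv4 per line, '#' comments and blanks allowed.
SAMPLE_DENYLIST='# constructed sample
10.0.0.10
10.0.0.11
192.0.2.7
not-an-address
203.0.113.9'

# Return 0 only for a dotted-quad IPv4 address with each octet in 0-255, so a
# bad line is skipped instead of making "ipset restore" abort the whole load.
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit "ipset restore" input: one create line, then one add per valid address.
# The timeout makes entries expire by themselves, so the set cannot creep up
# forever the way the per-IP rule list in the comments did.
emit_ipset_restore() {
    printf 'create deny_list hash:ip family inet timeout 86400\n'
    printf '%s\n' "$SAMPLE_DENYLIST" | grep -v '^#' | grep -v '^[[:space:]]*$' |
    while read -r ip; do
        is_ipv4 "$ip" || continue
        printf 'add deny_list %s timeout 86400\n' "$ip"
    done
}

# The one rule that consults the set: a hash lookup per packet, whatever the size.
emit_iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set deny_list src -j DROP\n'
}
```

To apply it on a box, pipe `emit_ipset_restore` into `sudo ipset -exist restore` (the `-exist` flag makes reloads idempotent) and then run the line printed by `emit_iptables_rule` once.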