We have a server with a Quad-Core AMD Opteron Processor 2378. It acts as our firewall for several servers. I've been asked to block all IPs from China.

In a separate network, we have some small VPS machines (256MB and 512MB). I've been asked to block China on those VPSs as well.

I've looked online and found lists which require 4500 block rules. My question is: will putting in all 4500 rules be a problem? I know iptables can handle far more rules than that; what I am concerned about is that since these are blocks that I don't want to have access to any port, I need to put these rules before any allow. This means all legitimate traffic needs to be compared to all those rules before getting through. Will the traffic be noticeably slower after implementing this? Will those small VPSs be able to handle processing that many rules for every new packet (I'll put an established allow before the blocks)?

My question is not "How many rules can iptables support?", it's about the effect that these rules will have on load and speed.

Thanks.

mhost
  • Why not just give it a try and find out? It's simple enough to revert... – EEAA Oct 17 '13 at 19:06
  • That's the plan. But I thought I would ask first since I won't truly know the effects without leaving it on due unpredictable traffic spikes. And I am just concerned that when those spikes start, it will bring the site down to a crawl. – mhost Oct 17 '13 at 19:11
  • It completely depends on how your rule sets are structured. If you use chains and ipsets in appropriate places then you can have a large rule set, but a particular packet will not have to be evaluated against every rule. – Zoredache Oct 17 '13 at 19:23
  • https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/ – user1133275 Mar 23 '21 at 17:41

1 Answer

It will support that many rules, but you really wouldn't want to traverse a chain of 4500 rules.

As @Zoredache pointed out you could also binary split the chains. If you did it perfectly you could drop the number of chain traversals to 13.

The simplest way to do this is with ipsets.

I am using EL6 which provides support for this. Obviously I don't know all the Chinese netblocks so I'm just filling this with garbage.

ipset create china hash:net
ipset add china 1.2.3.0/24
ipset add china 2.4.0.0/16
ipset add china 123.0.0.0/8
ipset add china 145.12.5.0/24

Then add a rule to iptables to match on that set and drop traffic.

iptables -I INPUT -m set --match-set china src -j DROP

This is much more efficient and faster than standard rule chains.

Matthew Ife
  • Thanks. I forgot all about ipsets. This will solve the problem for the dedicated server, however the VPSs are OpenVZ which do not support ipsets. Can you provide more info about the binary splitting of the chains? I haven't heard of that. – mhost Oct 17 '13 at 19:33
  • Can you not just setup the same rules to work in the FORWARD chain of the server the OpenVZ works on instead? – Matthew Ife Oct 17 '13 at 19:36
  • I don't have access to the host server, only the guest os. – mhost Oct 17 '13 at 19:53
  • You need to sort each network block by its binary IP, at the middle split. Then in the left half, go to the middle, split, the right half, go to the middle, split and keep halving and splitting new halves until you have nothing left to split. It is a bit infeasible in all honesty without automating it. – Matthew Ife Oct 17 '13 at 20:01
  • https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables/ – user1133275 Mar 23 '21 at 17:42
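The binary splitting of chains that Matthew Ife describes in the comments (the ipset-less fallback for the OpenVZ guests), worked through as an added example that is not code from the answer or from any project: the script sorts the netblocks, halves them recursively into user chains joined by iprange jumps, renders an iptables-restore fragment, and simulates the walk so you can count how many rules one packet is compared against. It assumes the iprange and conntrack match modules are usable inside the guest (on OpenVZ that depends on the host's configuration); the netblocks are constructed sample values.

```python
import ipaddress

# Constructed sample list: the answer's four made-up netblocks plus four more.
BLOCKS = ["1.2.3.0/24", "2.4.0.0/16", "5.6.0.0/16", "9.9.9.0/24",
          "123.0.0.0/8", "145.12.5.0/24", "150.0.0.0/8", "200.1.0.0/16"]

def build_tree(cidrs, prefix="china"):
    """Binary-split the sorted netblocks into a tree of user chains: inner chains hold
    one iprange jump per half, leaves one '-s net -j DROP'. Returns (root, {chain: rules})."""
    nets = sorted(map(ipaddress.ip_network, cidrs), key=lambda n: int(n.network_address))
    chains = {}
    def build(sub):
        chain = f"{prefix}_{len(chains)}"   # len() keeps chain names unique
        chains[chain] = []
        if len(sub) == 1:
            chains[chain].append((f"-s {sub[0]}", "DROP"))
            return chain
        mid = len(sub) // 2
        for half in (sub[:mid], sub[mid:]):
            lo = half[0].network_address                  # sorted, so first is lowest
            hi = max(n.broadcast_address for n in half)   # max() copes with nested blocks
            chains[chain].append((f"-m iprange --src-range {lo}-{hi}", build(half)))
        return chain
    return build(nets), chains

def evaluate(root, chains, src):
    """Simulate the kernel walking the tree for one source address: a child chain that
    matches nothing falls through and the parent continues. Returns (verdict, rules compared)."""
    addr, checked = ipaddress.ip_address(src), 0
    def hit(match):
        if match.startswith("-s "):
            return addr in ipaddress.ip_network(match[3:])
        lo, hi = match.rsplit(" ", 1)[1].split("-")
        return ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
    def walk(chain):
        nonlocal checked
        for match, target in chains[chain]:
            checked += 1
            if hit(match) and (target == "DROP" or walk(target) == "DROP"):
                return "DROP"
        return "RETURN"
    return walk(root), checked

def to_restore(root, chains):
    """Render an iptables-restore fragment; load it with 'iptables-restore --noflush'."""
    out = ["*filter"] + [f":{c} - [0:0]" for c in chains]
    out += [f"-A {c} {m} -j {t}" for c, rules in chains.items() for m, t in rules]
    out += ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",  # allow first
            f"-A INPUT -j {root}", "COMMIT"]
    return "\n".join(out)
```

With 4500 blocks the tree is 13 levels deep, so a new packet is compared against at most two rules per level (a couple of dozen comparisons) instead of all 4500 in a flat chain.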