> I've about had it with attacks to our web server emanating from certain
> geographical areas. This is not a display of xenophobia. I have never
> really used IPT.
>
> It takes about 4,000 lines for Korea and China alone and that's with
> CIDR formatting.
>
> Two questions:
>
> 1. Will a table that size create a problem? Is that even a very large
> table?
Yes, it will. You have to remember that every packet that comes into your box has to be tested against every rule in your firewall until it finds one that it matches. This means that if you have 4,000 REJECT lines followed by an ALLOW rule, then every request that is *authorized* to use your box will have to go through 4,000 tests first. I expect that you will rapidly notice the CPU usage go up, and your network "speed" and server response go down.

> 2. I have single lines like:
> "/sbin/iptables -A INPUT -s 61.32.0.0/16 -j REJECT"
>
> What is the most efficient means of logging matches? I suppose that I
> could create another shell script replacing REJECT with LOG or am I way
> off?

IIRC, a LOG without a REJECT will still allow the packet through, but will log it. You would have to have REJECT LOG at the end of the rule. Of course, your log file will rapidly bloat to (probably) unmanageable proportions.

There are ways (though I can't remember what they are) to set up your system in such a way as to dynamically block IPs from which you are receiving attacks. I believe that they involve setting up iptables to work with snort (http://www.snort.org), but I can't remember for sure.

Ben

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
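The rule layout discussed in this thread, as an added example that is not code from the original post or its author: a small POSIX shell script that turns a CIDR list into an iptables-restore fragment. The chain names GEOBLOCK and GEOBLOCK_ACT, the log prefix, and the sample CIDRs are assumptions made for the example. It addresses both questions at once: the per-CIDR rules live in their own chain, and only the first packet of each new connection walks that chain because established traffic is accepted first; and because LOG is a non-terminating target, logging a match takes a LOG rule followed by a REJECT rule, which here is a single rate-limited pair shared by every CIDR instead of being repeated 4,000 times.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# fragment for a large CIDR blocklist. Chain names GEOBLOCK and GEOBLOCK_ACT
# and the log prefix are assumptions chosen for this example.

# Constructed sample blocklist; stands in for the ~4,000-line country list.
BLOCKLIST='61.32.0.0/16
# comment lines and blank lines are ignored

58.120.0.0/13
218.144.0.0/12'

# gen_geoblock_rules LIST [LOGPREFIX]: print the ruleset to stdout.
gen_geoblock_rules() {
    list="$1"
    prefix="${2:-GEOBLOCK}"
    printf '%s\n' '*filter'
    printf '%s\n' ':GEOBLOCK - [0:0]'
    printf '%s\n' ':GEOBLOCK_ACT - [0:0]'
    # Packets of already-accepted connections skip the list entirely;
    # only the first packet of a new connection pays for the long walk.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate NEW -j GEOBLOCK'
    # One rule per CIDR. Each rule only jumps; the LOG/REJECT pair
    # exists once instead of being duplicated for every network.
    printf '%s\n' "$list" | while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        printf '%s\n' "-A GEOBLOCK -s $cidr -j GEOBLOCK_ACT"
    done
    # LOG does not terminate rule traversal, so the packet continues to the
    # REJECT rule below. The limit match keeps a flood from filling the log.
    printf '%s\n' "-A GEOBLOCK_ACT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"$prefix: \""
    printf '%s\n' '-A GEOBLOCK_ACT -j REJECT'
    printf '%s\n' 'COMMIT'
}

# Number of per-CIDR rules that would be loaded (one per list entry).
count_cidr_rules() {
    gen_geoblock_rules "$1" | grep -c ' GEOBLOCK -s '
}

# Succeeds (exit 0) if the LOG rule precedes the REJECT rule in the output.
log_precedes_reject() {
    out=$(gen_geoblock_rules "$1")
    log=$(printf '%s\n' "$out" | grep -n -- '-j LOG' | cut -d: -f1)
    rej=$(printf '%s\n' "$out" | grep -n 'GEOBLOCK_ACT -j REJECT' | cut -d: -f1)
    [ -n "$log" ] && [ -n "$rej" ] && [ "$log" -lt "$rej" ]
}

# Usage (as root): gen_geoblock_rules "$(cat blocklist.txt)" > geoblock.rules
# then review the file and load it with iptables-restore.
```

Review the generated file before loading it: a plain iptables-restore replaces the filter table, so this fragment is meant to be merged into the full ruleset rather than loaded alone. A 4,000-entry chain is still a linear scan for each new connection; on a current kernel the practical fix is an ipset of type hash:net matched by a single `-m set` rule, which keeps the firewall at a handful of rules regardless of list size.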