Res wrote:
On Wed, 3 Sep 2003, David Hart wrote:

I've about had it with attacks to our web server emanating from certain
geographical areas. This is not a display of Xenophobia. I have never
really used IPT.

It takes about 4,000 lines for Korea and China alone and that's with
CIDR formatting.

You could shrink it a bit...

In addition to shrinking the list by using larger networks, you can optimize your IPTables setup by testing more specific packets.

For instance, if you only want to block connections to apache from those networks, create a new chain and only jump there on packets that initiate a connection to apache. example:

# Create a chain which will filter out unwanted networks
iptables -N DROP-ATTACKERS
# Populate the chain with rules which will drop packets from
# the unwanted networks
iptables -A DROP-ATTACKERS -s 202.80.0.0/12 -j DROP
iptables -A DROP-ATTACKERS -s 202.96.0.0/11 -j DROP
# etc...
# Create a rule in the input chain that will check incoming
# connections to apache against the rules in the new chain
iptables -A INPUT -p tcp --dport 80 --syn -j DROP-ATTACKERS

Now, an incoming SYN packet destined for port 80 will run through the costly iptables check for unwanted source networks. All other traffic will pass through the very short INPUT chain with minimal processing. This is a very effective optimization, especially when you plan to include a lot of filter rules.

Also, because you have your unwanted networks in an existing chain, you can later choose to filter other network ports using the same list of unwanted source networks.


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
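The two ideas in this thread (shrink the list, and jump to a dedicated chain only for new connections to the ports you care about), as an added example that is not from the original post: a Python script that merges adjacent CIDR blocks with ipaddress.collapse_addresses and emits an idempotent iptables rule set that reuses one chain for several ports. The network list is constructed for illustration; the chain name and port list are assumptions.

```python
import ipaddress
from typing import Iterable, List

CHAIN = "DROP-ATTACKERS"  # assumed chain name, as in the post

# Constructed sample list (not a real block list): the two /13s merge
# into 202.80.0.0/12 and the two /12s into 202.96.0.0/11.
SAMPLE_NETWORKS = """
# one CIDR block per line, '#' starts a comment
202.80.0.0/13
202.88.0.0/13
202.96.0.0/12
202.112.0.0/12
211.0.0.0/16
"""


def aggregate(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping blocks into the fewest covering prefixes."""
    nets = [
        ipaddress.ip_network(line.strip(), strict=False)
        for line in cidrs
        if line.strip() and not line.lstrip().startswith("#")
    ]
    return list(ipaddress.collapse_addresses(nets))


def build_rules(cidrs: Iterable[str], ports: Iterable[int] = (80,)) -> List[str]:
    """Emit shell lines: one DROP per aggregated block, one SYN-only jump per port."""
    rules = [
        f"iptables -N {CHAIN} 2>/dev/null",  # ignore 'chain exists' on re-runs
        f"iptables -F {CHAIN}",              # rebuild the list from scratch
    ]
    for net in aggregate(cidrs):
        rules.append(f"iptables -A {CHAIN} -s {net} -j DROP")
    for port in ports:
        # Only connection-initiating packets pay for the long chain;
        # -C checks for an existing rule so the jump is not duplicated.
        jump = f"-p tcp --dport {port} --syn -j {CHAIN}"
        rules.append(f"iptables -C INPUT {jump} 2>/dev/null || iptables -A INPUT {jump}")
    return rules


if __name__ == "__main__":
    # Print the rules for review; pipe into sh as root to apply them.
    print("\n".join(build_rules(SAMPLE_NETWORKS.splitlines(), ports=(80, 443))))
```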
