For blocking purposes, why don't you use blackholes? I have a webserver that is permanently under DoS attacks, so I use blackholes.
The routing table can have millions of rules or static routes, so that is not a problem.
Let's say you want to block IP 11.22.33.44. Just type:
# ip route add blackhole 11.22.33.44/32
and all packets to 11.22.33.44 will be discarded.
All packets to 11.22.33.44 are discarded... but will 11.22.33.44 be able to generate a connection socket?
If you then type: # ip ro | grep blackhole you will see all blackholes defined by you.
How maintainable is such a list compared to iptables, which has iptables-save and iptables-restore?
You can blackhole your incoming traffic, but be careful what you are doing.
Is there something I am missing here?
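The save/restore question above can be met with a small wrapper around iproute2; the script below is an added example, not code from anyone in this thread. It assumes Linux with the `ip` command, IPv4 only, root privileges unless DRY_RUN=1 is set, and that `ip -4 route show type blackhole` prints one `blackhole PREFIX` line per route (a /32 is printed as a bare address).

```shell
#!/bin/sh
# Added example: the blackhole-route analogue of iptables-save / iptables-restore.
# Assumes iproute2 on Linux, IPv4 routes only; restore needs root unless DRY_RUN=1.

# Turn 'ip -4 route show type blackhole' output (read on stdin) into one prefix
# per line. 'ip' prints a host route as "blackhole 11.22.33.44" with no /32, so a
# bare address is normalised to /32; other route types (unreachable, etc.) are skipped.
blackhole_parse() {
    awk '$1 == "blackhole" { p = $2; if (p !~ /\//) p = p "/32"; print p }'
}

# Save: dump the current blackhole table to a file, one prefix per line.
blackhole_save() {
    ip -4 route show type blackhole | blackhole_parse > "$1"
}

# Restore: re-add every prefix listed in the file, e.g. from a boot script.
# 'replace' instead of 'add' makes re-applying the same file idempotent (no
# "RTNETLINK answers: File exists"). Blank lines and '#' comments are ignored so
# the list can carry notes on why each address was blocked.
blackhole_restore() {
    while IFS= read -r prefix; do
        case "$prefix" in ''|'#'*) continue ;; esac
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'ip route replace blackhole %s\n' "$prefix"
        else
            ip route replace blackhole "$prefix"
        fi
    done < "$1"
}

# Typical use (as root):
#   blackhole_save /etc/blackholes.list      # before maintenance or a reboot
#   blackhole_restore /etc/blackholes.list   # after boot, or to sync another host
```

`ip -4 route flush type blackhole` clears the whole table if the list needs to be rebuilt from the file.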