Hi,

I have a BLOCKED chain that every packet goes through (it's before the EST/RELA rule) and has about 3000 lines, and I can still get around 4x200Kbs TCP streams on Telstra cables (about the same without the filtering).

Alex

On Tue, Jul 27, 2004 at 10:35:11PM -0400, Chris Brenton wrote:
> On Tue, 2004-07-27 at 22:11, David Cary Hart wrote:
> >
> > I realize that there are too many variables to answer this question with
> > great precision so consider this a reality check.
>
> So long as you understand what you are asking. ;-)
>
> > Our server has been under very heavy attack over the last few weeks. I
> > have been adding individual hosts who try to exploit either httpd or
> > smtp. I now have an input rule set of several hundred lines. Does that
> > seem terribly over-sized or is that fairly common?
>
> I've run 400+ on old P-III hardware without a problem. I know others
> have gone beyond even that.
>
> One thing you might consider is leveraging custom chains. Something
> like:
>
> iptables -N http
> iptables -A FORWARD -i eth0 -p tcp --tcp-flags SYN,ACK SYN -d 192.168.1.128/27 --dport 80 -j http
>
> replacing "-i" with your external interface and "-d" with the IPs of
> your Web servers.
>
> Now in the http chain you block all the nasty IPs. You can then either
> permit access to your Web servers within that chain, or come back to the
> forward chain and keep the rule there. Whatever makes life easier for
> you.
>
> Nice thing about the above is all non-http traffic no longer has to
> traverse all your blocking rules. This should help speed up processing.
>
> HTH,
> Chris
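The per-service blocking chain Chris describes, as an added example that is not part of the thread: a script that turns a plain-text list of hosts to block into the iptables commands for the "http" chain, with the jump from FORWARD restricted to new connections to the web servers. The interface, web server range and chain name are the ones quoted above; the blocklist file format (one IPv4 address or CIDR per line, "#" comments) and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build the per-service blocking chain
# from a blocklist file. The script only prints iptables commands; pipe its
# output to sh to apply them.
# Assumptions: external interface eth0, web servers 192.168.1.128/27 and
# chain name "http" come from the quoted mail; the blocklist format is
# constructed for this example.

EXT_IF="${EXT_IF:-eth0}"
WEB_NET="${WEB_NET:-192.168.1.128/27}"
CHAIN="${CHAIN:-http}"

# Accept only dotted-quad IPv4, optionally with /prefix, so that a stray
# line in the blocklist cannot become a malformed or over-broad rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit the commands for one blocklist file: create and flush the chain,
# add one DROP per host, return to FORWARD for everything else, then hook
# the chain in only for new HTTP connections (SYN set, ACK clear) that
# are headed to the web servers, as in Chris's rule.
gen_http_chain_rules() {
    blocklist="$1"
    echo "iptables -N $CHAIN"
    echo "iptables -F $CHAIN"
    while IFS= read -r line; do
        line="${line%%#*}"                              # strip comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -z "$line" ] && continue
        if valid_ipv4 "$line"; then
            echo "iptables -A $CHAIN -s $line -j DROP"
        else
            echo "skipped malformed blocklist entry: $line" >&2
        fi
    done < "$blocklist"
    echo "iptables -A $CHAIN -j RETURN"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp --tcp-flags SYN,ACK SYN -d $WEB_NET --dport 80 -j $CHAIN"
}

# Constructed sample blocklist (documentation ranges), for a quick run.
SAMPLE="$(mktemp)"
printf '%s\n' '# hosts seen probing httpd' '203.0.113.7' '198.51.100.0/24' 'not-an-ip' '' > "$SAMPLE"
gen_http_chain_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Because only SYN packets to port 80 on the web servers are diverted, established flows and all non-HTTP traffic never walk the blocklist, which is the speed-up Chris points out.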