Re: randomly changing IPs from different subnets (Google Mail)

On 23.06.2010 10:53, Florian Effenberger wrote:


On 22.06.2010 at 21:16, Lars Nooden wrote:
> The chain is a drop-through list of IP addresses that you have decided are good. Then make a rule or pair of rules to send TCP traffic for port 993 and port 537 to that user-defined chain.

If I run a script every 60 seconds via cron and add the hostname, it will automatically add all IPs returned by the DNS at that time. However, this changes randomly, and the change time is not predictable.

If I add the host ten times and it resolves to the same IP, iptables doesn't recognize that, and I have 10 similar rules. Is any check for duplicates possible?

If not, how many entries can the table have before it gets sluggish and slow? If I add two rules every 60 seconds, that would make 120 per hour, 2880 per day. Is that too much? Do I need to purge them beforehand? I have no experience with large filtering tables...

Florian--


ipset
http://ipset.netfilter.org/

is the answer to that problem, if you insist on doing it with iptables.
All your cron job would have to do is (pseudo code):

ipset --list gmailset

diff newlist oldlist

ipset --add new_entries
ipset --del dead_IPs


You might have to tinker with your kernel beforehand.

Best regards


Mart
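As an added example (not Mart's script or anything posted in the thread), a POSIX shell version of that cron job: it diffs the set's current members against what the hostname resolves to right now and issues only the needed add/del operations, so the set never accumulates duplicates or stale addresses. It assumes ipset v6 command syntax, a set already created with `ipset create gmailset hash:ip`, and `dig`; the set name and hostname are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: keep an ipset in sync with the
# addresses a hostname resolves to right now. Assumes ipset v6 syntax, a set
# created with "ipset create gmailset hash:ip", and dig. SET/HOST are placeholders.
SET="${SET:-gmailset}"
HOST="${HOST:-imap.gmail.com}"

# Current members of the set, one address per line (everything after "Members:").
current_members() {
    ipset list "$SET" 2>/dev/null | awk '/^Members:/ { f = 1; next } f'
}

# IPv4 addresses the hostname resolves to at this moment (A records only).
resolved_addrs() {
    dig +short A "$HOST" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# sync_plan OLD NEW: compare two newline-separated address lists and print
# one line per needed change: "add <ip>" for addresses only in NEW,
# "del <ip>" for addresses only in OLD. Addresses present in both produce
# nothing, and repeated inputs collapse, so re-running never adds duplicates.
sync_plan() {
    old=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$old"; return 1; }
    printf '%s\n' "$1" | grep . | sort -u > "$old"
    printf '%s\n' "$2" | grep . | sort -u > "$new"
    comm -13 "$old" "$new" | sed 's/^/add /'   # only in NEW
    comm -23 "$old" "$new" | sed 's/^/del /'   # only in OLD
    rm -f "$old" "$new"
}

# Feed the plan to ipset. The iptables rule that consumes the set stays fixed:
#   iptables -A OUTPUT -p tcp -m set --match-set gmailset dst -j ACCEPT
apply_plan() {
    while read -r action ip; do
        if [ -n "$ip" ]; then ipset "$action" "$SET" "$ip"; fi
    done
}

sync_set() {
    sync_plan "$(current_members)" "$(resolved_addrs)" | apply_plan
}

# Run from cron as: sync-gmailset.sh --run   (without --run, only the functions load)
if [ "${1:-}" = "--run" ]; then sync_set; fi
```

Because `sync_plan` is a pure comparison, the cron run does nothing at all when the DNS answer has not changed, which is the behaviour Florian was missing with plain iptables rules.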

