Hello everyone,
I have a hash:net IP set (named, say, inblock) which has 2500 network blocks.
It is taken from
http://rules.emergingthreatspro.com/fwrules/emerging-Block-IPs.txt
But let us assume that it can go up to 3000-5000 entries in future.
Now I have the following rule right at the top:
# iptables -t mangle -I PREROUTING 1 -m set --match-set inblock src -j DROP
This rule will process each and every packet that is coming in and match
it against the IP set.
So if I have a 200mbps line, then at its peak the above rule will go through data equal to 200mbits per second.
I am curious to know what happens if I change the above line to:
# iptables -t mangle -I PREROUTING 1 -m conntrack --ctstate NEW,INVALID -m set --match-set inblock src -j DROP
Now the above rule will send only NEW and INVALID packets to be matched against the set, and skip matching ESTABLISHED packets against the IP set.
But conntrack table itself can have 5000-10000 entries at its peak.
(assumption)
So which rule will be more efficient?
In short:
The first rule will process ALL the packets and test each packet against an IP set containing 3000-5000 entries.
The second rule will first process ALL the packets against the conntrack table containing 5000-10000 entries, but will save CPU by not matching ESTABLISHED packets against the IP set.
So what would be more efficient?
We assume that NEW,INVALID packets would be far far less than
ESTABLISHED packets.
Thank you and regards,
Amish.
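As an added example (not part of Amish's post and not the Emerging Threats project's own tooling), the script below shows the surrounding workflow for the rule discussed: it parses a block list in the same plain-text shape as emerging-Block-IPs.txt into a de-duplicated list of IPv4 networks, emits `ipset restore` input that loads a temporary hash:net set and swaps it into place atomically (so the live set is never half-loaded), prints both variants of the PREROUTING rule, and parses the packet/byte counters from `iptables -t mangle -L PREROUTING -v -x -n` so the two variants can be compared by measurement rather than by assumption. The feed lines and the counter output embedded here are constructed samples; the set name `inblock` comes from the post, and the `maxelem`/`hashsize` values are assumptions sized for the 3000-5000 entries mentioned.

```python
"""Build an `ipset restore` script for a hash:net block set and read the
iptables counters of the rule that uses it.

Added example; not code from the original post. Assumes the feed is plain
text with one IPv4 address or CIDR per line and '#' comments, which is the
shape of the Emerging Threats block list. All sample data is constructed.
"""
import ipaddress

# Constructed sample feed, in the same shape as emerging-Block-IPs.txt.
SAMPLE_FEED = """\
# Emerging Threats block list (constructed sample for this example)
# Rev 0000
1.2.3.0/24
5.6.7.8
1.2.3.0/24
not-an-address
2001:db8::/32
"""

# Constructed sample of `iptables -t mangle -L PREROUTING -v -x -n` output.
SAMPLE_COUNTERS = """\
Chain PREROUTING (policy ACCEPT 123456 packets, 98765432 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1234     567890 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,INVALID match-set inblock src
  120000   90000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

SET_NAME = "inblock"   # set name used in the original post
MAXELEM = 65536        # assumed headroom well above the 3000-5000 entries discussed
HASHSIZE = 4096        # assumed initial bucket count for the hash:net set


def parse_feed(text):
    """Return sorted, de-duplicated IPv4 networks from the feed text.
    Comments, blank lines, malformed entries and IPv6 entries are skipped
    (a hash:net set created with `family inet` holds IPv4 only)."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue          # malformed entry: skip rather than abort the load
        if net.version == 4:
            nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def restore_script(nets, set_name=SET_NAME):
    """Build `ipset restore` input that fills a temporary set and swaps it
    with the live one, so the rule never runs against a partially loaded set.
    The live set must already exist with the same type (see usage note)."""
    tmp = f"{set_name}_new"
    lines = [f"create {tmp} hash:net family inet hashsize {HASHSIZE} maxelem {MAXELEM}"]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def iptables_rule(set_name=SET_NAME, new_only=True):
    """The mangle PREROUTING rule from the post. With new_only=True the
    conntrack state match is included, so packets already tracked as
    ESTABLISHED never reach the set lookup."""
    state = "-m conntrack --ctstate NEW,INVALID " if new_only else ""
    return f"iptables -t mangle -I PREROUTING 1 {state}-m set --match-set {set_name} src -j DROP"


def parse_counters(output):
    """Parse `iptables -L -v -x -n` output into per-rule packet/byte counters.
    Only rule lines (those starting with a numeric pkts column) are kept."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        rows.append({"pkts": int(fields[0]), "bytes": int(fields[1]),
                     "target": fields[2], "match": " ".join(fields[9:])})
    return rows


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    print(restore_script(nets), end="")
    print(iptables_rule(new_only=False))
    print(iptables_rule(new_only=True))
    for row in parse_counters(SAMPLE_COUNTERS):
        print(row)
```

Usage: create the live set once with `ipset create inblock hash:net family inet hashsize 4096 maxelem 65536`, then on every feed refresh pipe the output of `restore_script` into `ipset -exist restore`; the `-exist` flag keeps a duplicated entry from aborting the load. To compare the two rule variants, install one, let it run under representative traffic, read `iptables -t mangle -L PREROUTING -v -x -n`, and repeat with the other; the `pkts` counter on the DROP rule shows how many packets actually reached the set match under each.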