Re: Using iptables and ipset to DROP a list of 2 million addresses

On 4/11/24 5:39 AM, Mason Kaufer wrote:
Hi,
I am currently trying to set up a firewall on an Ubuntu 22.04 machine
that will block a list of 2 million plus IP addresses without slowing
the network speed down tremendously. I have tried using ipset but I
get an error that the hash size isn't large enough. I have tried
manually setting the hash size but it only allows that option to be so
large. Is there something I am doing wrong or is there a better way to
achieve this? Any help with this would be much appreciated.

There could be another way, that would work for both inbound and outbound blocking. Consolidate the list into net ranges, and add the ranges as BLACK HOLE routes in the routing table.

I'm less and less enamored with using IP lists in a firewall when the routing table is optimized to handle BIG lists of addresses, if you do the consolidation properly.

Also, be sure to have short-circuit rules for established connections in your firewall list, if you do decide to lard up an IP table list. That will help the speed problem, by restricting the loading to new connections.
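As an added example, not part of the reply above, here is the consolidation step it describes in Python: collapse a raw list of addresses and prefixes into the fewest covering CIDR blocks, then render them as `ip route add blackhole` commands, with the established-connection short-circuit rule printed first. The sample blocklist is constructed, and the commands are printed rather than applied.

```python
#!/usr/bin/env python3
"""Consolidate a blocklist into CIDR ranges and emit blackhole routes.

Added example: aggregates addresses into the fewest covering prefixes so the
routing table, rather than a long iptables/ipset list, does the matching.
"""
import ipaddress

# Constructed sample blocklist: overlaps, duplicates, two adjacent /24s that
# merge into a /23, and four /32s that merge into a /30.
SAMPLE_BLOCKLIST = """
198.51.100.0/24
198.51.100.77
198.51.101.0/24
203.0.113.5
203.0.113.5
203.0.113.6
203.0.113.7
203.0.113.4
# comment lines and blanks are ignored
"""


def consolidate(lines):
    """Parse address/prefix lines and return the minimal covering CIDR set."""
    by_version = {4: [], 6: []}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # host bits allowed
        by_version[net.version].append(net)
    # collapse_addresses() removes duplicates, drops prefixes already covered
    # by a larger one and merges adjacent siblings; it refuses mixed
    # families, so IPv4 and IPv6 are collapsed separately.
    out = []
    for ver in (4, 6):
        out.extend(ipaddress.collapse_addresses(by_version[ver]))
    return out


def blackhole_commands(nets):
    """Render consolidated ranges as 'ip route' blackhole commands.

    A blackhole route silently drops packets routed to the range; inbound
    sessions from it fail too, because replies cannot be routed back.
    """
    return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]


# Short-circuit rule from the reply: accept established/related traffic
# before any long match list is consulted, so only new connections pay.
ESTABLISHED_RULE = ("iptables -I INPUT 1 -m conntrack "
                    "--ctstate ESTABLISHED,RELATED -j ACCEPT")

if __name__ == "__main__":
    print(ESTABLISHED_RULE)
    for cmd in blackhole_commands(consolidate(SAMPLE_BLOCKLIST.splitlines())):
        print(cmd)
```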
