Re: loading huge number of rules in iptables (blocklist)



Andrew Sackville-West wrote:
> nice to know that the connection is holding up, but there's got to be
> a better way to do this. I'm not really up on iptables, but surely
> there is some better way to distinguish the traffic to allow or not?
> Maybe even just some judicious grepping of the rule set for partial
> matches that could be lumped together?
>
> It seems that you're operating on a default allow scenario with a bunch
> of rules to delineate the deny situations. Maybe you could go the
> other way? Default deny with a limited number of rules of what to
> allow?

I am already working with default deny. The IP ranges in the list provided by PeerGuardian need to be blocked -- so any traffic (not only NEW) from or to those IP ranges is to be blocked. So either I block them all, or I allow all the rest. In either case, I see a huge bunch of rules being put in iptables (and I don't have an IP range list for the latter choice). Or am I missing something?

->HS


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
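Added example, not part of the thread above and not HS's or PeerGuardian's code: the usual way out of "one iptables rule per blocked range" is to put the ranges into a kernel ipset (type hash:net) and reference that single set from a couple of iptables rules. The script below converts a PeerGuardian-style p2p list ("label:first-last" per line) into "ipset restore" input, splitting each range into the minimal CIDR blocks a hash:net set accepts, and prints the iptables rules that replace the long list. It assumes ipset and the iptables "set" match are installed; the set name "peerguardian" and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): turn a PeerGuardian-style p2p
# blocklist ("label:first-last" per line) into input for "ipset restore",
# so the whole list becomes ONE kernel set matched by a few iptables
# rules instead of thousands of individual "iptables -A" calls.
# Assumptions: ipset and the iptables "set" match are available; the set
# name "peerguardian" and the SAMPLE lines are made up for this example.
set -eu

# dotted quad -> 32-bit integer (printed as decimal)
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr FIRST LAST : print the minimal list of CIDR blocks covering the
# inclusive range. hash:net sets take prefixes, not arbitrary first-last ranges.
range2cidr() {
    local s e bits mask
    s=$(ip2int "$1"); e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        bits=0
        # grow the block while its start stays aligned and its end stays <= LAST
        while [ "$bits" -lt 32 ]; do
            mask=$(( (4294967295 << (bits + 1)) & 4294967295 ))
            [ $(( s & mask )) -eq "$s" ] || break
            [ $(( s + (1 << (bits + 1)) - 1 )) -le "$e" ] || break
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$s")/$(( 32 - bits ))"
        s=$(( s + (1 << bits) ))
    done
}

# p2p2ipset SETNAME < blocklist : emit lines for "ipset restore"
p2p2ipset() {
    local name line range
    name=$1
    echo "create $name hash:net family inet hashsize 65536 maxelem 262144"
    tr -d '\r' | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        range=${line##*:}     # labels may contain ':'; the range follows the last one
        range2cidr "${range%-*}" "${range#*-}" | sed "s/^/add $name /"
    done
}

# iptables_rules SETNAME : the handful of rules that replace the big list.
# Printed rather than executed; run them as root once the set is loaded.
# Both directions are covered, as the thread asks for (not only NEW).
iptables_rules() {
    printf 'iptables -I INPUT   -m set --match-set %s src -j DROP\n' "$1"
    printf 'iptables -I OUTPUT  -m set --match-set %s dst -j DROP\n' "$1"
    printf 'iptables -I FORWARD -m set --match-set %s src -j DROP\n' "$1"
    printf 'iptables -I FORWARD -m set --match-set %s dst -j DROP\n' "$1"
}

# Constructed sample input (not a real blocklist).
SAMPLE='# comment line
Some label:10.0.0.5-10.0.0.8
Label:with:colons:192.168.0.0-192.168.1.255'

# Stand-alone demo: write the restore input to stdout, then the rules to apply.
printf '%s\n' "$SAMPLE" | p2p2ipset peerguardian
iptables_rules peerguardian
```

Usage: `sh convert.sh > peerguardian.ipset`, then as root `ipset restore < peerguardian.ipset` followed by the four printed iptables rules. Lookups in a hash:net set are hash-based, so the kernel cost no longer grows with the length of the list the way a linear chain of thousands of rules does. To refresh the list later without a gap, load the new entries into a second set and use `ipset swap` to exchange it with the live one. If ipset is not an option, at least feed the rules to `iptables-restore` in one go instead of invoking `iptables -A` once per range, which avoids re-reading and re-writing the whole table for every rule.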
