Re: loading huge number of rules in iptables (blocklist)



On Wed, Mar 21, 2007 at 01:36:17PM -0400, H.S. wrote:
> Andrew Sackville-West wrote:
>
> > nice to know that the connection is holding up, but there's got to be
> > a better way to do this. I'm not really up on iptables, but surely
> > there is some better way to distinguish the traffic to allow or not?
> > Maybe even just some judicious grepping of the rule set for partial
> > matches that could be lumped together?
> >
> > It seems that you're operating on a default allow scenario with a bunch
> > of rules to delineate the deny situations. Maybe you could go the
> > other way? default deny with a limited number of rules of what to
> > allow?
>
> I am already working with default deny. The ip ranges in the list
> provided by peerguarding need to be blocked -- so any traffic (not only
> NEW) from or to those IP ranges is to be blocked. So either I block them
> all, or I allow all the rest. In either case, I see a huge bunch of
> rules being put in iptables (and I don't have an ip range list for the
> latter choice). Or am I missing something?

I'm sorry, but what exactly is the purpose here? I did a little poking
around and it looks like just a massive list of IPs to block, but for
what purpose?

I'm not trying to say that this is not the right solution for whatever
your problem is, but it certainly seems very brute force. Hence my
questions.

A
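The "lumping together" Andrew suggests, as an added example that is not code from this thread: it reads a PeerGuardian-style list of `label:start-end` lines (the sample ranges below are constructed for the example), converts each range to the fewest CIDR blocks, merges adjacent and overlapping blocks with Python's `ipaddress` module, and emits one DROP rule per merged block for traffic to and from it. The `BLOCKLIST` chain name and the input line format are assumptions.

```python
import ipaddress

# Constructed sample in "label:start-end" form; these ranges are documentation
# addresses made up for the example, not taken from any real blocklist.
SAMPLE_BLOCKLIST = """\
Example Range A:192.0.2.0-192.0.2.127
Example Range B:192.0.2.128-192.0.2.255
Example Range C:198.51.100.0-198.51.100.63
Example Range D:198.51.100.32-198.51.100.95
Example Range E:203.0.113.7-203.0.113.7
"""


def parse_ranges(text):
    """Yield (start, end) IPv4Address pairs from 'label:start-end' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _label, _, span = line.rpartition(":")   # label may itself contain ':'
        start, _, end = span.partition("-")
        yield ipaddress.IPv4Address(start), ipaddress.IPv4Address(end or start)


def collapse_blocklist(text):
    """Express every range as CIDR blocks, then merge overlapping/adjacent ones.

    Overlapping entries (C and D above) and adjacent halves (A and B) collapse
    into fewer networks, so the rule count shrinks without changing what is
    blocked.
    """
    nets = []
    for start, end in parse_ranges(text):
        nets.extend(ipaddress.summarize_address_range(start, end))
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(text, chain="BLOCKLIST"):
    """One DROP rule per merged network, for both directions as the thread wants.

    Assumes the chain exists (iptables -N BLOCKLIST) and is jumped to from
    INPUT, OUTPUT and FORWARD; those setup commands are not emitted here.
    """
    rules = []
    for net in collapse_blocklist(text):
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    print(f"# {len(list(parse_ranges(SAMPLE_BLOCKLIST)))} input ranges")
    rules = iptables_rules(SAMPLE_BLOCKLIST)
    print(f"# {len(rules)} rules after collapsing")
    print("\n".join(rules))
```

With the five constructed ranges the merge yields four networks, so eight rules instead of the ten (or more) a one-rule-per-range approach would produce; on a real list of thousands of ranges the saving is what decides whether the rule set is tolerable.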
