Say one wishes to have a list of blocked IP addresses.
I have seen the following example script:
#!/bin/sh
BLOCKDB="/path/to/ip.blocked.file"
# omit comment lines
IPS=$(grep -Ev "^#" "$BLOCKDB")
for i in $IPS
do
    # one pair of rules per address: inbound from it, outbound to it
    iptables -A INPUT -s "$i" -j DROP
    iptables -A OUTPUT -d "$i" -j DROP
done
Are several thousand lines, which turn into several thousand iptables entries, sane?
What is the upper limit beyond which system efficiency gets significantly affected?
I think I have found a solution via this article, and IPSet seems to be the answer.
In sum:
If a set of IP addresses contains thousands of items, iptables performance decreases (actually, the performance of netfilter, since iptables is just a tool for managing the firewall). Your CPU load can increase too. Fortunately there is a perfect solution: ipsets.
IPSet is the perfect tool if you want to:
Installing ipset is straightforward:
sudo apt-get install ipset
Then run the following:
Add it to your iptables chain. It can differ depending on your firewall settings. Here we use the ethin chain.
Now you can add all bad IPs to your ipset. For instance, you have a text file called bots.txt with one IP per line. You can add them to the ipset using a simple bash script:
To check, run:
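As an added example (not the question's script and not the article's code, which is missing from this page), here is a POSIX shell script that does the same job with ipset: it turns a blocklist file into an ipset restore session, loads it atomically, and installs a single match rule per direction. The set name blocklist and the file format (one IPv4 address or CIDR prefix per line, # starting a comment) are assumptions.

```shell
#!/bin/sh
# Added example, not the question's script or the article's code. Loads a blocklist
# file into one ipset and matches it with one iptables rule per direction instead of
# one rule per address. Assumed: set name "blocklist", one IPv4/CIDR per line, '#' comments.
set -eu

SETNAME="blocklist"

# Print an "ipset restore" session for FILE. Comments, blank lines and anything not
# shaped like an IPv4 address or IPv4 CIDR prefix are skipped and reported on stderr,
# so one stray line cannot abort the whole load (octet range is left to ipset itself).
# Entries go into a scratch set that is swapped in atomically, so the live set is
# never empty or half-loaded while a new list is applied.
build_restore_script() {
    file="$1"
    tmpset="${SETNAME}_tmp"
    printf 'create %s hash:net family inet\n' "$SETNAME"
    printf 'create %s hash:net family inet\n' "$tmpset"
    printf 'flush %s\n' "$tmpset"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        if printf '%s\n' "$entry" |
           grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            printf 'add %s %s\n' "$tmpset" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf 'swap %s %s\n' "$tmpset" "$SETNAME"
    printf 'destroy %s\n' "$tmpset"
}

# Load the set in a single ipset call (-exist tolerates an existing live set and
# duplicate addresses), then install the two match rules; -C checks first so that
# re-running the script does not stack duplicate rules.
apply_blocklist() {
    build_restore_script "$1" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SETNAME" src -j DROP
    iptables -C OUTPUT -m set --match-set "$SETNAME" dst -j DROP 2>/dev/null ||
        iptables -I OUTPUT -m set --match-set "$SETNAME" dst -j DROP
}

# Usage: sh blocklist.sh /path/to/ip.blocked.file   (needs root for ipset/iptables)
if [ $# -eq 1 ]; then
    apply_blocklist "$1"
fi
```

Whatever the list size, the kernel evaluates one rule per direction and a hash lookup in the set, which is the efficiency gain the answer describes.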