Home / ubuntu / Questions / 956009
Accepted
FatRabbit
Asked: 2017-09-15 22:40:11 +0800 CST

iptables limits

  • 772

We have a ubuntu set up as firewall (basic iptables), the thing is we have a netmask of 255.255.0.0 i.e almost possible 65531 addresses.

Since I want to monitor download traffic per IP, I need to make thousands of rules (I have a script that can do that) but will my server support that number of rules?

configuration:

Dell optiplex 7210    
core i3 2.6Ghz    
4GB RAM    
50GB HD
iptables

1 Answers

  1. Best Answer

    From here I gather the theoretical limit would be around 38 million on 32 bit systems, so I think 64 bit systems would be much more. But again from the afore mentioned source any thing above 25,000 rules say 27,000 would become a problem.

    Issues are mainly memory usage on these systems with such a large number of iptable rules, it's suggested one can use:

    1. ipsets from here, and
    2. geoip modules for iptables from here when targeting a country

    Quote from a user (pdepartida) here:

    A couple of weeks ago i was getting massive port 80 requests to a 404 on my server, that were attached to my domain, so i could not just change the ip or whatever.

    I needed to block this bot requests and still have my apache up and running so i started to dynamically block through iptables. At the end of the first 24 hours i was already blocking over 22'000 distinct ip's. I had to upgrade my linode with 90 extra mb of RAM (from a linode 360) but everything else was fine!

    After a week i had already blocked over 53'000 different ips. Everything ran like a charm and was still able to keep apache running until eventually the bots stopped trying...

    By the way, i flushed up tables once a week, just in case.

    So it really depends on your available memory.

    • 2