IPTables limits?

Rick Stevens ricks at nerd.com
Tue Oct 21 17:16:15 UTC 2008


Karl Pearson wrote:
> I'm curious if there's a limit on how many iptables entries it takes to 
> hammer a system. Okay, a better question: When am I running the risk of 
> messing up my IP traffic if I add DROP entries in the INPUT rule of 
> iptables?

You do ask the damndest questions, Karl!  :-)

I've never seen a document that describes any rule limits.  It is a
kernel module, so one must assume there is some limit.  It may be that
a spelunking session through the source might answer that.

I've got lots of drop entries on my rules and haven't had any issues,
but I'm always guided by the concept that the more rules a packet must
traverse, the slower the connection will be at startup.  Therefore I
order my rules carefully putting the more generic rules at the top of
the list and the more specific ones at the bottom.  That may not work
for you...every network is a little different (for example, we blacklist
entire /8 networks in some cases because of DOS or hack attacks from
those countries).

> The machine in question acts as a small gateway for one subnet behind a 
> Smoothwall 3.0 gateway that is the gateway for it and the rest of the 
> network.
> 
> The machine is a single core AMD 64 3200+ with 2GB of ram running 32-bit 
> Fedora 8.

Should have plenty of headroom to do what you want with that.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-            The gene pool could use a little chlorine.              -
----------------------------------------------------------------------
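The ordering idea in the reply above (generic rules first, a long run of DROP entries only consulted when needed) can be made concrete. The following shell script is an added example, not code from the thread or from either poster: it emits an iptables-restore ruleset in which connection-tracking accepts come first, the per-CIDR DROPs live in their own BLOCKLIST chain that only NEW packets are sent to, and specific accepts follow; it also ranks the rules of a chain by packet counter so you can see which ones actually do the work. The CIDR list and the counter output are constructed for illustration; `-m state` is assumed to be available (it is on a 2008-era kernel and still accepted on current ones).

```shell
#!/bin/sh
# Added example: ordered iptables ruleset plus a counter-based ranking check.
# Nothing here talks to the kernel; apply the output with iptables-restore.

# Constructed blocklist of CIDRs to drop (in practice read from a file).
BLOCKLIST="10.0.0.0/8
192.0.2.0/24
198.51.100.0/24"

# Emit a filter-table ruleset in iptables-restore format. The rule order is
# the point:
#  1. loopback and ESTABLISHED,RELATED traffic is accepted first, so the
#     bulk of packets never walks the blocklist at all
#  2. only NEW packets jump to the BLOCKLIST chain, keeping INPUT short
#  3. specific per-service accepts follow
#  4. the chain policy DROP catches everything else
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':BLOCKLIST - [0:0]'
    # 1. generic rules at the top
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # 2. blocklist consulted for new connections only
    printf '%s\n' '-A INPUT -m state --state NEW -j BLOCKLIST'
    printf '%s\n' '-A FORWARD -m state --state NEW -j BLOCKLIST'
    # 3. specific accepts for the services this gateway offers
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # BLOCKLIST: one DROP per CIDR, then RETURN to the calling chain
    printf '%s\n' "$BLOCKLIST" | while read -r cidr; do
        [ -n "$cidr" ] && printf '%s\n' "-A BLOCKLIST -s $cidr -j DROP"
    done
    printf '%s\n' '-A BLOCKLIST -j RETURN'
    printf '%s\n' 'COMMIT'
}

# Rank rules by packet count. Feed it the output of
#   iptables -L <chain> -v -n -x --line-numbers
# (-x gives exact counters instead of K/M/G abbreviations). Prints
# "<pkts> <rule-number> <target>", busiest first. A heavily hit rule that
# sits below many rarely hit DROPs is a candidate to move up.
rank_rules() {
    awk '$1 ~ /^[0-9]+$/ { print $2, $1, $4 }' | sort -k1,1nr
}

# Constructed sample of counter output for the INPUT chain above.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 1203 packets, 84210 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        9871     720412 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     4217734 3312998012 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        8812     529320 BLOCKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
4         312      18720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Rule number of the busiest rule in the sample (the ESTABLISHED accept).
busiest_rule() {
    printf '%s\n' "$SAMPLE_COUNTERS" | rank_rules | head -n 1 | awk '{ print $2 }'
}

# Stand-alone usage: print the ruleset, then the ranking of the sample.
build_ruleset
printf '%s\n' "$SAMPLE_COUNTERS" | rank_rules
```

Apply with `build_ruleset | iptables-restore` (as root) and, after some traffic, check `iptables -L INPUT -v -n -x --line-numbers` and `iptables -L BLOCKLIST -v -n -x --line-numbers`. The counters are the practical answer to the "when does it hurt" question: the linear walk through the DROP entries is paid only by NEW packets that reach the BLOCKLIST chain, and within that chain the CIDRs that are hit most often belong at the top.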




More information about the Redhat-install-list mailing list