On Sun, 1 May 2005, Jack wrote:
--- Frank Wiles wrote:
On Sat, 30 Apr 2005 21:52:02 -0700 (PDT) Jack [email protected] wrote:
I have about half of the addresses blocked, but what is the impact of adding 150 ip addresses to iptables with potentially hundreds more over time? At what point will iptables eat up all my bandwidth in blocking addresses?
Thanks everyone for the suggestions.
Well, iptables doesn't really eat up your bandwidth - the guys trying to connect to your box is what is wasting the bandwidth. The worst iptables can do is eat up processor cycles filtering connections to your box. I have seen machines with hundreds of iptables rules that operate with no issues at all. It works in the kernel space so it can be very efficient.
You probably do not want to permanently deny any address. I believe you can use an automated daemon like portsentry to dynamically add addresses to iptables and after a period of time have that address removed.
//========================================================\ || D. Hageman [email protected] || \========================================================//