LinuxQuestions.org

Max Iptables Entries (https://www.linuxquestions.org/questions/linux-newbie-8/max-iptables-entries-4175594803/)

mlestillore 12-04-2016 09:22 PM

Max Iptables Entries
 
Guys, newbie question.

What is the maximum number of iptables entries we can have on the web server before performance starts to degrade? Any rule of thumb?

Thanks in advance.

Sefyir 12-04-2016 10:42 PM

Well, packets go from top to bottom until they are ACCEPTed, DROPped, or JUMPed to another chain.
So if you have 10k ip addresses to drop from, each packet will have to process through 10k rules.

I suppose a rule of thumb would be: If you need to ask, it's too many rules. :)

lazydog 12-05-2016 01:06 PM

As Sefyir said, the more rules the longer it takes to process a connection. Here are some helpful points to remember:

1. Always use a STATEFUL firewall. This cuts down on the amount of time it takes to process ESTABLISHED connections.
2. Use ipset whenever you need to drop/allow a number of hosts where you would normally require individual rules.
3. Always set your default POLICIES to DROP. (Some will argue that this is not necessary, but if you forget that last rule that DROPs or REJECTs, your system is open to attacks.)
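The three points above combined into one ruleset, as an added example that is not from the thread or from any poster: a script that emits an ipset restore file and an iptables-restore file for the filter table. The blocklist addresses, the set name "blocklist" and the open ports are constructed for illustration; a naive one-rule-per-host generator is included for comparison. The script only generates text, so it runs without root; loading the result is shown in the usage note.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the two files needed
# for a stateful, ipset-backed, default-DROP firewall on a web server.
# Blocklist, set name and ports below are constructed sample values.

# Constructed sample blocklist; in practice this is thousands of entries.
BLOCKLIST="203.0.113.10 203.0.113.11 198.51.100.0/24"
SET_NAME="blocklist"

# ipset restore file: one hash:net set plus one 'add' line per entry.
# Membership is a hash lookup, so the single iptables rule that
# references the set costs the same whether it holds 3 or 30000 entries.
build_ipset() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    for net in $BLOCKLIST; do
        printf 'add %s %s\n' "$SET_NAME" "$net"
    done
}

# The slow way for comparison: one iptables rule per address. Every packet
# that reaches this part of the chain is compared against each rule in turn.
build_naive_rules() {
    for net in $BLOCKLIST; do
        printf '%s -s %s -j DROP\n' '-A INPUT' "$net"
    done
}

# iptables-restore file for the filter table (lines starting with '#' are
# comments and are ignored by iptables-restore).
build_ruleset() {
    cat <<EOF
*filter
# Point 3: default policy DROP, so a packet that matches no rule is
# dropped even if the final explicit DROP rule was forgotten.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Point 1: stateful rule first. Packets of already-accepted connections
# match here and never traverse the rest of the chain.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Point 2: one rule consults the set instead of one rule per host.
-A INPUT -m set --match-set $SET_NAME src -j DROP
# Only NEW connections to the web ports and SSH get this far.
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules a packet may have to walk in the generated output
# of the given generator function (build_ruleset or build_naive_rules).
count_input_rules() {
    "$1" | grep -c '^-A INPUT'
}
```

To load the result as root: `build_ipset > blocklist.ipset; build_ruleset > rules.v4; ipset restore < blocklist.ipset && iptables-restore < rules.v4`. The set must exist before the ruleset is loaded, because iptables-restore rejects a `--match-set` rule for an unknown set. Afterwards `iptables -L INPUT -v -n` shows per-rule packet counters; on a busy server almost all traffic should be counted on the first (ESTABLISHED,RELATED) rule, which is the point of putting it at the top.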

AwesomeMachine 12-05-2016 02:36 PM

I agree with ld, always start with drop policies.

