LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Reload this Page Max Iptables Entries
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-04-2016, 09:22 PM   #1
mlestillore
LQ Newbie
 
Registered: Dec 2016
Posts: 1

Rep: Reputation: Disabled
Max Iptables Entries

Guys, newbie question.

What is the max Iptables entries we can have on the web server before the performance starts to degrade. Any rule of thumb ?

Thanks in advance.
 
Old 12-04-2016, 10:42 PM   #2
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316Reputation: 316Reputation: 316Reputation: 316
Well, packets go from top to bottom until they are ACCEPTed, DROP, or JUMPed to another chain.
So if you have 10k ip addresses to drop from, each packet will have to process through 10k rules.

I suppose a rule of thumb would be: If you need to ask, it's too many rules.
 
Old 12-05-2016, 01:06 PM   #3
lazydog
Senior Member
Contributing Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
As Sefyir said, the more rules the longer it takes to process a connection. Here are some helpful points to remember:

1. Always use a STATEFUL firewall. This cuts down on the amount of time it takes to process ESTABLISHED connections.
2. Use ipset when ever you need to drop/allow a number of hosts were you would normally require individual rules.
3. Always set your default POLICIES to DROP. (Some will argue that this is not necessary but if you forget that last rule the DROP's or REJECT's your system is open to attacks.)
 
Old 12-05-2016, 02:36 PM   #4
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,521

Rep: Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015
I agree with ld, always start with drop policies.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
/etc/resolv.conf question. Max Search Entries. grizly Linux - Networking 1 05-28-2008 07:43 PM
Max conn. limit with Iptables. crime Linux - Security 2 04-25-2008 05:47 PM
No entries in iptables? PenguinPwrdBox Linux - Networking 9 02-18-2004 06:58 PM
iptables - loosing entries after reboot mule Linux - Security 7 08-21-2003 12:49 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 08:16 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration