I've had a mandrake box up since about Jan. I run a small web server. I got tired of seeing all the scriptkiddies searching for windows CMD.EXE and ROOT.EXE etc., so I have been using iptables to DROP their IP into never-never land. I've also done the same for the scanb---tards that insist on filling my dmesg with nmap scan audit entries.

Problem is this, I've now got about 1800!! entries in iptables on the INPUT chain, and it appears that it is no longer dropping some of these IP's (Filling my logs again) It seems to be for the last few hosts I added.

Question is - Is there some parameter that I may have to change to allow for this many entries, and then re-compile? I'm assuming that I've 'filled' the space reserved for this in my kernel and it is ignoring some entries.

Maybe I should create some new chains (tables) and move my entries around, haven't tried that yet

I'm Stumped

Any Help?

UPDATE - Sure enough, If I put a rule at the end of the table it has no effect but near the top of the table it works fine...

I'd say just drop the 1800 tags, if this is 4 months worth of scans its worthless anyway, since most skiddies will move on when a target ain't "interesting" anymore. Else may I suggest you try Snort IDS for intrusion detection like worms, scans exploits etc etc? Then you could use Guardian, which can drop IP's into ipchains/iptables but also incorporates some kind of timer, so after x minutes/hours the IP addy will be unblocked again and the rule deleted as not to accumulate too much useless crud.

The only stuff tweakable i read about isipconn_track. Somewhere under /proc theres a few ipconn_track entries, the limit is 2048 (cat /proc/*/ipconn_tracksomething-something | wc -l). It can be enhanced by catting a memory value into another ipconn_track entry. Bit vague but that's all I remember :-]