LinuxQuestions.org
01-24-2014, 03:01 AM   #1
Sayajin
LQ Newbie
 
Registered: Nov 2013
Posts: 12

Connection Dropping - iptables vs routing


Hi guys, I stumbled across an interesting thing today regarding dropping IPs/ranges.

I usually do: iptables -I INPUT -s 41.41.41.41 -j DROP
but after reading up a bit, apparently dropping them using routing is faster and uses
fewer system resources when you have a large iptables ruleset.

So my question is:
is doing it via routing better than with iptables?
and does the routing get hit before or after the INPUT chain of iptables?

iptables -I INPUT -s 41.41.41.41 -j DROP
VS
ip route add blackhole 41.41.41.41/32


Thanks in advance

Last edited by Sayajin; 01-24-2014 at 08:33 AM.
 
01-24-2014, 04:47 AM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Can you show your iptables file?
Also, it's normally easier to set the policy to 'DROP' and only allow (whitelist) the allowed sources.
 
01-24-2014, 05:07 AM   #3
Sayajin
LQ Newbie
 
Registered: Nov 2013
Posts: 12

Original Poster
- See relevant firewall rules below
# Clear all rules
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Set default chain policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Non-Accepted Ports rule
$IPT -N bad-ports
$IPT -A bad-ports -m limit --limit 5/minute -j LOG --log-prefix "bad-ports-rule:"
$IPT -A bad-ports -j DROP

# Make forwarding stateful
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

# Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Create forwarding chains
$IPT -N internet-firewall

# Banned IP rule
$IPT -N banned
$IPT -A banned -j internet-firewall

# Set jumps for input chain
$IPT -A INPUT -i ${PUB_IF} -d 1.1.1.1/32 -j banned
$IPT -A INPUT -j bad-ports

# Internet to Firewall Connections
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 25 -j ACCEPT # SMTP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 53 -j ACCEPT # DNS
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p udp --dport 53 -j ACCEPT # DNS
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 80 -j ACCEPT # HTTP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 110 -j ACCEPT # POP3
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 143 -j ACCEPT # IMAP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 587 -j ACCEPT # SMTP-MSA
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 993 -j ACCEPT # IMAP SSL
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 1701 -j ACCEPT # PPTP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 7227 -j ACCEPT # SSH
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 8000 -j ACCEPT # Webmin
- You get the idea; I didn't include all of the firewalling, just the part that is relevant to this. Then I have a script that checks my logs for brute-force attempts and also for anyone who got logged for using ports that aren't accepted; if they try 3 or more times they get added to the "banned" chain and dropped.

Last edited by Sayajin; 01-24-2014 at 05:16 AM. Reason: typo
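The poster describes a log-checking script but did not include it. The following is an added example written for this page (not Sayajin's script) of how such a check can be done from the "bad-ports-rule:" LOG lines the ruleset above produces: count hits per source address, apply the "3 or more" threshold, and render either an iptables rule for the custom "banned" chain or a /32 blackhole route. The syslog lines are constructed sample data in the shape the LOG target writes; the 198.51.100.x and 203.0.113.x addresses are documentation ranges, and using "-I banned" as the place to drop is an assumption about how that chain is meant to be used.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample syslog lines in the shape the iptables LOG target writes
# with --log-prefix "bad-ports-rule:" (sample data, not a real capture).
SAMPLE_LOG = """\
Jan 24 03:01:10 mx kernel: bad-ports-rule:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=41.41.41.41 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 03:01:11 mx kernel: bad-ports-rule:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=41.41.41.41 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 03:01:12 mx kernel: bad-ports-rule:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=41.41.41.41 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51002 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 03:02:00 mx kernel: bad-ports-rule:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 03:05:00 mx sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50022 ssh2
"""

LOG_PREFIX = "bad-ports-rule:"
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
DPT_RE = re.compile(r"\bDPT=(\d+)\b")


def parse_bad_port_hits(text, prefix=LOG_PREFIX):
    """Count logged hits per source address and record the ports each one probed.

    Only lines carrying the LOG prefix are considered, so unrelated kernel or
    daemon messages (like the sshd line in the sample) are ignored.
    Returns (hits, ports): hits is a Counter source -> count, ports maps
    source -> sorted list of destination ports seen.
    """
    hits = Counter()
    ports = {}
    for line in text.splitlines():
        if prefix not in line:
            continue
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = str(ip_address(m.group(1)))  # reject malformed addresses
        except ValueError:
            continue
        hits[src] += 1
        d = DPT_RE.search(line)
        if d:
            ports.setdefault(src, set()).add(int(d.group(1)))
    return hits, {src: sorted(p) for src, p in ports.items()}


def sources_to_ban(hits, threshold=3):
    """Sources at or above the threshold, most active first, then by address."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, n in ordered if n >= threshold]


def ban_commands(sources, method="iptables"):
    """Render the block as shell commands without executing anything.

    'iptables' inserts at the top of the custom 'banned' chain from the ruleset
    above (an assumption about how that chain is used, not the poster's code);
    'route' renders a /32 blackhole route instead.
    """
    if method == "iptables":
        return [f"iptables -I banned -s {src} -j DROP" for src in sources]
    if method == "route":
        return [f"ip route add blackhole {src}/32" for src in sources]
    raise ValueError(f"unknown method: {method}")


if __name__ == "__main__":
    hits, ports = parse_bad_port_hits(SAMPLE_LOG)
    for src in sources_to_ban(hits):
        print(f"{src}: {hits[src]} hits on ports {ports[src]}")
    for cmd in ban_commands(sources_to_ban(hits)):
        print(cmd)
```

Rendering the commands rather than running them keeps the triage step reviewable; a real deployment would also need to skip addresses that are already banned and to whitelist the administrator's own sources before anything is inserted.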
 
01-28-2014, 08:25 AM   #4
Sayajin
LQ Newbie
 
Registered: Nov 2013
Posts: 12

Original Poster
*bump*
 
01-28-2014, 08:51 AM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,340

All packets not destined for the local host are checked against both the iptables firewall ruleset and the routing table. The routing table is automatically sorted with the routing entries being checked in ascending order based on the netmask (smallest networks first), while the iptables rules are checked top-to-bottom in the order they were created.

The iptables ruleset can be hand-optimized against the traffic you're expecting to see, by placing the rules matching the most common traffic at the top. You can't really do that with the routing table. On the other hand, rumor has it that the Linux routing engine is getting a major overhaul, enabling routing at gigabit speeds on modest hardware. That'll probably beat the performance of the new netfilter virtual machine in kernel 3.13 by at least an order of magnitude.

Other than that, there are no obvious advantages or disadvantages to blackhole routing compared to blocking traffic with iptables. If the question is "what's best: a humongous routing table or a ridiculously large iptables ruleset", I think the answer is probably "neither".
 
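The ordering difference Ser Olmy describes is the part that actually changes outcomes: a route lookup picks the most specific prefix whatever order the routes were added in, while an iptables chain takes the first matching rule from the top, so `-I` and `-A` can give opposite results for the same two rules. The small simulation below is an added example written for this page, not code from any poster or from the kernel; `RouteTable` and `Chain` are simplified models assumed here, and the addresses reuse the 41.41.41.41 example from the question.

```python
from ipaddress import ip_address, ip_network


class RouteTable:
    """Destination-keyed table with longest-prefix-match lookup.

    Models the property described above: the most specific prefix wins,
    regardless of the order in which routes were added.
    """

    def __init__(self):
        self.routes = []  # (network, action)

    def add(self, prefix, action):
        self.routes.append((ip_network(prefix), action))

    def lookup(self, dst):
        dst = ip_address(dst)
        best = None
        for net, action in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, action)
        return best[1] if best else "unreachable"


class Chain:
    """An iptables-style chain: rules are scanned top to bottom, the first
    match wins, and a packet matching nothing gets the chain policy."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []  # (source network, target)

    def insert(self, src_prefix, target):
        """Like `iptables -I CHAIN ...`: becomes the first rule."""
        self.rules.insert(0, (ip_network(src_prefix), target))

    def append(self, src_prefix, target):
        """Like `iptables -A CHAIN ...`: becomes the last rule."""
        self.rules.append((ip_network(src_prefix), target))

    def lookup(self, src):
        """Return (target, number of rules examined before deciding)."""
        src = ip_address(src)
        for examined, (net, target) in enumerate(self.rules, start=1):
            if src in net:
                return target, examined
        return self.policy, len(self.rules)


def demo():
    # Routing: insertion order is irrelevant, the /32 blackhole always wins.
    rt = RouteTable()
    rt.add("0.0.0.0/0", "via gateway")
    rt.add("41.41.41.41/32", "blackhole")
    rt.add("41.41.0.0/16", "via gateway")

    # iptables: the same two rules give opposite answers depending on order.
    appended = Chain(policy="DROP")
    appended.append("41.41.0.0/16", "ACCEPT")
    appended.append("41.41.41.41/32", "DROP")  # shadowed by the /16 above it

    inserted = Chain(policy="DROP")
    inserted.append("41.41.0.0/16", "ACCEPT")
    inserted.insert("41.41.41.41/32", "DROP")  # -I puts the specific rule on top

    return {
        "route_blocked": rt.lookup("41.41.41.41"),
        "route_neighbor": rt.lookup("41.41.41.42"),
        "appended": appended.lookup("41.41.41.41"),
        "inserted": inserted.lookup("41.41.41.41"),
        "inserted_neighbor": inserted.lookup("41.41.41.42"),
        "unlisted": inserted.lookup("203.0.113.9"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One caveat when comparing the two commands from the original question: a route lookup is keyed on the destination address, so `ip route add blackhole 41.41.41.41/32` directly stops packets this host would send to that address, and inbound packets from it are dropped by the route only when reverse-path filtering (`net.ipv4.conf.*.rp_filter`) validates the source against the routing table. The iptables rule matches on the source address unconditionally.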