[SOLVED] Connection Dropping - iptables vs routing
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi guys, I stumbled across an interesting thing today regarding dropping IPs/ranges.
I usually do: iptables -I INPUT -s 41.41.41.41 -j DROP
But after reading up a bit, apparently dropping them using routing is faster and uses less system resources when you have large iptables.
So my question is:
Is doing it via routing better than with iptables?
And does the routing get hit before or after the INPUT iptable?
iptables -I INPUT -s 41.41.41.41 -j DROP
VS
ip route add blackhole 41.41.41.41/32
# Non-Accepted Ports rule
$IPT -N bad-ports
$IPT -A bad-ports -m limit --limit 5/minute -j LOG --log-prefix "bad-ports-rule:"
$IPT -A bad-ports -j DROP
# Make forwarding stateful
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
# Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Banned IP rule
$IPT -N banned
$IPT -A banned -j internet-firewall
# Set jumps for input chain
$IPT -A INPUT -i ${PUB_IF} -d 1.1.1.1/32 -j banned
$IPT -A INPUT -j bad-ports
# Internet to Firewall Connections
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 25 -j ACCEPT # SMTP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 53 -j ACCEPT # DNS
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p udp --dport 53 -j ACCEPT # DNS
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 80 -j ACCEPT # HTTP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 110 -j ACCEPT # POP3
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 143 -j ACCEPT # IMAP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 587 -j ACCEPT # SMTP-MSA
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 993 -j ACCEPT # IMAP SSL
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 1701 -j ACCEPT # PPTP
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 7227 -j ACCEPT # SSH
$IPT -A internet-firewall -i ${PUB_IF} -m state --state NEW -p tcp --dport 8000 -j ACCEPT # Webmin
You get the idea; I didn't include all of the firewalling, just the part that is relevant to this. Then I have a script that checks my logs for brute force attempts and also for anyone who got logged for using ports that aren't accepted, and if they try 3 or more times they get added to the "banned" chain and dropped.
Last edited by Sayajin; 01-24-2014 at 05:16 AM.
All packets not destined for the local host are checked against both the iptables firewall ruleset and the routing table. The routing table is automatically sorted, with the routing entries being checked in ascending order based on the netmask (smallest networks first), while the iptables rules are checked top-to-bottom in the order they were created.
The iptables ruleset can be hand-optimized against the traffic you're expecting to see, by placing the rules matching the most common traffic at the top. You can't really do that with the routing table. On the other hand, rumor has it that the Linux routing engine is getting a major overhaul, enabling routing at gigabit speeds on modest hardware. That'll probably beat the performance of the new netfilter virtual machine in kernel 3.13 by at least an order of magnitude.
Other than that, there are no obvious advantages or disadvantages to blackhole routing compared to blocking traffic with iptables. If the question is "what's best: a humongous routing table or a ridiculously large iptables ruleset", I think the answer is probably "neither".
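As an added example (not the poster's script and not from anyone in the thread), a small POSIX sh ban-list generator in the spirit of the log-checking script described in the first post: it tallies "bad-ports-rule:" LOG hits and sshd failures per source address and prints, for every source at or over the threshold, either the insert into the poster's "banned" chain or the blackhole route from the question. The log lines, the hostname "mx" and the addresses 198.51.100.7 and 203.0.113.9 are constructed; 41.41.41.41 and 1.1.1.1 are the addresses used in the thread.

```shell
#!/bin/sh
# Added example, not the poster's script: tally "bad-ports-rule:" LOG hits and
# sshd failures per source and print a drop command for repeat offenders.
# It only prints commands; nothing here calls iptables or ip.
THRESHOLD=3

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG='Jan 24 05:10:01 mx kernel: bad-ports-rule:IN=eth0 OUT= SRC=41.41.41.41 DST=1.1.1.1 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Jan 24 05:10:02 mx kernel: bad-ports-rule:IN=eth0 OUT= SRC=41.41.41.41 DST=1.1.1.1 PROTO=TCP SPT=40002 DPT=3389 SYN URGP=0
Jan 24 05:10:03 mx kernel: bad-ports-rule:IN=eth0 OUT= SRC=41.41.41.41 DST=1.1.1.1 PROTO=TCP SPT=40003 DPT=445 SYN URGP=0
Jan 24 05:11:00 mx kernel: bad-ports-rule:IN=eth0 OUT= SRC=198.51.100.7 DST=1.1.1.1 PROTO=UDP SPT=51000 DPT=161 LEN=40
Jan 24 05:11:30 mx kernel: bad-ports-rule:IN=eth0 OUT= SRC=198.51.100.7 DST=1.1.1.1 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Jan 24 05:12:00 mx sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 33333 ssh2
Jan 24 05:12:04 mx sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 33333 ssh2
Jan 24 05:12:09 mx sshd[1237]: Failed password for root from 203.0.113.9 port 33340 ssh2'

# offenders MIN: read log lines on stdin, print every source with >= MIN hits,
# sorted one per line. Firewall hits carry the address in the SRC= field of the
# LOG target output; sshd puts it after the word "from".
offenders() {
    awk -v min="$1" '
        /bad-ports-rule:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
        }
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# ban_commands MODE: read addresses on stdin, print one drop command each.
# "iptables" inserts at the top of the poster's "banned" chain, i.e. above its
# "-j internet-firewall" jump, so the DROP is evaluated first. "route" prints
# the blackhole alternative from the question.
ban_commands() {
    while read -r ip; do
        case "$1" in
            iptables) printf 'iptables -I banned -s %s -j DROP\n' "$ip" ;;
            route)    printf 'ip route add blackhole %s/32\n' "$ip" ;;
            *)        echo "unknown mode: $1" >&2; return 1 ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LOG" | offenders "$THRESHOLD" | ban_commands iptables
```

Note that a blackhole route is matched against the destination of packets the host sends, so on its own it silences the host's replies to that address rather than the packets arriving from it; with rp_filter enabled the kernel's reverse-path check also rejects incoming packets whose source address resolves to a blackhole route, which is what makes the routing variant work as an inbound block.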