linblock and iptables, iptables: too many links
hello to all those kind enough to check this post out,

I have just got linblock up and running but I have a few problems.

1) It takes a long time for linblock to add the rules -->after<-- they are downloaded and parsed, probably something in the area of about 45 minutes I think. I am wondering if this is normal. System specs: P3 667 oc'ed to 710 MHz, 256 megs of RAM, in an Asus P3V4X MoBo.

2) It is hard to tell if all these rules are slowing down my machine, but I thought that I would take the author's suggestion found here http://dessent.net/linblock/ and do
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p

Unfortunately, when the linblock script is rerun under a cronjob (45 minutes at 99% CPU load warrants a cronjob in my books for sure) it gives an error: Error: Couldn't remove chain antip2p from INPUT chain. I have tried flushing the rules for this chain and deleting the chain with:
Code:
iptables -F antip2p
Code:
iptables -X antip2p

Everything works fine if I don't run
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
bumperama, bumpenstein, bumpzilla...

helloooo anybody out there. Perhaps I should try a different section of this forum????
How many rules are being inserted by linblock?

Also, the error is probably because the rule you specified links to the one to be deleted.
question:
Quote:
There can be thousands of drop rules, one for each IP that is to be blocked. Linblock parses a file downloaded from bluetack (typically has thousands of entries I think), then enters these rules into iptables with perl. Is there a limitation to the number of rules????
Quote:
Do you use linblock, Matir? P.S. thanks for answering, I swear I could hear the crickets chirping at night when I asked this particular question ;)
I do not use linblock, but I have just looked at the source of it.

If the linblock system actually adds an iptables rule for each IP, and it's thousands of rules, it could take a bit of time to insert. Keep in mind EVERY packet your system handles will need to be examined by each rule, until it reaches a 'terminating condition'... this can increase network latency. Anyway, the other error is in the case that there are still rules pointing to the antip2p chain... not that there are rules in it.
Quote:
Oh and the impact on the network can be reduced if you are running a stateful firewall and do
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p

From: rootatfatmansite (Cron Daemon)
To: rootatfatmansite
Subject: Cron <rootatfatman> iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20050630051502.F22EC12B4F@fatman.site>
Date: Thu, 30 Jun 2005 00:15:02 -0500 (CDT)

/bin/sh: iptables: command not found

I am sure iptables is in root's path. Do I have to call iptables like this, /somepath/iptables? Because I cannot seem to find where it resides. thanks again
Clearly, the path during cron is /usr/bin:/bin (marked in the email). iptables is usually /sbin/iptables. As root, run 'which iptables' to confirm this.
Quote:
Still the question of how to correct the iptables "too many links" problem is open.
You cannot have ANY rules which contain '-j CHAINTODELETE' when you are deleting a chain. You must delete the
Code:
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
rule BEFORE deleting the antip2p chain.
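The teardown order described in the answer above, written out as an added shell example (this is not code from the thread, from linblock or from dessent.net). It assumes iptables lives at /sbin/iptables, which is why it is called by full path instead of relying on cron's /usr/bin:/bin PATH, and that the chain is named antip2p; the `iptables -S` sample it ships with is constructed for the demo. The point it shows is the fix for "Couldn't remove chain antip2p from INPUT chain": every rule that jumps to the chain must be deleted (`-D`) before `-F`/`-X` will work, and the jump is then re-added after linblock has rebuilt the chain.

```shell
#!/bin/sh
# Added example: tear down and re-attach a user chain in the order iptables
# requires. -X refuses to delete a chain while any rule still jumps to it
# ("too many links"), so the "-j antip2p" rule in INPUT has to go first.
# Assumptions (not from the thread): iptables at /sbin/iptables, chain name
# antip2p; both can be overridden through the environment.

IPTABLES=${IPTABLES:-/sbin/iptables}   # full path: cron's PATH lacks /sbin
CHAIN=${CHAIN:-antip2p}

# Read "iptables -S" (or iptables-save) output on stdin and print a delete
# command for every rule in some OTHER chain whose target is $1, by turning
# "-A INPUT ... -j antip2p" into "-D INPUT ... -j antip2p". Rules inside the
# chain itself, policies (-P), chain declarations (-N) and iptables-save
# headers are ignored; the chain's own rules are handled by -F.
jump_rules_to_delete() {
    awk -v chain="$1" '
        $1 == "-A" && $2 != chain && $(NF-1) == "-j" && $NF == chain {
            $1 = "-D"; print
        }'
}

# 1. delete every jump into the chain, 2. flush it, 3. delete it.
teardown_chain() {
    "$IPTABLES" -S | jump_rules_to_delete "$CHAIN" | while read -r rule; do
        # $rule is intentionally unquoted: it is a list of iptables arguments
        "$IPTABLES" $rule
    done
    "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -X "$CHAIN"
}

# After linblock has recreated and filled the chain, attach it again so only
# NEW and RELATED packets pay for the long chain (ESTABLISHED traffic skips it).
# -I inserts at position 1; the thread's -R would overwrite whatever rule 1 is.
reattach_chain() {
    "$IPTABLES" -I INPUT 1 -m state --state NEW,RELATED -j "$CHAIN"
}

# Constructed sample of "iptables -S" output for the demo mode, so the
# filtering logic can be checked without root or a live iptables.
SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N antip2p
-A INPUT -m state --state NEW,RELATED -j antip2p
-A INPUT -i lo -j ACCEPT
-A antip2p -s 192.0.2.1/32 -j DROP
-A antip2p -s 198.51.100.0/24 -j DROP'

case "${1:-}" in
    demo)     printf '%s\n' "$SAMPLE" | jump_rules_to_delete "$CHAIN" ;;
    teardown) teardown_chain ;;
    reattach) reattach_chain ;;
    *)        echo "usage: $0 demo|teardown|reattach" >&2 ;;
esac
```

Run `teardown` before the linblock cron job and `reattach` after it; `demo` only prints the `-D` command the filter would issue for the sample. On an iptables too old for `-S`, pipe `iptables-save` into `jump_rules_to_delete` instead: its `*filter`, `:INPUT ACCEPT [0:0]` and `COMMIT` lines do not start with `-A` and are skipped.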