How many rules can iptables handle

At the end of the first 24 hours I was already blocking over 22' distinct IPs. I had to upgrade my Linode with 90 extra MB of RAM from a Linode but everything else was fine! After a week I had already blocked over 53' different IPs. Everything ran like a charm and was still able to keep Apache running until eventually the bots stopped trying… :D :D. I suppose my now is nothing to worry about then :. I appreciate all the other suggestions, but so far I'm not terribly worried about the security of the system.

I think I'm going to hold out on port 22 until I see a more viable threat.

Much more elegant. Does that work on CentOS 5?
You'll need to compile nfblock though unless you find an.
This is what IP Sets are for.
OK, I figured it out.
That's what I did. I ran service iptables save before executing the script, so it was simple to revert using service iptables restart. If it's a bug in CentOS' kernel config, I'm not sure there's much I can do about that given that it's a virtual dedicated server (can't do kernel modifications, AFAIK).

Each chain can contain zero or more rules, and has a default policy.

The policy determines what happens when a packet drops through all of the rules in the chain and does not match any rule. You can either drop the packet or accept the packet if no rules match. Through a module that can be loaded via rules, iptables can also track connections.

This means you can create rules that define what happens to a packet based on its relationship to previous packets. For this guide, we are mainly going to be covering the configuration of the INPUT chain, since it contains the set of rules that will help us deny unwanted traffic directed at our server. The netfilter firewall that is included in the Linux kernel keeps IPv4 and IPv6 traffic completely separate. Likewise, the tools used to manipulate the tables that contain the firewall rulesets are distinct as well.

If you have IPv6 enabled on your server, you will have to configure both tables to address the traffic your server is subjected to. The regular iptables command is used to manipulate the table containing rules that govern IPv4 traffic. For IPv6 traffic, a companion command called ip6tables is used.

This is an important point to internalize, as it means that any rules that you set with iptables will have no effect on packets using version 6 of the protocol. The syntax between these twin commands is the same, so creating a ruleset for each of these tables is not too overwhelming. Just remember to modify both tables whenever you make a change.

The iptables command will make the rules that apply to IPv4 traffic, and the ip6tables command will make the rules that apply to IPv6 traffic. You must be sure to use the appropriate IPv6 addresses of your server to craft the ip6tables rules. Now that we know how iptables handles packets that come through its interface (direct the packet to the appropriate chain, check it against each rule until one matches, apply the default policy of the chain if no match is found), we can begin to see some pitfalls to be aware of as we make rules.
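As an added example (not code from the original Server Fault thread or the tutorial text), this sh script builds the IP-set based blocklist the comments recommend instead of one iptables rule per address, and emits separate iptables-restore and ip6tables-restore fragments, since the two tables never share rules. The set names, ports and sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread or tutorial. Tens of
# thousands of addresses go into one hash set per protocol family, referenced
# by a single -m set rule, instead of one linearly-evaluated rule per address.
# Set names (blocklist4/blocklist6) and sample addresses are constructed.

# Rough family classification: an address containing a colon is treated as IPv6.
family_of() {
  case "$1" in
    *:*) echo 6 ;;
    *.*.*.*) echo 4 ;;
    *) echo 0 ;;
  esac
}

# Read addresses (one per line on stdin) and emit an `ipset restore` script.
# IPv4 and IPv6 entries go to separate sets because iptables and ip6tables
# never share state; unparseable lines are reported on stderr and skipped.
gen_ipset_restore() {
  printf 'create blocklist4 hash:net family inet -exist\n'
  printf 'create blocklist6 hash:net family inet6 -exist\n'
  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    case "$(family_of "$ip")" in
      4) printf 'add blocklist4 %s -exist\n' "$ip" ;;
      6) printf 'add blocklist6 %s -exist\n' "$ip" ;;
      *) printf 'skipping unparseable entry: %s\n' "$ip" >&2 ;;
    esac
  done
}

# Emit an iptables-restore (or ip6tables-restore) fragment for one family.
# $1 = set name, $2 = 4 or 6. INPUT's default policy is DROP, so whatever no
# rule matches is dropped. Rules are checked in order and the first match wins,
# so the blocklist comes before the conntrack ACCEPT: an already-established
# connection from a blocked host is cut off too.
gen_filter_rules() {
  printf '*filter\n:INPUT DROP [0:0]\n'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s %s %s\n' '-A INPUT -m set --match-set' "$1" 'src -j DROP'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  if [ "$2" = 6 ]; then
    # IPv6 depends on ICMPv6 for neighbour discovery; dropping it breaks hosts.
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
  fi
  printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
  printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT'
  printf 'COMMIT\n'
}
```

Load the sets first (ipset restore) and only then the two rule files (iptables-restore, ip6tables-restore), because a -m set rule that names a set which does not exist yet is rejected.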
