Thursday, September 10, 2009

Re: [BLUG] IPtables

I've never done any tests to see what is most efficient, but if you
have a large number of drops for a specific port, it might be useful to
send a single port to its own chain, then deal with the drops for more
specific hosts and networks in that chain. So if you had a separate
chain for port 80, packets destined for port 25 or whatever would skip
over checking all the port 80 rules.

So something like this:


# Dedicated chain for port 80: the per-host and per-network drops live here
/sbin/iptables -N port80
/sbin/iptables -A port80 -s 64.1.2.3/32 -d 0/0 -j DROP
/sbin/iptables -A port80 -s 24.5.6.0/24 -d 0/0 -j DROP
/sbin/iptables -A port80 -s 10.0.0.0/8 -d 0/0 -j DROP
# Anything not dropped above is allowed through on port 80 (the packet
# terminates here and does not return to INPUT)
/sbin/iptables -A port80 -s 0/0 -d 0/0 -j ACCEPT

# Only port 80 traffic is sent into the port80 chain; other ports skip it
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j port80
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j DROP

So I think now that port 25 packets will only have to check 2 rules
instead of 5 because they won't have to go through the chain of port 80
rules. Now I'm curious to see how much of a difference it makes. I'll
have to test it.


On Thu, Sep 10, 2009 at 02:23:10PM GMT, Scott Blaydes [sblaydes@gmail.com] said the following:
> Okay, I am starting to get into some really long DROP lists in my
> IPtables config and was wondering what others on the list thought
> about best placement of the DROPs vs ACCEPTs. Do you have your drops
> early in the file so that the blocked IPs get denied as quickly as
> possible or do you have your allows earlier in the file?
>
> Is one way really more efficient than the other?
>
> Thank you,
> Scott Blaydes
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>

--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/
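The per-port chain layout above, as an added example that is not code from the original post or from the BLUG list: a small POSIX sh script that builds the port80 chain from a blocklist held in a variable (one CIDR per line) rather than from a hand-written run of /sbin/iptables calls, and emits the whole filter table in iptables-restore format so it loads in one atomic step. The chain name port<N>, the blocklist format and the conntrack shortcut in INPUT are assumptions of this example; the three blocked addresses are the ones from the post. The script only prints rules and never touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original post: build the per-port DROP
# chain from a blocklist instead of one /sbin/iptables call per address, and
# emit the result in iptables-restore format so the whole table loads
# atomically. Assumed names: chain "port<N>", blocklist of one CIDR per line
# ('#' comments and blank lines ignored). Nothing here touches a live
# firewall; review the output, then pipe it into iptables-restore.

# Constructed sample blocklist for port 80 (the addresses from the post).
BLOCKLIST_80='# denied on port 80
64.1.2.3/32
24.5.6.0/24
10.0.0.0/8
'

# gen_port_chain PORT BLOCKLIST
# Emits the chain declaration, one DROP per blocklist entry, and a final
# ACCEPT, so a packet that enters this chain never falls back into INPUT.
gen_port_chain() {
    port=$1
    chain="port$port"
    printf '%s\n' ":$chain - [0:0]"
    printf '%s\n' "$2" | while IFS= read -r src; do
        case "$src" in ''|\#*) continue ;; esac
        printf '%s\n' "-A $chain -s $src -j DROP"
    done
    printf '%s\n' "-A $chain -j ACCEPT"
}

# gen_ruleset
# A complete *filter table. Loopback and packets of already-established
# flows are accepted before any port chain is consulted, so only the first
# packet of a connection pays for walking the port80 blocklist. Everything
# not explicitly accepted is dropped by the INPUT policy, which replaces the
# post's trailing "-p tcp -j DROP" rule and also covers non-TCP traffic.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    gen_port_chain 80 "$BLOCKLIST_80"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j port80'
    printf '%s\n' '-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Usage: sh gen_rules.sh > rules.v4 ; inspect rules.v4 ; iptables-restore < rules.v4
gen_ruleset
```

With this layout a new port-25 connection still walks only the INPUT rules ahead of its ACCEPT, and no packet of an established flow walks the port80 chain at all, which is where most of the volume on a busy web server goes. When the blocklist grows into the thousands, the linear walk inside port80 becomes the cost that matters; at that point a hash:net ipset matched with `-m set --match-set` turns the lookup into a hash probe, but that is beyond what the post shows.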