On 07/15/2011 12:47 PM, CDR wrote:
I need to keep out all connections from 5 countries, which originate most of the Denial of Service attacks. The entries are around 9000 if used as xx.xx.0.0/16. I heard that there is a smarter way to do this by using User Tables in iptables, that will keep the speed equal to LOG(x). I already tried using a straight list and it kills the box. Unless a smarter way is found, there is no way to use iptables.
iptables is just a user-space configuration interface to the Linux kernel netfilter. Netfilter uses complex hash tables and other data structures to ensure that packet forwarding rules are looked up in as close to O(1) as possible, not even LOG(n); LOG(n) would be way too expensive.
Other than conventional Cisco router access lists (notwithstanding compiled lists and TurboACL), I don't know of any other packet filter in the universe that does not do similarly. No packet filter would apply a flat list, not the Linux netfilter, not the BSD packet filter, not even Windows.
I am not sure what you mean by "User Tables" or in what context you "already tried using a straight list". What list? Where? Illuminating that information would go a long way toward solving your question.
Also, don't post as "CDR". That's just retarded.

--
Alex

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
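Added example, not part of the thread and not code from Alex, CDR, Asterisk or Digium: the standard way to block several thousand prefixes without a 9000-rule chain is to put them into an ipset of type hash:net and reference the set from a single iptables rule. A plain rule chain is evaluated rule by rule for every packet, which is what makes a flat list "kill the box"; hash:net looks the source address up by hashing, so the cost stays flat as the list grows. The script below validates a prefix list, emits an `ipset restore` script for it, and (when run as root with ipset and iptables installed) loads it into a staging set and swaps it into place so the live set is never empty mid-reload. The set name `country_block`, the INPUT chain, the hashsize/maxelem values and the sample prefixes are all assumptions for the example; the sample prefixes are constructed from documentation ranges, not a real country list.

```shell
#!/bin/sh
# Added example (not from the thread): block thousands of prefixes with ONE
# iptables rule by loading them into an ipset of type hash:net.
# Assumed names: set "country_block", chain INPUT, input file with one CIDR per
# line, '#' comments and blank lines allowed.  Requires the ipset package and
# a kernel with the xt_set match to actually apply; the generator and checks
# below run anywhere.

HASHSIZE=${HASHSIZE:-16384}   # initial hash buckets; ipset grows it if needed
MAXELEM=${MAXELEM:-65536}     # hard cap on entries in the set

# Constructed sample list (documentation ranges, not real data), including two
# bad lines that must be rejected rather than handed to the kernel.
sample_prefixes() {
    cat <<'EOF'
# constructed sample, not real data
203.0.113.0/24
198.51.100.0/24   # trailing comment
192.0.2.0/24

10.0.0.0/16
300.1.1.0/24      # bad octet, must be skipped
192.0.2.0/33      # bad prefix length, must be skipped
EOF
}

# Minimal IPv4 CIDR check: four octets 0-255 and a prefix length 0-32.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Turn the prefix list on stdin into an `ipset restore` script for set $1.
# Invalid lines go to stderr and are skipped: one bad entry would otherwise
# abort the whole restore and leave the set half-loaded.
ipset_restore_script() {
    set_name=$1
    printf 'create %s hash:net family inet hashsize %s maxelem %s\n' \
        "$set_name" "$HASHSIZE" "$MAXELEM"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        line=$(printf '%s' "$line" | tr -d '[:space:]') # trim whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'add %s %s\n' "$set_name" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
}

# Number of entries the restore script for set $1 would load (stdin = list).
count_entries() {
    ipset_restore_script "$1" | grep -c '^add '
}

# Load file $1 into a staging set, swap it in atomically, and make sure
# exactly one DROP rule references the live set.  Needs root, ipset, iptables.
apply_blocklist() {
    file=$1
    live=${2:-country_block}
    stage="${live}_stage"
    ipset -exist create "$live" hash:net family inet \
        hashsize "$HASHSIZE" maxelem "$MAXELEM" || return 1
    ipset destroy "$stage" 2>/dev/null || true
    ipset_restore_script "$stage" < "$file" | ipset restore || return 1
    ipset swap "$stage" "$live" && ipset destroy "$stage"
    iptables -C INPUT -m set --match-set "$live" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$live" src -j DROP
}

# Stand-alone demo: print the restore script for the constructed sample.
if [ "${1:-}" = "demo" ]; then
    sample_prefixes | ipset_restore_script country_block
fi
```

Run it as `sh blocklist.sh demo` to see the generated restore script, or call `apply_blocklist /path/to/prefixes.txt` from a root shell to load it. Hash:net is IPv4-or-IPv6 per set (`family inet` here); an IPv6 list needs a second set with `family inet6` and a matching `ip6tables` rule. The swap step is what lets you reload a refreshed country list on a live box without a window where the DROP rule matches nothing.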