Hi,

On Sat, May 25, 2024 at 06:04:34AM +0800, Northwind wrote:
> I have been using a KVM VPS with 2G RAM, 2 cores.
> Due to fail2ban jobs, iptables in this VPS has dropped 3000+ blacklisted IPs.
> May I ask how many iptables rules the VPS can have?

It depends upon the kind of rule but for a typical fail2ban rule I'd
expect the number to be in the tens or hundreds of millions range
for a host with 2G memory.

> Do many iptables rules influence the networking performance?

Yes. Each rule consumes memory and checking against all rules uses
more and more CPU on each incoming packet.

You will likely get better performance if you switch to nftables and
use an ipset to hold all the bans, though I've no idea how easy
that is to configure with fail2ban.

Also if you switched to blackhole routes (which would block all
traffic, not just TCP on the SSH port) that is likely to be less CPU
work for the kernel too. I believe that's the "route" action in
fail2ban.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
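As an added illustration of the nftables-plus-set approach suggested in the reply above (this is not code from the thread or from fail2ban itself), the ruleset below keeps bans in named sets so that each packet costs one hashed lookup instead of a walk down thousands of chain rules. The table and set names are my own choice, the 1-day default timeout is an assumption, and 203.0.113.0/24 is the documentation range used only for the sample ban.

```nft
#!/usr/sbin/nft -f
# Load once at boot (e.g. nft -f /etc/nftables.d/fail2ban.nft).
# Bans are added and removed as set elements afterwards, not as new rules,
# so the chain itself never grows no matter how many addresses are banned.

table inet fail2ban {
    # Hashed set of banned IPv4 addresses. Lookup time is essentially
    # constant whether the set holds 30 or 30,000 entries.
    set banned_v4 {
        type ipv4_addr
        flags timeout
        timeout 1d              # assumed default; entries expire on their own
    }

    set banned_v6 {
        type ipv6_addr
        flags timeout
        timeout 1d
    }

    chain input {
        # Run before the normal filter chains so banned hosts are dropped
        # before any other rules are evaluated.
        type filter hook input priority filter - 10; policy accept;

        # Let replies to our own connections through untouched.
        ct state established,related accept

        # One lookup per packet against the set; counters let you watch
        # how much traffic the bans are actually absorbing (nft list set).
        ip  saddr @banned_v4 counter drop
        ip6 saddr @banned_v6 counter drop
    }
}

# Adding a ban from a script or a fail2ban action (sample address, constructed):
#   nft add element inet fail2ban banned_v4 { 203.0.113.10 timeout 1h }
# Removing it early:
#   nft delete element inet fail2ban banned_v4 { 203.0.113.10 }
# The blackhole-route alternative mentioned above, which discards all traffic
# to and from the address without touching the firewall at all:
#   ip route add blackhole 203.0.113.10/32
```

Inspect the current bans and the per-rule counters with `nft list table inet fail2ban`; elements that have expired disappear from the set without any further action.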
