Iptables – Blocking a country (mass IP ranges), best practice for the actual block

Tags: block, firewall, iptables

This question has obviously been asked many times in many different forms, but I can't find an actual answer to the specific plan I've got. We run a popular European Commercial deals site, and are getting a large amount of incoming registrations/traffic from countries who cannot even take part in the deals we offer (and many of the retailers aren't even known outside Western Europe).

I've identified the problem area to block a lot of this traffic, but (as expected) there are thousands of IP ranges required.

My question now (finally!). On a test server, I created a script to block each range within iptables, but the amount of time it took to add the rules was large, and then iptables was unresponsive after this (especially when attempting an iptables -L).

What is the most efficient way of blocking large numbers of IP ranges:

  • iptables? Or a plugin where I can preload them efficiently?
  • hosts.deny?
  • .htaccess (nasty as I'd be running it in Apache on every load-balanced web server)?

Best Answer

As far as I understand, the question is not where to get the list of IP addresses that need to be blocked, but rather how to block them with iptables efficiently. A script that does a series of "iptables -A" commands is going to take a very long time to load rules, and during this time the firewall runs with an inconsistent policy. This has a significant impact on its performance, too.

I suggest you try the ipset module ( http://ipset.netfilter.org/ ). It allows you to manipulate tables of address blocks directly; you only need one iptables rule to match the whole set. You'll need to experiment with different types of sets to find the one that can accommodate the number of IP address blocks you need to block and give you the performance you need. In any case it is much better at matching long lists of address blocks and allows you to reload it using the command-line tool without touching the rules.

Note that not all Linux distributions include ipsets in their default configuration so you may need to recompile kernel modules and iptables.

Country address blocks change from time to time, so you'll need to update your address set periodically. To reload a set that is already in use you can use the command-line tool "ipset", and it is easy to wrap it in a shell script to automate the process. Or you could use fwbuilder to generate your iptables policy and use the script it generates to manage the ipset as well ( http://www.fwbuilder.org/4.0/docs/users_guide/address-table-object.html , see "5.2.13.1. Using Address Tables Objects with iptables IP sets" in this chapter).
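As an added example (not part of the answer above), the following script shows the approach the answer describes: bulk-load the CIDR list into an ipset with a single "ipset restore", match the whole set with one iptables rule, and reload by swapping in a freshly built set so the rule is never touched. The set name "geoblock", the list path and the sample TEST-NET ranges are constructed placeholders.

```shell
#!/bin/sh
# Constructed example, not from the original answer: bulk-load a country block list
# into an ipset and swap it in atomically, so the single iptables rule never changes.
# Assumptions (placeholders): set name "geoblock", list file /etc/blocklist/country.cidr
# (one prefix per line, '#' comments allowed); needs ipset/iptables and root for "apply".

SET_NAME="geoblock"
CIDR_FILE="${CIDR_FILE:-/etc/blocklist/country.cidr}"

# Turn a CIDR list into an "ipset restore" script for the given set name. hash:net holds
# prefixes of mixed length; one "restore" loads thousands of entries far faster than
# one "ipset add" per range, and far faster than one iptables rule per range.
build_restore_script() {
    set_name="$1"; cidr_file="$2"
    echo "create $set_name hash:net family inet maxelem 131072"
    # Drop comments/blank lines and anything that is not a.b.c.d or a.b.c.d/nn.
    grep -Ev '^[[:space:]]*(#|$)' "$cidr_file" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | sed "s|^|add $set_name |"
}

# Number of entries that would be loaded; a sanity check before swapping a list in.
count_entries() {
    build_restore_script "$1" "$2" | grep -c '^add '
}

# Load into a staging set, then swap it with the live set atomically. The iptables
# rule keeps referencing $SET_NAME, so there is no window with a half-loaded set.
apply_blocklist() {
    ipset -exist create "$SET_NAME" hash:net family inet maxelem 131072
    ipset destroy "${SET_NAME}_new" 2>/dev/null || true   # stale staging set from a failed run
    build_restore_script "${SET_NAME}_new" "$CIDR_FILE" | ipset restore
    ipset swap "${SET_NAME}_new" "$SET_NAME"
    ipset destroy "${SET_NAME}_new"
    # One rule matches the whole set; -C first so repeated runs do not add duplicates.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample list (TEST-NET documentation ranges plus one bad line) for a dry run.
write_sample_list() {
    printf '# constructed sample\n203.0.113.0/24\n\n198.51.100.0/22\nnot-an-address\n192.0.2.1\n' > "$1"
}

if [ "${1:-}" = "apply" ]; then
    apply_blocklist
elif [ "${1:-}" = "dry-run" ]; then
    tmp=$(mktemp); write_sample_list "$tmp"
    build_restore_script "$SET_NAME" "$tmp"; rm -f "$tmp"
fi
```

Run with "dry-run" to inspect the generated restore script, and with "apply" (as root) to load the list and install the single DROP rule.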