Iptables – How many iptables block rules is too many


We have a server with a Quad-Core AMD Opteron Processor 2378. It acts as our firewall for several servers. I've been asked to block all IPs from China.

In a separate network, we have some small VPS machines (256MB and 512MB). I've been asked to block China on those VPSs as well.

I've looked online and found lists which require 4500 block rules. My question is will putting in all 4500 rules be a problem? I know iptables can handle far more rules than that; what I am concerned about is that since these are blocks that I don't want to have access to any port, I need to put these rules before any allow. This means all legitimate traffic needs to be compared to all those rules before getting through. Will the traffic be noticeably slower after implementing this? Will those small VPSs be able to handle processing that many rules for every new packet (I'll put an established allow before the blocks)?

My question is not "How many rules can iptables support?", it's about the effect that these rules will have on load and speed.

Thanks.

Best Answer

It will support that many rules, but you really wouldn't want to traverse a chain of 4500 rules.

As @Zoredache pointed out you could also binary split the chains. If you did it perfectly you could drop the number of chain traversals to 13.

The simplest way to do this is with ipsets.

I am using EL6 which provides support for this. Obviously I don't know all the Chinese netblocks so I'm just filling this with garbage.

ipset create china hash:net
ipset add china 1.2.3.0/24
ipset add china 2.4.0.0/16
ipset add china 123.0.0.0/8
ipset add china 145.12.5.0/24

Then add a rule to iptables to match on that set and drop traffic.

iptables -I INPUT -m set --match-set china src -j DROP

This is much more efficient and faster than standard rule chains.
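As an added example that is not part of the answer above, here is a small POSIX shell script that turns a CIDR list into `ipset restore` input, so a few thousand netblocks load in one atomic call instead of one `ipset add` per line, and that prints the two iptables rules the question describes (the established/related allow first, then the single set match). The set name `china` and the netblocks are constructed samples; the script only generates commands and does not touch a live firewall, so it can be run and inspected as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original answer). Generates ipset/iptables
# commands from a CIDR list; it does not apply them.

SET_NAME="china"   # assumed set name, matches the answer's example

# Constructed sample input: not real allocations. Includes a comment and a
# junk line to show that malformed entries are filtered out.
SAMPLE_CIDRS='# constructed sample netblocks
1.2.3.0/24
2.4.0.0/16
123.0.0.0/8
not-a-cidr
145.12.5.0/24
'

# gen_ipset_restore NAME  (reads CIDRs on stdin, writes `ipset restore` input)
# One hash:net set holds every prefix; a lookup is a hash probe, not a walk
# over thousands of rules. -exist makes the script safe to re-run.
gen_ipset_restore() {
  name="$1"
  printf 'create %s hash:net family inet -exist\n' "$name"
  printf 'flush %s\n' "$name"
  grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$' | while IFS= read -r cidr; do
    printf 'add %s %s -exist\n' "$name" "$cidr"
  done
}

# gen_iptables_rules NAME  (writes the two INPUT rules, top of chain)
# Both use -I at position 1, so the second line printed ends up above the
# first: established/related flows are accepted before the set lookup runs,
# and only new connections pay for the match.
gen_iptables_rules() {
  name="$1"
  printf 'iptables -I INPUT 1 -m set --match-set %s src -j DROP\n' "$name"
  printf 'iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Stand-alone run: print what would be fed to `ipset restore` and to the shell.
printf '%s' "$SAMPLE_CIDRS" | gen_ipset_restore "$SET_NAME"
gen_iptables_rules "$SET_NAME"
```

To apply it on a real host, pipe the first function's output into `ipset restore` and run the printed iptables lines afterwards: the `-m set --match-set` rule refuses to load while the named set does not exist, so at boot the set must be restored before `iptables-restore` runs.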
