Iptables – How Many Rules Can Iptables Support

Since you're having problems, I would start by simplyfing your configuration. Get rid of all the extraneous rules until you have a basic configuration working. That is, start with:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

And make sure you have the necessary sysctl set:

# sysctl -w net.ipv4.ip_forward=1

And now see if things work. If they do work, slowly start making changes. If they don't work, let us know and we'll proceed from there.

It will support that many rules, but you really wouldn't want to traverse a chain of 4500 rules.

As @Zoredache pointed out you could also binary split the chains. If you did it perfectly you could drop the number of chain traversals to 13.

The simplest way to do this is with ipsets.

I am using EL6 which provides support for this. Obviously I dont know all the chinese netblocks so I'm just filling this with garbage..

ipset create china hash:net
ipset add china 1.2.3.0/24
ipset add china 2.4.0.0/16
ipset add china 123.0.0.0/8
ipset add china 145.12.5.0/24

Then add a rule to IPtables to match on that set and drop traffic..

iptables -I INPUT -m set --match-set china src -j DROP

This is much more efficient and faster than standard rule chains.