iptables out of memory?
H. Kurth Bemis
kurth at kurthbemis.com
Fri Jan 23 11:54:53 EST 2009
This is something I haven't seen mention of;
While it might seem logical to block SPAM sources at the network level,
I would feel that you could be blocking legitimate mail/users at the
same time. Many SPAM sources are mis-configured mail servers and
botnets. While using iptables seems like a good idea, you're going to
end up blocking more than half of the IP space.
I would recommend using Spamhaus's ZEN blocklist
(http://www.spamhaus.org/zen/index.lasso). It is much more reactive to
listing and de-listing hosts than your iptables solution.
~k
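A defender-side way to act on the ZEN recommendation above, as an added example that is not from this thread: it builds the reversed-octet DNSBL query name, decodes the 127.0.0.x answers, and refuses to treat error codes or non-127 answers as listings. The zone name is Spamhaus's; the function names, the injected resolver and the constructed offline replies are my own assumptions.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# Meaning of the 127.0.0.x answers, per Spamhaus's published ZEN return codes.
RETURN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "SBL DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
DNSBL_CODES = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")  # lookup errors, not listings

def dnsbl_query_name(ip, zone=ZONE):
    """Build the query name: the address's octets reversed, under the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def decode_answers(answers):
    """Turn the A records of a DNSBL reply into list names (empty = not listed)."""
    hits = set()
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr in ERROR_CODES:
            raise RuntimeError(f"DNSBL error code {a}; do not treat as a listing")
        if addr not in DNSBL_CODES:
            continue  # not a DNSBL code (wildcard or hijacked DNS); never trust it
        hits.add(RETURN_CODES.get(a, f"unknown code {a}"))
    return sorted(hits)

def lookup(ip, resolver, zone=ZONE):
    """Return the ZEN lists an address is on; resolver(name) -> list of A records."""
    if not ipaddress.IPv4Address(ip).is_global:
        return []  # private/loopback space is never listed, so don't even query it
    return decode_answers(resolver(dnsbl_query_name(ip, zone)))

def system_resolver(name):
    """Real lookup via the system resolver; NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

CONSTRUCTED_REPLIES = {  # constructed offline stand-ins, not real Spamhaus results
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # XBL + PBL listing
    "5.3.2.1.zen.spamhaus.org": ["10.20.30.40"],  # bogus non-127 answer
}

def fake_resolver(name):
    return CONSTRUCTED_REPLIES.get(name, [])
```

For live use, pass `system_resolver` instead of `fake_resolver`; a mail server would normally do this per SMTP connection rather than pushing every address into iptables.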
On Fri, 2009-01-23 at 11:25 -0500, Tom Buskey wrote:
>
> On Fri, Jan 23, 2009 at 11:06 AM, Kevin D. Clark
> <kevin_d_clark at comcast.net> wrote:
>
> > Alan Johnson writes:
> >
> > > I'm using a simple `iptables -A INPUT -s $ipa -j DROP` in a
> > > script to block known spammers that show up in my mail log. I
> > > created a separate script to purge out some older offenders but I
> > > broke it (now fixed) and at about 123K blocked IPAs, I get
> > > "iptables: Memory allocation problem" messages until I remove some
> > > of them.
> > >
> > > Is iptables really limited to that many records or something? Can
> > > I tweak that somewhere? The machine has plenty of RAM free.
> >
> > Er....ummm....do you realize that this is a gigantic number of rules?
> > As a matter of comparison, the number of BGP routing prefixes in use
> > on the general Internet today runs at around 300k, and the machines
> > that handle these tables are specialized machines that are *highly*
> > optimized for handling these tables.
> >
> > I doubt that iptables is optimized to efficiently handle tables of
> > this scale. Even if you were to find a preprocessor #define in the
> > code that controlled the size of some internal table in the runtime,
> > you still wouldn't be out of the woods.
>
> Given all this, would it be possible to use something like denyhosts
> to block IPs?
>