iptables out of memory?

H. Kurth Bemis kurth at kurthbemis.com
Fri Jan 23 11:54:53 EST 2009


This is something I haven't seen mentioned:

While it might seem logical to block SPAM sources at the network level,
I would feel that you could be blocking legitimate mail/users at the
same time.  Many SPAM sources are mis-configured mail servers and
botnets.  While using iptables seems like a good idea, you're going to
end up blocking more than half of the IP space.

I would recommend using Spamhaus's ZEN blocklist
(http://www.spamhaus.org/zen/index.lasso). It is much more reactive to
listing and de-listing hosts than your iptables solution.

~k

On Fri, 2009-01-23 at 11:25 -0500, Tom Buskey wrote:
> On Fri, Jan 23, 2009 at 11:06 AM, Kevin D. Clark
> <kevin_d_clark at comcast.net> wrote:
>         
>         Alan Johnson writes:
>         
>         > I'm using a simple `iptables -A INPUT -s $ipa -j DROP` in a
>         > script to block known spammers that show up in my mail log.
>         > I created a separate script to purge out some older offenders
>         > but I broke it (now fixed) and at about 123K blocked IPAs, I
>         > get "iptables: Memory allocation problem" messages until I
>         > remove some of them.
>         >
>         > Is iptables really limited to that many records or something?
>         > Can I tweak that somewhere?  The machine has plenty of RAM
>         > free.
>         
>         Er....ummm....do you realize that this is a gigantic number of
>         rules?  As a matter of comparison, the number of BGP routing
>         prefixes in use on the general Internet today runs at around
>         300k, and the machines that handle these tables are specialized
>         machines that are *highly* optimized for handling these tables.
>         
>         I doubt that iptables is optimized to efficiently handle tables
>         of this scale.  Even if you were to find a preprocessor #define
>         in the code that controlled the size of some internal table in
>         the runtime, you still wouldn't be out of the woods.
> 
> Given all this, would it be possible to use something like denyhosts
> to block IPs?
> 
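As an added example that is not from the thread or any of its posters: the two approaches discussed above, written out so the difference is visible. Alan's script appends one iptables rule per offender, so the INPUT chain is walked linearly for every packet and its size is bounded by kernel memory for rule storage. The alternative for a large list is a single ipset (hash:ip), where one iptables rule references the set and each lookup is a hash probe regardless of how many addresses it holds. Kurth's suggestion, Spamhaus ZEN, is a DNS blocklist: you reverse the octets of the client address, append `zen.spamhaus.org`, and a 127.0.0.x answer means "listed" while NXDOMAIN means "not listed". The log lines, the set name `spammers`, the three-hit threshold and the resolver injection are assumptions made for this example; the ZEN return codes follow Spamhaus's published table and should be checked against their current documentation before being relied on.

```python
#!/usr/bin/env python3
"""Scaling a mail-log blocklist without one iptables rule per address,
plus a Spamhaus ZEN lookup.  Added example; log format, set name and
thresholds are assumptions, not taken from the thread."""
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample of MTA log lines (Postfix-style wording, documentation
# addresses).  192.0.2.10 and 203.0.113.5 each appear three times,
# 198.51.100.7 once, and 127.0.0.1 three times to show the local-address guard.
SAMPLE_LOG = """\
Jan 23 10:01:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host rejected
Jan 23 10:01:09 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host rejected
Jan 23 10:01:15 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host rejected
Jan 23 10:02:30 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Client host rejected
Jan 23 10:03:00 mx postfix/smtpd[1004]: connect from localhost[127.0.0.1]
Jan 23 10:03:01 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 Client host rejected
Jan 23 10:03:02 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 Client host rejected
Jan 23 10:03:03 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 Client host rejected
Jan 23 10:04:00 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 554 5.7.1 Client host rejected
Jan 23 10:04:01 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 554 5.7.1 Client host rejected
Jan 23 10:04:02 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 554 5.7.1 Client host rejected
"""

REJECT_RE = re.compile(r"reject: RCPT from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Never block these, whatever the log says: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def offender_ips(log_text, min_hits=3):
    """IPv4 senders rejected at least min_hits times, local ranges excluded."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # malformed octet, e.g. 999.1.1.1
        if any(ip in net for net in LOCAL_NETS):
            continue
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def ipset_restore_text(ips, setname="spammers", maxelem=1 << 18):
    """Input for `ipset restore`: one hash:ip set loaded in a single batch.
    -exist makes the script idempotent, so it can be re-run from cron."""
    lines = [f"create {setname} hash:ip family inet hashsize 65536 "
             f"maxelem {maxelem} -exist"]
    lines += [f"add {setname} {ip} -exist" for ip in ips]
    return "\n".join(lines) + "\n"


# The one firewall rule that replaces the whole per-address chain.
IPTABLES_RULE = "iptables -I INPUT -m set --match-set spammers src -j DROP"

ZEN_ZONE = "zen.spamhaus.org"
# Listing codes per Spamhaus's published table (verify against current docs).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
             "127.0.0.4": "XBL", "127.0.0.5": "XBL",
             "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}


def zen_query_name(ip):
    """Reverse the octets: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZEN_ZONE


def _dns_resolve(name):
    """Real resolver: A record of the answer, or None on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def zen_lookup(ip, resolve=_dns_resolve):
    """Return the ZEN listing ('SBL', 'XBL', 'PBL', ...) or None if unlisted.
    `resolve` is injectable so the logic can be exercised offline."""
    answer = resolve(zen_query_name(ip))
    if answer is None:
        return None
    if answer not in ZEN_CODES:
        # 127.255.255.x answers are Spamhaus error codes (bad query, blocked
        # resolver, quota).  Treat anything unrecognised as an error, never
        # as a listing, or you will block on a lookup failure.
        raise RuntimeError(f"unexpected ZEN answer {answer} for {ip}")
    return ZEN_CODES[answer]


if __name__ == "__main__":
    ips = offender_ips(SAMPLE_LOG)
    print(ipset_restore_text(ips), end="")
    print("# then, once:", IPTABLES_RULE)
```

Pipe the output into `ipset restore` and add the single `-m set` rule once; re-running the script only adds new members. Note that this still blocks at the network layer, which is exactly what Kurth objects to: a ZEN hit for a dynamic/PBL address tells you the host should not be sending mail directly, not that all traffic from it is hostile. The usual place for the ZEN check is the MTA itself (Postfix's `reject_rbl_client zen.spamhaus.org`), which rejects at SMTP time and benefits automatically when Spamhaus de-lists a host; and Spamhaus expects the query to come from your own resolver rather than a public one.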