[pve-devel] Creating of a 2nd blacklist with many blocked IPs

Cesar Peschiera brain at click.com.py
Mon Oct 27 14:15:49 CET 2014


@Dmitry:
Excuse me please, I did not express myself properly. What I meant is that with
130.000 IP addresses and 1 rule in iptables, this rule will check 130.000 IP
addresses, and in this case I believe that this firewall will be very slow,
because for each network packet iptables will check a lot of IP
addresses. It is for this reason that other developers created these
"Xtables-Addons" for iptables.

@Dietmar:
If PVE had the "Xtables-Addons" in its firewall, the PVE firewall would have
these benefits:
1) It can check all network packets very quickly against many IP addresses
(thousands, and maybe millions of IP addresses).
2) The files that hold the set of IP addresses for countries will be
small databases, i.e. very small files; right now I have all the databases with
IPv4 and IPv6 addresses included for all countries of the world in a total
of 3 MB of disk space.
3) As "Xtables-Addons" is mainly used to perform the actions in only one
iptables rule (that affects a whole country), the PVE firewall
would be able to have a new, highly optimized feature: IPsets by countries.

This is an example of a firewall rule for China:
iptables -I INPUT -m geoip --src-cc CN -j DROP

And this is another firewall rule for several countries:
(I don't know why I can only have 15 countries per firewall line, so
I have to use some more iptables lines to include more countries)
iptables -I INPUT -m geoip --src-cc CN,IL,RU,IR,NO,SE,FI,DK,DE,AL,BY,BG,SK,HU,MD -j DROP

4) It is also possible to update the IP addresses of the countries very easily
in a database format (I use a bash script); please see this web link, which
is my source for this database (IPv4 and IPv6 included):
http://dev.maxmind.com/geoip/legacy/geolite/

Any question, just let me know.

Best regards
Cesar Peschiera

----- Original Message ----- 
From: "Dmitry Petuhov" <mityapetuhov at gmail.com>
To: <pve-devel at pve.proxmox.com>
Sent: Monday, October 27, 2014 1:50 AM
Subject: Re: [pve-devel] Creating of a 2nd blacklist with many blocked IPs


> 27.10.2014 0:31, Cesar Peschiera writes:
>> I guess that your firewall will not function optimally if you add the
>> 130.00 rules in ipset, because for each network packet the firewall must
>> do 130.000 checks.
> What? Did you mean plain list of single-address rules? Because IPSET
> [http://ipset.netfilter.org/ipset.man.html] is extremely fast at searching
> on large lists of addresses.
>
>
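As an added example (not code from either poster or from the PVE project), here is the kind of bash-script step Cesar describes, written in Python: it converts a GeoLite-legacy-style CSV (constructed sample rows, not real country data) into `ipset restore` input with one hash:net set per country, so that a single `-m set --match-set` rule per country replaces thousands of per-address rules, which is the point Dmitry makes about ipset. The set names `cc_xx` are an assumption.

```python
import csv
import io
import ipaddress

# Constructed sample in the GeoLite legacy CSV layout
# (start IP, end IP, start number, end number, country code, country name).
# These are documentation/private ranges, not real country allocations.
SAMPLE_CSV = (
    '"10.0.0.0","10.0.1.255","167772160","167772671","CN","China"\n'
    '"10.5.0.0","10.5.0.63","168099840","168099903","CN","China"\n'
    '"192.0.2.0","192.0.2.255","3221225984","3221226239","RU","Russia"\n'
    '"2001:db8::","2001:db8::ffff","0","0","CN","China"\n'
)


def networks_by_country(csv_text, countries, version=4):
    """Collapse each country's start/end ranges into a minimal list of CIDRs."""
    nets = {cc: [] for cc in countries}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5 or row[4] not in nets:
            continue
        first, last = ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])
        if first.version != version:
            continue  # IPv4 and IPv6 go into separate sets (ipset 'family')
        nets[row[4]].extend(ipaddress.summarize_address_range(first, last))
    return {cc: [str(n) for n in ipaddress.collapse_addresses(v)]
            for cc, v in nets.items()}


def ipset_restore_text(csv_text, countries, family="inet"):
    """Build input for `ipset restore`: one hash:net set per country (assumed
    name cc_xx). -exist makes the script safe to re-run after a database update."""
    version = 4 if family == "inet" else 6
    nets = networks_by_country(csv_text, countries, version)
    lines = []
    for cc in countries:
        name = f"cc_{cc.lower()}"
        lines.append(f"create {name} hash:net family {family} -exist")
        lines.extend(f"add {name} {net} -exist" for net in nets[cc])
    return "\n".join(lines) + "\n"


def iptables_rules(countries):
    """One rule per country set; the kernel hashes the source address into the
    set, so lookup cost does not grow with the number of blocked networks."""
    return [f"iptables -I INPUT -m set --match-set cc_{cc.lower()} src -j DROP"
            for cc in countries]


if __name__ == "__main__":
    print(ipset_restore_text(SAMPLE_CSV, ["CN", "RU"]), end="")
    print("\n".join(iptables_rules(["CN", "RU"])))
```

Pipe the generated text into `ipset restore` (and the IPv6 run with `family="inet6"` into a separate set) before loading the rules.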