From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: randomly changing IPs from different subnets (Google Mail)
Date: Wed, 23 Jun 2010 11:33:55 +0200
Message-ID: <4C21D503.9040505@chello.at>
In-Reply-To: <DC83A9D5-A181-42B0-9FED-13EB46F2D24A@gmail.com>
On 23.06.2010 10:53, Florian Effenberger wrote:
>
> Am 22.06.2010 um 21:16 schrieb Lars Nooden:
> >
>> The chain is a drop-through list of ip addresses that you have decided are good. Then make a rule or pair of rules to send tcp traffic for port 993 and port 537 to that user-defined chain.
>
> If I run a script every 60 seconds per cron and add the hostname, it will automatically add all IPs returned by the DNS at that time. However, this changes randomly, and change time is not predictable.
>
> If I add ten times the host and it resolves to the same IP, iptables doesn't recognize that, and I have 10 similar rules. Is there any check for duplicates possible?
>
> If not, how many entries can the table have before it gets sluggish and slow? If I add two rules every 60 seconds, that would make 120 per hour, 2880 per day. Is that too much, do I need to purge them before? I have no experience with large filtering tables...
>
> Florian--
ipset
http://ipset.netfilter.org/
is the answer to that problem, if you insist on doing it with iptables.
All your cron job would have to do is (pseudo code):
ipset --list gmailset
diff newlist oldlist
ipset --add new_entries
ipset --del dead_IPs
you might have to tinker with your kernel before.
best regards
Mart
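The cron job Mart sketches, written out as a working POSIX sh script. This is an added example, not code from the thread; it assumes a hash:ip set named gmailset, ipset 6 command syntax (create/add/del/list) and getent for name resolution, and keeps the set-diff logic in a function that can be exercised without ipset installed:

```shell
#!/bin/sh
# Added example (not from the thread): keep a hash:ip ipset in sync with the
# addresses a hostname currently resolves to, so the iptables rule never
# changes, e.g.:
#   iptables -A OUTPUT -p tcp --dport 993 -m set --match-set gmailset dst -j ACCEPT
# Assumes ipset 6 syntax and a set named gmailset (hypothetical name).

# resolve_host HOST: current IPv4 answers, one per line, deduplicated.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# current_members SET: IPs currently stored in the set, one per line.
current_members() {
    ipset list "$1" | sed '1,/^Members:/d'
}

# sync_plan SET WANTED CURRENT: pure function over two newline-separated IP
# lists. Prints the minimal "add SET ip" / "del SET ip" lines that turn
# CURRENT into WANTED. A set is keyed by IP, so an address DNS returns ten
# times still yields at most one "add" (the duplicate check asked about above).
sync_plan() {
    printf '%s\n' "$2" | awk -v set="$1" -v cur="$3" '
        BEGIN { n = split(cur, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") have[a[i]] = 1 }
        NF { want[$1] = 1 }
        END {
            for (ip in want) if (!(ip in have)) print "add " set " " ip
            for (ip in have) if (!(ip in want)) print "del " set " " ip
        }' | sort
}

# sync_set SET HOST: create the set if missing, then apply only the changes.
# Intended to be run from cron every minute; the set never grows past the
# number of distinct addresses the name currently has.
sync_set() {
    ipset create -exist "$1" hash:ip
    plan=$(sync_plan "$1" "$(resolve_host "$2")" "$(current_members "$1")")
    [ -n "$plan" ] && printf '%s\n' "$plan" | while read -r op set ip; do
        ipset "$op" "$set" "$ip"
    done
    return 0
}

if [ -n "$1" ]; then
    sync_set gmailset "$1"   # usage: ./sync-ipset.sh imap.example.com
fi
```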