From: Julien Vehent <julien@linuxwall.info>
To: Sven-Haegar Koch <haegar@sdinet.de>
Cc: Michael Schwartzkopff <misch@multinet.de>,
netfilter <netfilter@vger.kernel.org>
Subject: Re: SpamHaus DROP list in Netfilter
Date: Wed, 17 Dec 2008 11:03:45 +0100 [thread overview]
Message-ID: <b5bf21ccb8eea16bc596892e7c640deb@localhost> (raw)
In-Reply-To: <alpine.DEB.2.00.0812161854080.11699@aurora.sdinet.de>
On Tue, 16 Dec 2008 18:55:10 +0100 (CET), Sven-Haegar Koch
<haegar@sdinet.de> wrote:
> On Tue, 16 Dec 2008, Julien Vehent wrote:
>
>> On Tue, 16 Dec 2008 16:04:36 +0100, Michael Schwartzkopff
>> <misch@multinet.de> wrote:
>> > Am Dienstag, 16. Dezember 2008 15:27 schrieben Sie:
>> >> Hi All,
>> >>
>> >> I was wondering how I could integrate the spamhaus drop list
>> >> (http://www.spamhaus.org/drop/drop.lasso) into my Netfilter rules.
>> >>
>> >> The list is not too long, so I thought putting it directly into a new
>> >> chain
>> >> would be doable without degrading too much the performances. Somebody
>> >> also
>> >> told me to use a chains tree, but I wonder if this is necessary
>> >> considering
>> >> the size of the list...
>> >>
>> >> Has anybody done this before ?
>> >>
>> >> Thanks,
>> >> Julien
>> >
>> > google von "iptables spamhaus" gives you the site:
>> >
>>
http://robotterror.com/site/wiki/aggressive_spam_and_zombie_blocking_via_spamhaus_org_drop_and_iptables
>> >
>> > on the first place.
>> >
>> > Cheers,
>> >
>>
>> Dear Doctor,
>>
>> Thanks for your tremendous help for adding a rule in a chain...... :/
>>
>> My question, however, concerns more the performances issue. This list
>> will
>> be checked for every single TCP-SYN or UDP packet that goes through the
>> kernel, and if the first byte is something like 128 , it's definitely
>> useless to try all the 91.*
>>
>> But implementing a tree of chains in netfilter is also quite a pain in
>> the
>> ass. So before choosing a solution, I would like the opinion of the
>> community.
>
> This sounds like a job for the "iphash" map of the ipset netfilter
> extension. Only one rule in your ruleset and a hash-table with the
> addresses to block.
>
> c'ya
> sven
>
OK ! So, this is what ipset is for ! I discovered this tool during the last
userday conference and was wondering how to use it.
I guess "nethash" is what I'm looking for :
Different size netblocks: nethash
ipset -N hash2 nethash
ipset -A hash2 192.168.1.0/24
ipset -A hash2 10.1.8.0/21
I will look more deeply at this. Thanks for the pointer.
--
www.linuxwall.info
prev parent reply other threads:[~2008-12-17 10:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-16 14:27 SpamHaus DROP list in Netfilter Julien Vehent
[not found] ` <200812161604.37183.misch@multinet.de>
2008-12-16 16:30 ` Julien Vehent
2008-12-16 17:55 ` Sven-Haegar Koch
2008-12-17 10:03 ` Julien Vehent [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b5bf21ccb8eea16bc596892e7c640deb@localhost \
--to=julien@linuxwall.info \
--cc=haegar@sdinet.de \
--cc=misch@multinet.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.