From: Julien Vehent <julien@linuxwall.info>
To: Sven-Haegar Koch <haegar@sdinet.de>
Cc: Michael Schwartzkopff <misch@multinet.de>,
netfilter <netfilter@vger.kernel.org>
Subject: Re: SpamHaus DROP list in Netfilter
Date: Wed, 17 Dec 2008 11:03:45 +0100 [thread overview]
Message-ID: <b5bf21ccb8eea16bc596892e7c640deb@localhost> (raw)
In-Reply-To: <alpine.DEB.2.00.0812161854080.11699@aurora.sdinet.de>
On Tue, 16 Dec 2008 18:55:10 +0100 (CET), Sven-Haegar Koch
<haegar@sdinet.de> wrote:
> On Tue, 16 Dec 2008, Julien Vehent wrote:
>
>> On Tue, 16 Dec 2008 16:04:36 +0100, Michael Schwartzkopff
>> <misch@multinet.de> wrote:
>> > Am Dienstag, 16. Dezember 2008 15:27 schrieben Sie:
>> >> Hi All,
>> >>
>> >> I was wondering how I could integrate the spamhaus drop list
>> >> (http://www.spamhaus.org/drop/drop.lasso) into my Netfilter rules.
>> >>
>> >> The list is not too long, so I thought putting it directly into a new
>> >> chain
>> >> would be doable without degrading too much the performances. Somebody
>> >> also
>> >> told me to use a chains tree, but I wonder if this is necessary
>> >> considering
>> >> the size of the list...
>> >>
>> >> Has anybody done this before ?
>> >>
>> >> Thanks,
>> >> Julien
>> >
>> > google von "iptables spamhaus" gives you the site:
>> >
>>
http://robotterror.com/site/wiki/aggressive_spam_and_zombie_blocking_via_spamhaus_org_drop_and_iptables
>> >
>> > on the first place.
>> >
>> > Cheers,
>> >
>>
>> Dear Doctor,
>>
>> Thanks for your tremendous help for adding a rule in a chain...... :/
>>
>> My question, however, concerns more the performances issue. This list
>> will
>> be checked for every single TCP-SYN or UDP packet that goes through the
>> kernel, and if the first byte is something like 128 , it's definitely
>> useless to try all the 91.*
>>
>> But implementing a tree of chains in netfilter is also quite a pain in
>> the
>> ass. So before choosing a solution, I would like the opinion of the
>> community.
>
> This sounds like a job for the "iphash" map of the ipset netfilter
> extension. Only one rule in your ruleset and a hash-table with the
> addresses to block.
>
> c'ya
> sven
>
OK ! So, this is what ipset is for ! I discovered this tool during the last
userday conference and was wondering how to use it.
I guess "nethash" is what I'm looking for :
Different size netblocks: nethash
ipset -N hash2 nethash
ipset -A hash2 192.168.1.0/24
ipset -A hash2 10.1.8.0/21
I will look more deeply at this. Thanks for the pointer.
--
www.linuxwall.info
prev parent reply other threads:[~2008-12-17 10:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-16 14:27 SpamHaus DROP list in Netfilter Julien Vehent
[not found] ` <200812161604.37183.misch@multinet.de>
2008-12-16 16:30 ` Julien Vehent
2008-12-16 17:55 ` Sven-Haegar Koch
2008-12-17 10:03 ` Julien Vehent [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b5bf21ccb8eea16bc596892e7c640deb@localhost \
--to=julien@linuxwall.info \
--cc=haegar@sdinet.de \
--cc=misch@multinet.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox