[PLUG] IPtables vs .htaccess
Tim
tim-pdxlug at sentinelchicken.org
Thu Jan 27 23:49:03 UTC 2011
> Which method of blocking large numbers of IPs is the least consumptive
> of system resources?
iptables is most likely more efficient, though it may be harder to
manage. I also am not sure how well it scales when you have thousands
of individual IP addresses. However, it is efficient for blocking
groups of IPs.
> I have been using IPtables for several years but
> am curious as to whether it is the best way to go when blocking hundreds
> of IPs - like maybe for ALL of China and/or Korea for instance.
You may want to rethink the approach of blocking whole countries.
For some time a friend of mine was blocking all of China and Korea to
cut down on spam. However, just recently he was working for a client
in one of those countries and just couldn't figure out why he couldn't
receive their email. He had forgotten about the blocking.
There's no telling if/when you'll run into similar issues, and it may
not be related to traffic you can anticipate will go to/from those
countries. (Think geographically distributed services you use every
day.)
A better approach to cut down on noise might be to block traffic from
IPs on public blacklists like the spamhaus XBL:
http://www.spamhaus.org/xbl/
I'm not sure if that specific blacklist is convenient to use with
iptables, but that would be a better approach in my book.
HTH,
tim