IPSet Log and drop.

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Thu Apr 21 20:15:33 CEST 2005

On Thu, 21 Apr 2005, Rob Carlson wrote:

> I'm currently using ipset to block some large
> blocks of addresses.  It seems to be working well,
> but a couple of rogue emails have gotten through.

E-mails? You are fully aware that E-mail headers are trivial to forge,
aren't you. Have you checked the sender machines in the Received lines?

> I've found that with vanilla IPTables, to log and
> block one sets up two rules, first the LOG
> statement, then immediately following, the DROP
> statement.  However since I am using a nethash in
> IPSet, I wonder if this approach would work, or
> whether scanning the hash twice to invoke each
> operation would be counter to the reason for using
> the IPset nethash.

ipset set types are really fast. It's hard to say, which is faster:
the rules

> iptables -A testhash -m set --set testhash src -j LOG
> iptables -A testhash -m set --set testhash src -j DROP


iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP
iptables -A testhash -m set --set testhash src -j logdrop

In the first case there is an additional set lookup, in the second case
there are four [six]) additional "wildcard" builtin matches (src, dst,
inface, outface, [proto, frag]) and one jump.

Probably the latter one is a teeny bit faster with a few cycles: hash key
computations are just more expensive operations than simple matches.

Best regards,
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

More information about the netfilter mailing list