I have CentOS 7, Plesk 12, 8GB RAM VPS.

I have around 1000 rules in my IPtables to block abusive users. But when reloading IPtables it takes 15 seconds to reload all 1000 rules.

First of all, is it an expected outcome to reload IPtables in 15 seconds if there are 1000 rules? This seems a bit slow to me. To be fair, my server is idle and everything else runs pretty fast. Is it a misconfiguration on my server or is it normal?

So I wanted to install IPset, but it is not available for my VPS because it uses OpenVZ. IPset is simply not available for OpenVZ.

What other alternative do I have other than IPset to decrease IPtables rules?

NecNecco
  • +1. I wonder this too, it's painfully slow and I would like to speed it up. As a somewhat humorous note: we use APF since it's quick and easy, works with fail2ban, cpHulk, etc. Due to the constant torrent of bullsh*t from Russia/Ukraine/China/India/OVH, there are 19,000 blocked IPs, ranges, and ASNs in deny_hosts.rules, which consequently piggybacks on top of iptables. The last time I purged/restarted APF, which mitigated iptables, it took about 30 minutes. Yikes. Bonus question: how do I make this [APF] purge/restart schema faster? – dhaupin Apr 13 '16 at 15:11
  • Your other alternative is to not use OpenVZ based VPSes. – Michael Hampton Apr 13 '16 at 16:39
  • It is a solution but finding a reliable hosting company and migrating is another problem. – NecNecco Apr 13 '16 at 16:47
  • This solution might help and might be related: https://serverfault.com/questions/334885/use-iptables-or-null-route-for-blacklisting-about-1-million-ip-addresses/335070#335070 – 16851556 Oct 08 '16 at 13:57
  • Did you try downloading and compiling ipset from source code downloadable from netfilter.org? – cybernard Jan 02 '18 at 03:37

1 Answer

You can replace ipset with a tree of iptables chains. The https://github.com/netoptimizer/IPTables-SubnetSkeleton module generates them, but lacks documentation and examples.

A small SubnetSkeleton usage example can be found here: http://www.slideshare.net/brouer/netfilter-making-large-iptables-rulesets-scale (see slide 16).

user2743554
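As an added example (not from the answer above and not the SubnetSkeleton project's own code), here is a POSIX sh/awk script that builds such a chain tree for a constructed blocklist and emits it in iptables-restore format, splitting first by /8 and then by /16; the chain names BLOCK, BLOCK_a and BLOCK_a_b are my own choice.

```shell
#!/bin/sh
# Constructed sample blocklist (not taken from the question): one IPv4 host or CIDR per line.
BLOCKLIST='198.51.100.7
198.51.100.23
198.51.77.200/29
203.0.113.5
203.0.113.99
192.0.2.44'

# Emit iptables-restore text for a two-level chain tree rooted at user chain BLOCK:
#   BLOCK --(-s a.0.0.0/8)--> BLOCK_a --(-s a.b.0.0/16)--> BLOCK_a_b --> DROP leaves
# A packet is compared against one rule per populated /8, one per populated /16
# under its /8, and the leaves of one /16, instead of every rule in a flat list.
gen_tree_rules() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF >= 4 {
      a = $1; b = $2
      l1[a] = 1
      l2[a "_" b] = 1
      order[++n] = $0                 # keep input order for stable leaf output
      leaf[$0] = a "_" b
    }
    END {
      print "*filter"
      print ":BLOCK - [0:0]"          # declare every chain before any -A line
      for (k in l1) print ":BLOCK_" k " - [0:0]"
      for (k in l2) print ":BLOCK_" k " - [0:0]"
      for (k in l1) print "-A BLOCK -s " k ".0.0.0/8 -j BLOCK_" k
      for (k in l2) {
        split(k, p, "_")
        print "-A BLOCK_" p[1] " -s " p[1] "." p[2] ".0.0/16 -j BLOCK_" k
      }
      for (i = 1; i <= n; i++)
        print "-A BLOCK_" leaf[order[i]] " -s " order[i] " -j DROP"
      print "COMMIT"
    }'
}

# Count the rules in one chain of the generated text: the longest such list is
# the most rules any single packet is compared against inside the tree.
rules_in_chain() {  # $1 = generated text, $2 = chain name
  printf '%s\n' "$1" | grep -c -- "-A $2 "
}

RULES=$(gen_tree_rules "$BLOCKLIST")
printf '%s\n' "$RULES"
```

Load the output in one batch with `iptables-restore -n` rather than running `iptables` once per rule (each `iptables` call fetches and replaces the whole table, which is what makes a 1000-rule reload slow), and send traffic into the tree with a single jump such as `-A INPUT -j BLOCK`.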