I know the performance is better than iptables alone, but since it is part of the kernel I was unable to monitor its CPU utilization.
If they are single IP addresses, first download cidrmerge and the list will probably be a bit shorter.
I recommend iptables with ipset. Using iptables by itself will kill performance.
Each group can handle 65535 entries.
ipset create ban1 hash:net
ipset create ban2 hash:net
ipset create ban3 hash:net
ipset create ban4 hash:net
ipset create ban5 hash:net
ipset create ban6 hash:net
ipset create ban7 hash:net
Saves all config, including the block list, into a text file:
ipset save >config.txt
Restores config from the file:
ipset restore <config.txt
iptables -A INPUT -m set -j DROP --match-set ban1 src
iptables -A INPUT -m set -j DROP --match-set ban2 src
iptables -A INPUT -m set -j DROP --match-set ban3 src
iptables -A INPUT -m set -j DROP --match-set ban4 src
iptables -A INPUT -m set -j DROP --match-set ban5 src
iptables -A INPUT -m set -j DROP --match-set ban6 src
iptables -A INPUT -m set -j DROP --match-set ban7 src
**Currently list:set is not working properly, or you could do this:**
ipset create banned list:set
ipset add banned ban1
ipset add banned ban2
ipset add banned ban3
ipset add banned ban4
ipset add banned ban5
ipset add banned ban6
ipset add banned ban7
iptables -A INPUT -m set -j DROP --match-set banned src
**End: use this when they fix it.**
You can script populating the list.
You will have to break the list into groups of 65535.
cat badip1.txt |xargs -n1 ipset add ban1
cat badip2.txt |xargs -n1 ipset add ban2
Finally, save the config (per above).
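An added example, not part of the answer above: a script that turns a plain-text list of IPs/CIDRs into `ipset restore` input, splitting it into sets of at most N entries, and prints the matching iptables rules. Loading with `ipset restore` is one process for the whole list rather than one `ipset add` per address. The set-name prefix `ban`, the chunk size and the sample addresses are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Reads IPs/CIDRs, one per
# line ("#" comments and blank lines allowed), and emits "ipset restore"
# input split into sets ban1, ban2, ... of at most CHUNK entries.
# Set names and chunk size are assumptions chosen for this example.

# gen_ipset_restore PREFIX [CHUNK] < list.txt  -> restore script on stdout
gen_ipset_restore() {
    awk -v prefix="$1" -v chunk="${2:-65535}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank
        n % chunk == 0 {                                # new set every CHUNK
            name = prefix (int(n / chunk) + 1)
            printf "create %s hash:net family inet maxelem %d\n", name, chunk
        }
        { printf "add %s %s\n", name, $1; n++ }         # hash:net takes /32 too
    '
}

# gen_iptables_rules PREFIX COUNT -> one DROP rule per set in chain INPUT
gen_iptables_rules() {
    i=1
    while [ "$i" -le "$2" ]; do
        printf 'iptables -A INPUT -m set --match-set %s%d src -j DROP\n' "$1" "$i"
        i=$((i + 1))
    done
}

# count_sets < restore-script -> number of sets the script creates
count_sets() { grep -c '^create '; }

# Constructed sample list (documentation/private ranges, not real block data)
SAMPLE='# sample block list
192.0.2.1
198.51.100.0/24
# a comment in the middle
203.0.113.7
10.0.0.0/8
'

# Demo with chunk size 2 so the split is visible. To apply for real (root):
#   gen_ipset_restore ban < badips.txt > ban.restore
#   ipset restore -exist < ban.restore
# then run the printed iptables rules.
demo() {
    script=$(printf '%s' "$SAMPLE" | gen_ipset_restore ban 2)
    n=$(printf '%s\n' "$script" | count_sets)
    printf '%s\n' "$script"
    gen_iptables_rules ban "$n"
}
```

Run `demo` to see the generated restore file and rules for the sample list.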
When you say "sites", do you mean domain names? IP addresses? Network blocks? – David Schwartz – 2014-02-24T20:26:38.450
Yes, I mean sites, like facebook, porn sites, etc. – nizx – 2014-03-10T10:08:47.733