performance block countries using iptables/netfilter
Posted by markus on Server Fault
Published on 2012-09-12T08:30:34Z
It's easy to block IPs from a country using iptables (e.g. like http://www.cyberciti.biz/faq/block-entier-country-using-iptables/). However, I read that the performance can go down if the deny list gets too large. An alternative is installing the iptables geoip patch or using ipset (http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/) instead of iptables.
Does anyone have experience with the various approaches and can say something about the performance differences?
Are there other ways to block country IPs in Linux which I didn't mention above?
© Server Fault or respective owner
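
The ipset approach mentioned in the question, shown as an added example that is not part of the original post: a country zone file is converted into input for `ipset restore`, so one iptables rule does a hash lookup instead of the kernel walking one rule per network. The set name `geoblock`, the ipset v6-style syntax and the sample ranges (documentation networks, constructed) are assumptions.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a list of CIDRs.
# Assumptions: set name "geoblock" is hypothetical; ipset v6+ syntax.

# Reads CIDRs on stdin, writes ipset restore commands on stdout.
# Drops comments, blank lines, duplicates and anything that is not IPv4 CIDR.
zone_to_ipset() {
    set_name=$1
    # Fill a temporary set and swap it in, so the live set is never empty
    # while a refreshed country list is being loaded.
    printf 'create %s -exist hash:net family inet\n' "$set_name"
    printf 'create %s-new -exist hash:net family inet\n' "$set_name"
    printf 'flush %s-new\n' "$set_name"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
        sort -u |
        while read -r cidr; do
            printf 'add %s-new %s\n' "$set_name" "$cidr"
        done
    printf 'swap %s-new %s\n' "$set_name" "$set_name"
    printf 'destroy %s-new\n' "$set_name"
}

# Constructed sample input: documentation ranges, not real country data.
sample_zone() {
    cat <<'EOF'
# constructed sample zone file
192.0.2.0/24
198.51.100.0/24   # trailing comment

192.0.2.0/24
not-a-cidr
203.0.113.0/33
EOF
}

# Usage (as root), loading the set and matching it with a single rule:
#   sample_zone | zone_to_ipset geoblock | ipset restore
#   iptables -I INPUT -m set --match-set geoblock src -j DROP
```

Refreshing the country list later only means re-running the pipeline; the iptables rule stays untouched because it refers to the set by name.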