performance block countries using iptables/netfilter

Posted by markus on Server Fault
Published on 2012-09-12T08:30:34Z Indexed on 2012/09/12 9:39 UTC

It's easy to block IPs from a country using iptables (e.g. like http://www.cyberciti.biz/faq/block-entier-country-using-iptables/). However, I read that the performance can go down if the deny list gets too large. An alternative is installing the iptables geoip patch or using ipset (http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/) instead of iptables.

Does anyone have experience with the various approaches and can say something about the performance differences?

Are there other ways to block country IPs in Linux which I didn't mention above?

© Server Fault or respective owner
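
The ipset approach mentioned in the question replaces one iptables rule per network, which the kernel walks in order for every packet, with a single rule that does a hash lookup in a set. The sketch below is an added example, not part of the original post: it turns a country CIDR list into `ipset restore` input. The function name `gen_ipset_restore`, the set name `geoblock` and the sample networks are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a country CIDR list.
# Assumed names: gen_ipset_restore, the set "geoblock", SAMPLE_ZONE.

# Constructed sample zone file (documentation ranges, not real country data).
SAMPLE_ZONE='# constructed sample
192.0.2.0/24
198.51.100.0/24   # trailing comment
300.1.1.0/24
203.0.113.0/25
'

# Read CIDRs on stdin, write ipset restore commands for set $1 on stdout.
# Malformed entries are reported on stderr and skipped, so one bad line in a
# downloaded list cannot abort the load half-way.
gen_ipset_restore() {
    printf 'create %s hash:net family inet maxelem 262144\n' "$1"
    awk -v set="$1" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" { next }
        {
            ok = (split($0, p, "/") == 2 && p[2] ~ /^[0-9]+$/ &&
                  p[2] >= 1 && p[2] <= 32 && split(p[1], o, ".") == 4)
            for (i = 1; ok && i <= 4; i++)
                ok = (o[i] ~ /^[0-9]+$/ && o[i] <= 255)
            if (ok) print "add " set " " $0
            else    print "skipped invalid entry: " $0 > "/dev/stderr"
        }'
}

# Show the generated restore file for the sample.
printf '%s' "$SAMPLE_ZONE" | gen_ipset_restore geoblock

# Loading it needs root and is left as comments:
#   printf '%s' "$SAMPLE_ZONE" | gen_ipset_restore geoblock | ipset -exist restore
#   iptables -I INPUT -m set --match-set geoblock src -j DROP
```

However many networks the list holds, the INPUT chain gains only the one `--match-set` rule; `maxelem` has to be at least the number of entries in the list.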
