Mailinglist Archive: opensuse (929 mails)

Re: [opensuse] iptables: is PREROUTING nat before or after PREROUTING filter?
On Monday, March 24, 2014 03:13:10 AM Timothy Butterworth wrote:
If you are simply going to drop all packets silently (recommended), then use
the iptables hash function, as it uses less memory and processes faster as
well. There are a lot of examples available on the internet. If you are
allowing established connections and have not implemented deny by default,
permit by exception in and out, then place this above your established
statements inbound. Also use a supernet to block their entire country range
to reduce the number of entries. You can also make statements to block
outbound as well. Masquerade is not an issue with this; make sure you are
blocking as source inbound and destination outbound.

I am on my cell I'll take a look at your attachment when I get a chance.

On Mar 24, 2014 2:07 AM, "Per Jessen" <per@xxxxxxxxxxxx> wrote:
Stefan Gofferje wrote:
Hi,

I have fairly enough of certain probes and am planning to completely
block all known networks from China as well as from Gaza/.ps.
Respective CSV files are available.

The more interesting question is, where do I put the rules as
intelligently as possible? I want to block the IPs for INPUT (to the
fw host itself) as well as for FORWARD, but simply pushing the rules
twice, once into each chain, appears a huge waste of mem to me (those
are quite a couple of rules...).

Do you need the memory for anything else ? :-)



--
Per Jessen, Zürich (3.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
Here is an article that describes an easy way to implement a full country
block.
http://www.itworld.com/security/397733/how-block-traffic-other-countries-linux
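
Added example, not part of the original thread or the linked article: a sketch of the approach discussed above, collapsing a network list into supernets and emitting `ipset restore` input plus rules that reference the one set from each chain, so the list is stored once. The set name `countryblock`, the one-network-per-line input format and the sample ranges are assumptions (constructed documentation ranges, not real country data).

```python
import ipaddress

# Constructed sample input: one network per line (documentation ranges only).
SAMPLE = """\
# constructed sample
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.7
not-a-network
"""

def parse_networks(text):
    """Return (IPv4 networks, rejected lines); blank lines and # comments are skipped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        # The set below is family inet, so anything that is not IPv4 is rejected.
        (nets if net.version == 4 else rejected).append(net if net.version == 4 else line)
    return nets, rejected

def build_restore(nets, set_name="countryblock"):
    """Collapse adjacent/overlapping networks and emit `ipset restore` input."""
    merged = list(ipaddress.collapse_addresses(nets))
    maxelem = max(65536, len(merged))
    lines = [f"create {set_name} hash:net family inet maxelem {maxelem}"]
    lines += [f"add {set_name} {net}" for net in merged]
    return merged, "\n".join(lines) + "\n"

def build_rules(set_name="countryblock"):
    """Insert at position 1 (above ESTABLISHED rules): source inbound, destination outbound."""
    return [
        f"iptables -I INPUT 1 -m set --match-set {set_name} src -j DROP",
        f"iptables -I FORWARD 1 -m set --match-set {set_name} src -j DROP",
        f"iptables -I OUTPUT 1 -m set --match-set {set_name} dst -j DROP",
    ]

if __name__ == "__main__":
    nets, rejected = parse_networks(SAMPLE)
    merged, restore = build_restore(nets)
    print(restore, end="")          # feed this to: ipset restore
    print("\n".join(build_rules()))
```

Review the rejected lines before loading the set, since a silently skipped entry leaves that range unblocked.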
