6/18/2023

Load ipset before iptables

Question

I have read some answers here about blocking IP address ranges, and have already used iptables for this purpose before. It is suggested to use ipset in combination with iptables. I have only installed ipset but have not configured it yet. I found this site to generate a list of IPs to ban by country. I selected the 5 countries that target our sites regularly, but the list is huge, 256000 rows.

Would this massive list slow down my server when using ipset (before attempting this using only iptables, I questioned whether such a large file might slow performance)? If that is the case, what is the way to do this? At the moment I use fail2ban but I do not think the configuration for nginx is correctly set up (I assume regex).

Finally, I do not claim to understand CIDR enough to make this list smaller (aggregate similar IP ranges if possible). For instance, there are several /21 entries:

    185.179.152.0/22

An online tool shows this resolves to: 185.179.

I do not think there is any easy way to make the entries less, so any advice regarding implementation and performance issues please.

Answer 1

There is a command line utility named aggregate. It takes a list of CIDR netblocks and aggregates consecutive blocks into the corresponding larger block. It also removes redundant netblocks. For example:

    $ aggregate -q 192.168.0.0/24

Feed it a text file containing only your CIDR blocks and it will attempt to aggregate them, reducing the size of the list. From the man page:

    Takes a list of prefixes in conventional format on stdin, and performs
    two optimisations to attempt to reduce the length of the prefix list.

    The first optimisation is to remove any supplied prefixes which are
    superfluous because they are already included in another supplied prefix.
    For example, 203.97.2.0/24 would be removed if 203.97.0.0/17 was also

    The second optimisation identifies adjacent prefixes that can be
    combined under a single, shorter-length prefix. For example, 203.97.2.0/24
    and 203.97.3.0/24 can be combined into the single prefix 203.97.2.0/23.

Aggregate is packaged in most major Linux distributions, including Ubuntu. (Note that I pulled a list from that web site and tried to aggregate them and nothing happened, so they may already be aggregated.)

Answer 2

Could you use the xt_geoip xtables addon instead? (You can certainly use more than one ipset, which is probably the best thing to do here.)

Xt_geoip uses the (probably) most efficient format, a (non-compressed) packed blob. Loading one country into the kernel costs as much as the file on disk. Since ipset does not support arbitrary IPaddr–IPaddr ranges, one would need to approximate that using, for example, multiple Network/Prefixlength entries. Furthermore, if a hash set type is used, you can assume that, by the nature of hashes and/or trees, some buckets remain empty and/or additional metadata is required. The memory footprint with an ipset-based geoip thus is naturally larger. User reports [1] indicate it can become two orders of magnitude higher in certain cases (iptreemap).

Xt_geoip's lookup time is O(log2(ranges)), so to look up an address within 20,000 ranges, at most 15 iterations each with address comparisons (at most 3) are required. ipset uses Jenkins3 for hashing, which has a certain time cost of its own.
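The two optimisations the aggregate man page describes, written out as an added Python example (not the aggregate tool's own code and not from the thread), run over a constructed prefix list and cross-checked against the standard library's ipaddress.collapse_addresses:

```python
import ipaddress
# Constructed sample (not from the original thread); '#' starts a comment.
SAMPLE = """
203.97.0.0/17
203.97.2.0/24     # inside 203.97.0.0/17 -> dropped (optimisation 1)
192.168.0.0/24
192.168.1.0/24    # halves of 192.168.0.0/23 -> merged (optimisation 2)
192.168.2.0/23    # then merges with that /23 into 192.168.0.0/22
185.179.152.0/22
185.179.156.0/22  # halves of 185.179.152.0/21
10.0.0.0/8
10.0.0.0/8        # exact duplicate, dropped by optimisation 1
"""
def parse_prefixes(text):
    """CIDR lines -> ip_network objects, skipping blanks and comments."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [ipaddress.ip_network(l, strict=False) for l in lines if l]
def _key(n):  # order by version, address, then length (shorter first)
    return (n.version, int(n.network_address), n.prefixlen)
def drop_covered(nets):
    """Optimisation 1: drop prefixes contained in another supplied prefix. In
    sorted order a covering prefix precedes all it contains; one look-back suffices."""
    out = []
    for n in sorted(nets, key=_key):
        if not (out and out[-1].version == n.version and n.subnet_of(out[-1])):
            out.append(n)
    return out
def merge_adjacent(nets):
    """Optimisation 2: replace the two halves of a shorter prefix by that prefix;
    repeat, since one merge can enable another one level up."""
    nets, changed = sorted(nets, key=_key), True
    while changed:
        changed, out = False, []
        for n in nets:
            prev = out[-1] if out else None
            if (prev is not None and prev != n and prev.version == n.version
                    and prev.prefixlen == n.prefixlen and n.prefixlen > 0
                    and prev.supernet() == n.supernet()):
                out[-1] = prev.supernet()  # prev is the lower half, n the upper
                changed = True
            else:
                out.append(n)
        nets = out
    return nets
def aggregate(text):
    """Both optimisations; returns the reduced list as CIDR strings."""
    return [str(n) for n in merge_adjacent(drop_covered(parse_prefixes(text)))]
def matches_stdlib(text):  # cross-check against the stdlib's collapse_addresses
    std = ipaddress.collapse_addresses(parse_prefixes(text))
    return aggregate(text) == [str(n) for n in std]
```

A 256000-line country list can be piped through aggregate(open(path).read()) the same way; the result is what you would then load into one hash:net ipset per country.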