• Re: how many iptables rules can a VPS have

    From Andy Smith@21:1/5 to Northwind on Sat May 25 00:30:01 2024
    Hi,

On Sat, May 25, 2024 at 06:04:34AM +0800, Northwind wrote:
> I have been using a KVM VPS with 2G RAM, 2 cores.
> Due to fail2ban jobs, iptables in this VPS has dropped 3000+ blacklisted IPs.
> May I ask how many iptables rules the VPS can have at most?

    It depends upon the kind of rule but for a typical fail2ban rule I'd
    expect the number to be in the tens or hundreds of millions range
    for a host with 2G memory.

> Do many iptables rules influence the networking performance?

    Yes. Each rule consumes memory and checking against all rules uses
    more and more CPU on each incoming packet.

    You will likely get better performance if you switch to nftables and
    use an ipset to hold all the bans, though I've no idea how easy
    that is to configure with fail2ban.

    Also if you switched to blackhole routes (which would block all
    traffic, not just TCP on the SSH port) that is likely to be less CPU
    work for the kernel too. I believe that's the "route" action in
    fail2ban.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
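An added illustration of the set-based layout Andy recommends (this is an example written for this thread, not fail2ban's own action definition or anything from the original posts). The fail2ban iptables actions append one rule per banned address to a per-jail chain, so every incoming packet is matched against the bans one rule at a time; with a named nftables set, all bans live in a single hash-backed set and one rule does the lookup regardless of how many addresses are banned. The table name `f2b`, the set name `banned`, and the two TEST-NET addresses with their timeouts are assumptions constructed for the example; load with `nft -f <file>` and add or expire entries with `nft add element inet f2b banned { <addr> timeout 1h }` (the `inet` family matches both IPv4 and IPv6 hooks, but this set is typed `ipv4_addr`, so a second `ipv6_addr` set would be needed for IPv6 bans).

```nft
# Example nftables ruleset: one set holds every ban, one rule checks it.
# Table and set names are assumed for this example; adjust to taste.
table inet f2b {
	set banned {
		type ipv4_addr
		# per-element timeouts let bans expire without a separate unban job
		flags timeout
		# constructed sample entries (RFC 5737 TEST-NET addresses), not real bans
		elements = { 203.0.113.45 timeout 1h, 198.51.100.7 timeout 1h }
	}

	chain input {
		type filter hook input priority 0; policy accept;
		# a single lookup against the set replaces one rule per banned address;
		# the counter lets you verify drops with: nft list chain inet f2b input
		ip saddr @banned counter drop
	}
}
```

Dropping on the input hook blocks all traffic from a banned source, not just the SSH port, which is the same effect Andy describes for blackhole routes; if a jail should only block the service it protects, add a `tcp dport` match to the rule instead.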
  • From Northwind@21:1/5 to All on Sat May 25 00:20:01 2024
    Hello

I have been using a KVM VPS with 2G RAM, 2 cores.
Due to fail2ban jobs, iptables in this VPS has dropped 3000+ blacklisted IPs.
May I ask how many iptables rules the VPS can have at most?
Do many iptables rules influence the networking performance?

    Thanks

  • From Michael Grant@21:1/5 to Andy Smith on Sat May 25 08:10:01 2024
On 24 May 2024 23:23:44 BST, Andy Smith <andy@strugglers.net> wrote:
> You will likely get better performance if you switch to nftables and
> use an ipset to hold all the bans, though I've no idea how easy
> that is to configure with fail2ban.

    It's easy, supported out of the box. I have been using nftables for years with f2b. Cleaner looking, easier to read rules, structured syntax. I like it.

I can't speak to the performance, I don't have any way to test that.

    Michael Grant

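For anyone wanting to see what "supported out of the box" looks like in practice, here is an added example of the `jail.local` override that switches fail2ban from its default iptables actions to its bundled nftables actions (this is an example written for this thread, not a file from either poster's system). `nftables-multiport`, `nftables-allports` and `route` are action names that ship with fail2ban; the jail shown and the `maxretry`/`bantime` values are assumed for the example. Check the result with `fail2ban-client status sshd` and `nft list ruleset` after a restart.

```ini
# /etc/fail2ban/jail.local (example override; values below are assumptions)
[DEFAULT]
# Use the nftables actions shipped with fail2ban instead of the iptables ones.
# Bans land in an nftables set, so the kernel does one set lookup per packet
# rather than walking one rule per banned address.
banaction = nftables-multiport
banaction_allports = nftables-allports

# Alternative from Andy's reply: the "route" action installs a blackhole
# route for each banned address, blocking all traffic from it, not just the
# jail's ports. Uncomment to use it instead of the nftables actions.
#banaction = route

[sshd]
enabled = true
maxretry = 5
bantime = 1h
```

Only one `banaction` takes effect at a time; pick either the nftables actions or `route`, not both.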