Huge numbers of iptables rules to knock out spam/viruses

Jeff
05-05-2004, 03:03 PM
I'm trying to come up with a way to load the spamhaus IP lists and
various other IP lists into my firewall to knock out a lot of spam and
crap that we get hit with. Our setup is a Debian woody box with kernel
2.4.25, iptables v1.2.9, bridge-utils 0.9.6, and the
ebtables-brnf-5_vs_2.4.25 patch. Hardware is a 2.4 GHz Dell Optiplex
using built-in gigabit Intel and also an Intel Pro/100, however, the
outside interface is set at 10 Mbit so it's not a whole heck of a lot
of traffic.

We're bridging the two interfaces and I'm firewalling using the
Forward tables mostly. The rules are set to jump to a special SPAM
table with all of the DROP statements. It's only jumping to this table
for port 80/tcp, 53/tcp and 53/udp traffic. I dynamically load each
spam network (from /8's to /32's) at rule load and only after I check
that the list has been updated locally. At the end of the SPAM rule is
an accept to allow the traffic to pass.


The spam tables have about 3000-something rules in them right now and
it takes a little bit to load but seems to be doing okay. It uses a
bit of memory but it's nothing bad.

The other day the ruleset grew to 12,000 lines and it started loading
VERY slowly. iptables seems to not like it when you go over 5000 lines
or more. I decided to break the spam table out into supernets
(1.x.x.x, 2.x.x.x, etc) and load rules based on the first digits, but
that just increased my rule count and didn't really do anything
useful. One side-effect of all of this is my memory usage went through
the roof. Something like 300 megs or whatever unaccounted for in top
(I just assume in the kernel).


Is there a better way to accomplish what I want? We really do get hit
with a lot of traffic from these bozos and aren't too concerned about
false positives. I just want to decrease traffic and noise on my
boxes.


We're not routing, just bridging so I can't load up BGP and null-route
them all.

If anyone has any ideas, please let me know. Thanks
 
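Jeff's SPAM chain is a flat list of DROP rules that every port 80/53 packet walks from the top until one matches, so both load time and per-packet cost grow with the list. The Python below is an added example, not code from the thread or from any of the posters: it models the same blocklist in three layouts, the flat chain, the per-first-octet split Jeff tried, and one hash table per prefix length (the idea behind the ipset hash:net type, which was an out-of-tree patch in 2004 and is in mainline kernels since 2.6.39), and counts how many comparisons each layout needs per packet. The networks are constructed from RFC 5737 and RFC 1918 ranges, not a real blocklist, and the names FlatChain, OctetDispatch, NetHashSet and compare belong to this example only.

```python
"""Added example, not from the thread: per-packet cost of three layouts for
a large IP blocklist.  Sample networks are constructed (RFC 5737 / RFC 1918
ranges), not a real blocklist."""
import ipaddress
import random


def parse_nets(lines):
    """Parse 'a.b.c.d/len' entries, one per line; blanks and '#' comments are skipped."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent and nested prefixes so the list carries no redundant rules.
    This only shrinks a list whose entries overlap or abut; scattered /24s stay as they are."""
    return list(ipaddress.collapse_addresses(nets))


class FlatChain:
    """A single chain of DROP rules, like the SPAM chain in the first post:
    every packet walks the rules in order until one matches."""

    def __init__(self, nets):
        self.rules = list(nets)

    def lookup(self, addr):
        """Return (matched, number of rule comparisons made)."""
        for i, net in enumerate(self.rules, 1):
            if addr in net:
                return True, i
        return False, len(self.rules)


class OctetDispatch:
    """The supernet split from the first post: a parent chain jumps to a
    per-first-octet sub-chain.  Sub-chains are short, but the parent chain is
    itself walked linearly and the total rule count only grows."""

    def __init__(self, nets):
        self.chains = {}
        for net in nets:
            first = int(net.network_address) >> 24
            last = int(net.broadcast_address) >> 24
            for octet in range(first, last + 1):   # a /7 spans two first octets
                self.chains.setdefault(octet, []).append(net)
        self.parent = sorted(self.chains)            # one jump rule per octet seen

    def rule_count(self):
        """Jump rules plus DROP rules: never fewer than the flat chain."""
        return len(self.parent) + sum(len(c) for c in self.chains.values())

    def lookup(self, addr):
        octet = int(addr) >> 24
        if octet not in self.chains:
            return False, len(self.parent)           # walked every jump rule, no hit
        comps = self.parent.index(octet) + 1         # jump rules checked before the hit
        for net in self.chains[octet]:
            comps += 1
            if addr in net:
                return True, comps
        return False, comps


class NetHashSet:
    """One hash table per prefix length, the idea behind ipset's hash:net type.
    Per-packet cost is bounded by the number of distinct prefix lengths in the
    list, not by the number of entries, so a single rule of the form
    '-m set --match-set <name> src -j DROP' replaces the whole chain."""

    def __init__(self, nets):
        self.by_len = {}
        for net in nets:
            self.by_len.setdefault(net.prefixlen, set()).add(int(net.network_address))
        self.lens = sorted(self.by_len, reverse=True)   # longest prefix first

    def lookup(self, addr):
        a = int(addr)
        for comps, plen in enumerate(self.lens, 1):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if (a & mask) in self.by_len[plen]:
                return True, comps
        return False, len(self.lens)


def compare(nets, addr):
    """Comparisons each layout needs to decide one source address."""
    addr = ipaddress.ip_address(addr)
    return {
        "flat": FlatChain(nets).lookup(addr),
        "octet": OctetDispatch(nets).lookup(addr),
        "hashset": NetHashSet(nets).lookup(addr),
    }


if __name__ == "__main__":
    # Constructed list of 12,000 random /24s, the size the first post reports.
    rng = random.Random(1)
    big = [ipaddress.ip_network((rng.randrange(1 << 32) & 0xFFFFFF00, 24))
           for _ in range(12000)]
    big = collapse(big)
    print(f"{len(big)} networks after collapsing")
    for layout, (hit, comps) in compare(big, "203.0.113.9").items():
        print(f"{layout:8s} matched={hit} comparisons={comps}")
```

Run stand-alone, it builds the 12,000-entry list and prints the comparison count each layout needs for an address that is not listed, which is the common case for legitimate traffic: the flat chain checks every rule, the octet split still walks up to 256 jump rules and then a sub-chain, and the hash set does one probe per distinct prefix length. `collapse` also shows why the supernet split did not reduce the rule count: merging only helps when entries are nested or adjacent, while dispatch chains add jump rules on top of the existing ones.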

Jan Geertsma
05-05-2004, 03:59 PM
Is it just me? I like my life to be simple; if I have a problem I solve
it in a simple way. Simple means that I try to understand how the system
works and then use the system to my advantage.

Having more than 50 lines of firewall rules seems to me a flawed design.
You want to drop most of the traffic, and permit certain things. You
want to filter email spam and you want the Optiplex as a firewall, and
also as a router to the internet.

Then you want to:
allow outgoing port 80
allow outgoing port 53
allow incoming port 25
run an MTA (mailserver or mailproxy) with a spamfilter
and accept mail only for your own domain.

Dropping mailspammers by using a software router will never work
optimally; the performance of the entire system will be greatly affected.
It's simply not worth it.

Regards

Jeff wrote:
> I'm trying to come up with a way to load the spamhaus IP lists and
> various other IP lists into my firewall to knock out a lot of spam and
> crap that we get hit with. Our setup is a Debian woody box with kernel
> 2.4.25, iptables v1.2.9, bridge-utils 0.9.6, and the
> ebtables-brnf-5_vs_2.4.25 patch. Hardware is a 2.4 GHz Dell Optiplex
> using built-in gigabit Intel and also an Intel Pro/100, however, the
> outside interface is set at 10 Mbit so it's not a whole heck of a lot
> of traffic.
>
> We're bridging the two interfaces and I'm firewalling using the
> Forward tables mostly. The rules are set to jump to a special SPAM
> table with all of the DROP statements. It's only jumping to this table
> for port 80/tcp, 53/tcp and 53/udp traffic. I dynamically load each
> spam network (from /8's to /32's) at rule load and only after I check
> that the list has been updated locally. At the end of the SPAM rule is
> an accept to allow the traffic to pass.
>
>
> The spam tables have about 3000-something rules in them right now and
> it takes a little bit to load but seems to be doing okay. It uses a
> bit of memory but it's nothing bad.
>
> The other day the ruleset grew to 12,000 lines and it started loading
> VERY slowly. iptables seems to not like it when you go over 5000 lines
> or more. I decided to break the spam table out into supernets
> (1.x.x.x, 2.x.x.x, etc) and load rules based on the first digits, but
> that just increased my rule count and didn't really do anything
> useful. One side-effect of all of this is my memory usage went through
> the roof. Something like 300 megs or whatever unaccounted for in top
> (I just assume in the kernel).
>
>
> Is there a better way to accomplish what I want? We really do get hit
> with a lot of traffic from these bozos and aren't too concerned about
> false positives. I just want to decrease traffic and noise on my
> boxes.
>
>
> We're not routing, just bridging so I can't load up BGP and null-route
> them all.
>
> If anyone has any ideas, please let me know. Thanks

Brian
05-05-2004, 04:26 PM
On Wed, 05 May 2004 08:03:18 -0700, Jeff wrote:

[snips]
> Is there a better way to accomplish what I want? We really do get hit
> with a lot of traffic from these bozos and aren't too concerned about
> false positives. I just want to decrease traffic and noise on my boxes.
>

spamassassin is your friend
http://spamassassin.rediris.es/index.html


B.
--
Hardware, n.:
The parts of a computer system that can be kicked.

Jeff
05-06-2004, 01:23 PM
Jan Geertsma <(E-Mail Removed)> wrote in message news:<c7b30h$4gi$(E-Mail Removed)>...
> Is it just me? I like my life to be simple; if I have a problem I solve
> it in a simple way. Simple means that I try to understand how the system
> works and then use the system to my advantage.
>
> Having more than 50 lines of firewall rules seems to me a flawed design.
> You want to drop most of the traffic, and permit certain things. You
> want to filter email spam and you want the Optiplex as a firewall, and
> also as a router to the internet.
>
> Then you want to:
> allow outgoing port 80
> allow outgoing port 53
> allow incoming port 25
> run an MTA (mailserver or mailproxy) with a spamfilter
> and accept mail only for your own domain.
>
> Dropping mailspammers by using a software router will never work
> optimally; the performance of the entire system will be greatly affected.
> It's simply not worth it.
>
OK, let me clarify a bit.

On my internal hosts, we also filter through 20-something DNSBLs, we
run SpamAssassin on our Linux hosts (with Vipul's Razor), and we also
run host-based firewalls. We use all current anti-relaying rules and
only accept mail for our own domains.

We're not just using the firewall to filter spam, but it curbs a LOT
of traffic hitting the boxes.

So that's why I'm asking about all the rules. This is a multi-tiered
approach. We're serious about dropping spam.

Supak Lailert
05-06-2004, 01:41 PM
"Jeff" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
[snip]
> Is there a better way to accomplish what I want? We really do get hit
> with a lot of traffic from these bozos and aren't too concerned about
> false positives. I just want to decrease traffic and noise on my
> boxes.

Load up SpamAssassin (http://spamassassin.org) and get the add-on rules
at RulesEmporium (http://www.rulesemporium.com), then integrate it into
your MTA. Works like a charm for me. It cut down the spam by 90+% with
a very small number of false positives. The key is to run it for a week
and tweak some scores to match your environment; for example, if you're
a pharmaceutical company you wouldn't want SpamAssassin to aggressively
knock out any mail with drug names in it.

Supak