Huge numbers of iptables rules to knock out spam/viruses

Discussion in 'Linux Networking' started by Jeff, May 5, 2004.

  1. Jeff

    Jeff Guest

    I'm trying to come up with a way to load the spamhaus IP lists and
    various other IP lists into my firewall to knock out a lot of spam and
    crap that we get hit with. Our setup is a Debian woody box with kernel
    2.4.25, iptables v1.2.9, bridge-utils 0.9.6, and the
    ebtables-brnf-5_vs_2.4.25 patch. Hardware is a 2.4 GHz Dell Optiplex
    using built-in gigabit Intel and also an Intel Pro/100; however, the
    outside interface is set at 10 Mbit so it's not a whole heck of a lot
    of traffic.

    We're bridging the two interfaces and I'm firewalling using the
    Forward tables mostly. The rules are set to jump to a special SPAM
    table with all of the DROP statements. It's only jumping to this table
    for port 80/tcp, 53/tcp and 53/udp traffic. I dynamically load each
    spam network (from /8's to /32's) at rule load and only after I check
    that the list has been updated locally. At the end of the SPAM rule is
    an accept to allow the traffic to pass.


    The spam tables have about 3000-something rules in them right now and
    it takes a little bit to load but seems to be doing okay. It uses a
    bit of memory but it's nothing bad.

    The other day the ruleset grew to 12,000 lines and it started loading
    VERY slowly. iptables seems to not like it when you go over 5000 lines
    or more. :) I decided to break the spam table out into supernets
    (1.x.x.x, 2.x.x.x, etc) and load rules based on the first digits, but
    that just increased my rule count and didn't really do anything
    useful. One side-effect of all of this is my memory usage went through
    the roof. Something like 300 megs or whatever unaccounted for in top
    (I just assume in the kernel).


    Is there a better way to accomplish what I want? We really do get hit
    with a lot of traffic from these bozos and aren't too concerned about
    false positives. I just want to decrease traffic and noise on my
    boxes.


    We're not routing, just bridging so I can't load up BGP and null-route
    them all.

    If anyone has any ideas, please let me know. Thanks
     
    Jeff, May 5, 2004
    #1
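    The loading scheme Jeff describes, written out as an added example (not code from the thread): the script parses a CIDR blocklist in the comment-laden format such lists usually use, collapses duplicates and networks already covered by a larger one (which trims the rule count), and emits the SPAM chain plus the FORWARD jumps for 80/tcp, 53/tcp and 53/udp as an iptables-restore fragment. The sample list contents and the use of `--dport` for the jump rules are assumptions.

```python
import ipaddress

# Constructed sample list (not a real blocklist): comments after ';',
# a duplicate entry and a network already covered by a larger one.
SAMPLE_LIST = """\
; constructed sample, not a real DROP list
192.0.2.0/24 ; SBL-example
192.0.2.128/25 ; already covered by the /24 above
198.51.100.0/24
198.51.100.0/24 ; duplicate
203.0.113.5
"""

# Port/protocol pairs that are sent through the SPAM chain, as in the post.
PORTS = (("tcp", 80), ("tcp", 53), ("udp", 53))


def parse_networks(text):
    """Turn list lines into ip_network objects, ignoring comments and blanks."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            # strict=False accepts host bits set, e.g. a bare address -> /32
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def collapse(nets):
    """Merge duplicates, subsumed subnets and adjacent networks into one list."""
    return list(ipaddress.collapse_addresses(nets))


def render_restore(nets, ports=PORTS):
    """Emit an iptables-restore fragment: jumps, one DROP per net, final ACCEPT."""
    lines = ["*filter", ":SPAM - [0:0]"]
    for proto, port in ports:  # assumption: match on destination port
        lines.append(f"-A FORWARD -p {proto} --dport {port} -j SPAM")
    lines.extend(f"-A SPAM -s {net} -j DROP" for net in nets)
    lines.append("-A SPAM -j ACCEPT")  # let everything not listed through
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def build(text):
    """Full pipeline; returns (rendered fragment, raw count, collapsed count)."""
    raw = parse_networks(text)
    nets = collapse(raw)
    return render_restore(nets), len(raw), len(nets)


if __name__ == "__main__":
    fragment, before, after = build(SAMPLE_LIST)
    print(f"# {before} entries collapsed to {after} rules")
    print(fragment, end="")
```

    Feeding the fragment to `iptables-restore` installs the whole chain in one operation instead of forking one iptables process per rule, which is the slow part of loading thousands of rules one at a time.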

  2. Jeff

    Jan Geertsma Guest

    Is it just me? I like my life to be simple; if I have a problem I solve
    it in a simple way. Simple means that I try to understand how the system
    works and then use the system to my advantage.

    Having more than 50 lines of firewall rules seems to me a flawed design.
    You want to drop most of the traffic, and permit certain things. You
    want to filter email spam and you want the Optiplex as a firewall, and
    also as a router to the internet.

    then you want to:
    allow outgoing port 80
    allow outgoing port 53
    allow incoming port 25
    run an mta (mailserver or mailproxy) with spamfilter
    and accepting only for your own domain.

    Dropping mail spammers by using a software router will never work
    optimally; the performance of the entire system will be greatly affected.
    It's simply not worth it.

    regards
     
    Jan Geertsma, May 5, 2004
    #2

  3. Jeff

    Brian Guest

    On Wed, 05 May 2004 08:03:18 -0700, Jeff wrote:

    [snips]
    spamassassin is your friend
    http://spamassassin.rediris.es/index.html


    B.
     
    Brian, May 5, 2004
    #3
  4. Jeff

    Jeff Guest


    OK, let me clarify a bit.

    On my internal hosts, we also filter through 20-something DNSBLs, we
    run SpamAssassin on our Linux hosts (with Vipul's Razor), and we also
    run host-based firewalls. We use all current anti-relaying rules and
    only accept mail for our own domains.

    We're not just using the firewall to filter spam, but it curbs a LOT
    of traffic hitting the boxes.


    So that's why I'm asking about all the rules. This is a multi-tiered
    approach. We're serious about dropping spam. :)
     
    Jeff, May 6, 2004
    #4
  5. [snip]
    Load up SpamAssassin (http://spamassassin.org) and get the add-on rules
    at RulesEmporium (http://www.rulesemporium.com), then integrate it into
    your MTA. Works like a charm for me. It cut down the spam by 90+% with
    a very small number of false positives. The key is to run it for a week
    and tweak some scores to match your environment; for example, if you're
    a pharmaceutical company you wouldn't want SpamAssassin to aggressively
    knock out any mail with drug names in it.

    Supak
     
    Supak Lailert, May 6, 2004
    #5