I've migrated my processes from a FreeBSD/PF configuration to a CentOS 5.3 system (forgive my newbie status on IPTables). In FreeBSD/PF I can write a one-liner that will block a table of IPs completely, and it doesn't hit the rdr (redirect) chain. In Iptables, I have (for example): iptables -N abuse iptables -I abuse -s x.x.x.x -j DROP there are a couple thousand IP or / network in that list. It takes forever to load. One obvious mistake I found on my own (duh) is that it needs another rule to place it in the INPUT table or something; but in my case, when I do this, it appends to the INPUT table, and isn't being consulted -- so clearly I've done something incorrectly. But what I'm noticing is that despite this, the IPs are getting through -- I do a "tail -f maillog" and I see them hitting my system. Further, some of the ports are in the FORWARD chain that go to an internal DMZ system (ie: mail, imap). As I get a little lost in what I'm reading (grin), what I think needs to happen is all these numbers must be inserted in the INPUT chain, I'm not sure if that will be good enough, or if I also have to block at the FORWARD (would be redundant). To get myself up and running quickly, with some sensible rules, I downloaded and used the "ipkungfu" script - easy enough to use. I have 2 other tables that I use, the one above is a list of IP/networks I never want to have access to my system; another list, is only to block SMTP, another is a GEOIP table of networks I never want touching my system. The address/rules are loaded in a simple for-next loop from BASH. It takes forever, thus I'm wondering if there is a more efficient way to load these. It also occurs to me that these should be loaded first; or at least after any other security-related rules. I wonder if someone could clarify how to do what I need correctly, perhaps more efficiently. Thank you!
