zemaitis

6y

Question about linux iptables. I am currently blocking all access and whitelisting only when my users launch my software. When software is launched a socket client is also launched, it connects to socket server, identifies itself with a password and disconnects. If given password by socket client is correct, then socket server whitelists the users IP by executing the following command: " iptables -I INPUT -s userIP -j ACCEPT".

My problem is that now I have lots of duplicates of IP's whitelisted and as far as I've heard I should not go over 25k iptable rules.

So my question is how to check if ip is already whitelisted, in order to avoid duplicate iptable rules for for same IP?

Obvious solution would be to store whitelist somewhere (mysql/txt) and double check before whitelisting ip, but maybe there is an easier way to do this?

rant

question

Ranter

Comments

2

netikras

34627

6y

iptables -S

and look for the command you are to add if it's not yet there? Imo it's the simplest way. You have all the -A commands as a set of templates anyway..

Or just iptables -D before you do iptables -A ?
0

sbiewald

3997

6y

Redis, might be faster than a database, but a hashset might work as well, but isn't persistent.
0

netikras

34627

6y

I would not be persisting those rules. Neither in db nor a file or memory. It's very easy to get out of sync and have a split brain situation.

I'd be checking on the machine before each addition.

Otherwise you think the server knows, when in fact the server only thinks it knows. Too unreliable
0

linuxxx

142302

6y

@sbiewald IPSet, in memory database for iptables!

Related Rants

devRant © 2021 Hexical Labs LLC
Privacy Policy | Terms of Service