0
zemaitis
73d

Question about linux iptables. I am currently blocking all access and whitelisting only when my users launch my software. When software is launched a socket client is also launched, it connects to socket server, identifies itself with a password and disconnects. If given password by socket client is correct, then socket server whitelists the users IP by executing the following command: " iptables -I INPUT -s userIP -j ACCEPT".

My problem is that now I have lots of duplicates of IP's whitelisted and as far as I've heard I should not go over 25k iptable rules.

So my question is how to check if ip is already whitelisted, in order to avoid duplicate iptable rules for for same IP?

Obvious solution would be to store whitelist somewhere (mysql/txt) and double check before whitelisting ip, but maybe there is an easier way to do this?

Comments
  • 2
    iptables -S

    and look for the command you are to add if it's not yet there? Imo it's the simplest way. You have all the -A commands as a set of templates anyway..

    Or just iptables -D before you do iptables -A ?
  • 0
    Redis, might be faster than a database, but a hashset might work as well, but isn't persistent.
  • 0
    I would not be persisting those rules. Neither in db nor a file or memory. It's very easy to get out of sync and have a split brain situation.

    I'd be checking on the machine before each addition.

    Otherwise you think the server knows, when in fact the server only thinks it knows. Too unreliable
  • 0
    @sbiewald IPSet, in memory database for iptables!
Add Comment