I made a very simple bash script (echo at start, runs commands, echoes at end) to add approx 7300 rules to iptables blocking much of China and Russia, however it gets through adding approximately 400 rules before giving the following error for every subsequent attempt to add a rule to that chain:
iptables: Unknown error 18446744073709551615
I even tried manually adding rules afterwards and it won't let me add them (it gives the same error).
The command to add each rule looks like this:
/sbin/iptables -A sshguard -s x.x.x.0/x -j DROP
sshguard is a chain I created for use with the sshguard daemon, and I wanted to add the rules there so I wasn't muddying up the INPUT chain. The IP ranges I am supplying are not to blame here, as I have supplied valid ranges to test and they are met with the same error. Flushing the chain of rules and adding individual ones works, but again, not after ~400 entries.
I did some googling beforehand, but the others having this issue don't seem to be having it for the same reasons I am.
Is there some kind of rule limit per chain with iptables? Also, is this the proper way to go about blocking these ranges (errors aside)?
# iptables -V
iptables v1.3.5
# cat /etc/issue
CentOS release 5.8 (Final)
# uname -a
Linux domain.com 2.6.18-028stab101.1 #1 SMP Sun Jun 24 19:50:48 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux
Edit: To clarify, the bash script is running each iptables command individually, not looping through a file or list of IPs.
Also, my purpose for blocking these ranges is preventative — I am trying to limit the amount of bots that scrape, crawl, or attempt to create spam accounts on a few of my websites. I am already using sshguard to block brute force attempts on my server, but that does not help with the other bots, obviously.
Best Answer
OK, I figured it out.
I should have mentioned that I had a Virtuozzo container for my VPS. http://kb.parallels.com/en/746 mentions the following:
FYI: The container has to be restarted for this to take effect.
This explains why I hit the limit at around 400. If I had CentOS 6, I would install the ipset module (EPEL) for iptables instead of adding all these rules (because ipset is fast). As it stands now, on CentOS 5.9, I'd have to compile iptables >1.4.4 and my kernel to get ipset. Since this is a VPS and my host may eventually upgrade to CentOS 6, I am not going to pursue that.
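The answer's ipset approach, as an added example that is not the poster's script: a POSIX sh script that turns a CIDR list into an `ipset restore` input file and prints the single iptables rule that matches the whole set, so the chain holds one rule instead of thousands. It assumes a set named "geoblock" (my choice) and the sshguard chain from the question; it only generates text and does not run ipset or iptables, which on the poster's CentOS 5 container would still need kernel support.

```shell
#!/bin/sh
# Emit an `ipset restore` script from a CIDR list plus the one iptables rule that
# matches the set. Nothing is applied; the output is printed for review.
SET_NAME="geoblock"   # assumed set name
CHAIN="sshguard"      # the chain from the question
# Validate one IPv4 CIDR: four octets 0-255 and a prefix length 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}
# Read CIDRs from stdin (one per line, '#' comments allowed) and print the restore
# script. Invalid entries are reported on stderr and skipped; the function returns
# non-zero if any were skipped so a caller can refuse to load a dubious list.
build_ipset_restore() {
    bad=0
    printf 'create %s hash:net family inet hashsize 16384 maxelem 65536 -exist\n' "$SET_NAME"
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'add %s %s -exist\n' "$SET_NAME" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
# One rule replaces thousands: the set lookup is a hash, not a linear walk of the chain.
iptables_rule() {
    printf '/sbin/iptables -I %s -m set --match-set %s src -j DROP\n' "$CHAIN" "$SET_NAME"
}
# Constructed sample input, not real blocklist data; two entries are deliberately bad.
SAMPLE='1.2.3.0/24
5.6.0.0/16   # comment
999.1.1.0/24
10.0.0.1'
printf '%s\n' "$SAMPLE" | build_ipset_restore || echo 'some entries were skipped' >&2
iptables_rule
```

Feed the generated script to `ipset restore` and then apply the printed rule; the set can be updated later without touching the chain again.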