iptables, blocking large numbers of IP addresses

iptables is the userland tool for manipulating netfilter. netfilter is the code in the kernel that handles the packet filtering. Contextually, changing the userland tool would only change your experience, not the way the filtering operates.

I have never hit a limitation in Linux with the quantity of rules specified, and I've been using Linux for firewalling since the userland tool was ipfwadm. It's notable that netfilter wasn't introduced to Linux until the 2.4.x kernel, and ipfwadm was the interface for ipfw, not netfilter. OpenBSD is great for a firewall if you can continue using it in your environment.

The limitation will likely be a physical limitation based on the system resources, with a focus on the quantity of RAM available. If you encounter issues, you may have to tune Linux's max ip connection settings in the kernel. You're unlikely to encounter either of these situations on modern hardware with a modern Linux distribution.

If you would like to discuss the finer details of netfilter, you might be better off furthering this dialog on the netfilter mailing lists, as they will be the subject matter experts.

If this does not answer your question, please feel free to clarify and I will be happy to revise it.

Netfilter user hits memory limitation testing netfilter limits
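The "max ip connection settings" mentioned above are the conntrack table limits. The script below is an added example, not code from the answer: it reads the live conntrack count and ceiling from the kernel's /proc and /sys interfaces, reports how close the table is to filling up, and estimates the RAM cost of raising the ceiling. The per-entry and per-bucket byte sizes and the hashsize fallback are assumptions that vary by kernel version, so treat the estimate as an order of magnitude. The table only exists when the nf_conntrack module is loaded (pulled in by -m state / -m conntrack rules or NAT); plain stateless DROP rules do not load it.

```shell
#!/bin/sh
# Added example; not part of the answer above. Checks how full the
# conntrack table is and estimates the RAM cost of raising its ceiling.
# The /proc and /sys paths are the real kernel interfaces. ENTRY_BYTES,
# BUCKET_BYTES and the hashsize fallback are assumptions (rough figures
# that vary by kernel version).

ENTRY_BYTES=320   # assumed approximate size of one tracked connection
BUCKET_BYTES=8    # assumed: one pointer per hash bucket

CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max
CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_HASH=/sys/module/nf_conntrack/parameters/hashsize   # root-readable

# Estimated KiB for a table of $1 entries hashed into $2 buckets.
conntrack_mem_kib() {
    echo $(( ($1 * ENTRY_BYTES + $2 * BUCKET_BYTES) / 1024 ))
}

# Integer percentage of the table in use: $1 = count, $2 = max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Succeeds while usage ($1 = count, $2 = max) is below $3 percent
# (default 80). Once the table is full the kernel drops new flows and
# logs "nf_conntrack: table full, dropping packet".
conntrack_check() {
    [ "$(conntrack_usage_pct "$1" "$2")" -lt "${3:-80}" ]
}

# Report on the live table; says so and returns 0 when the module is
# not loaded (only -m state/-m conntrack rules or NAT pull it in).
conntrack_report() {
    if [ ! -r "$CT_MAX" ] || [ ! -r "$CT_COUNT" ]; then
        echo "nf_conntrack is not loaded or not readable here; nothing to check"
        return 0
    fi
    max=$(cat "$CT_MAX")
    count=$(cat "$CT_COUNT")
    if [ -r "$CT_HASH" ]; then
        hash=$(cat "$CT_HASH")
    else
        hash=$(( max / 4 ))   # assumption: default max is 4x hashsize
    fi
    echo "conntrack: $count / $max entries ($(conntrack_usage_pct "$count" "$max")%)," \
         "about $(conntrack_mem_kib "$max" "$hash") KiB at the current ceiling"
    if ! conntrack_check "$count" "$max"; then
        doubled=$(( max * 2 ))
        echo "near the limit; to raise it (as root), for example:"
        echo "  sysctl -w net.netfilter.nf_conntrack_max=$doubled"
        echo "  echo $(( hash * 2 )) > $CT_HASH    # keep the hash table in step"
        echo "  (costs about $(conntrack_mem_kib "$doubled" $(( hash * 2 ))) KiB)"
    fi
}

conntrack_report
```

Raising nf_conntrack_max without also growing the hash table keeps the memory low but makes every lookup walk longer chains, which is the other way a busy firewall slows down; the suggested commands therefore scale both together.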


The best way to block a large number of IP addresses without causing too much stress on the kernel is to null-route them with the command:

root@machine# ip route add blackhole 192.168.1.1/32

iptables is not well suited to many rules.

http://en.wikipedia.org/wiki/Null_route
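Doing this for thousands of addresses one `ip route add` at a time forks one process per entry. The script below is an added example, not code from the answer above: it validates a plain-text blocklist, turns each entry into a blackhole route line, and loads them all in a single `ip -batch` run (real iproute2 syntax; the batch file holds the commands without the leading `ip`). The function names, file layout and the sample blocklist are constructed for this example. One caveat worth knowing: a blackhole route discards packets destined to the address, so it kills replies and forwarding rather than filtering what arrives on the wire; a TCP client can no longer complete a handshake, but a one-way UDP flood still reaches the host's input path, which is where an iptables DROP (or an ipset) still has a role.

```shell
#!/bin/sh
# Added example; not code from the answer above. Turns a plain-text
# blocklist into blackhole routes, the approach recommended above, and
# loads them with one 'ip -batch' run instead of forking 'ip' once per
# address. Function names, the file layout and SAMPLE_BLOCKLIST are
# constructed for this example; the 'ip' invocations are real iproute2 syntax.

# Accepts one IPv4 address or a.b.c.d/len prefix; exit 0 if well-formed.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk '{
        n = split($0, p, "/")
        if (n < 1 || n > 2) exit 1
        if (split(p[1], o, ".") != 4) exit 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) exit 1
        exit 0
    }'
}

# Reads a blocklist on stdin (one entry per line, '#' comments allowed)
# and writes 'ip -batch' lines on stdout. Bare addresses get /32;
# malformed entries are reported on stderr and skipped, never loaded.
blackhole_batch() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if ! is_ipv4_cidr "$entry"; then
            printf 'skipping malformed entry: %s\n' "$line" >&2
            continue
        fi
        case $entry in
            */*) ;;
            *)   entry=$entry/32 ;;
        esac
        printf 'route add blackhole %s\n' "$entry"
    done
}

# Loads the blocklist file $1. Dry run unless APPLY=1 (needs root).
load_blackholes() {
    batch=$(mktemp) || return 1
    blackhole_batch < "$1" > "$batch"
    if [ "${APPLY:-0}" = 1 ]; then
        ip -batch "$batch"
    else
        echo "dry run; $(wc -l < "$batch" | tr -d ' ') route(s) would be added:"
        cat "$batch"
    fi
    rm -f "$batch"
}

# Constructed sample (documentation ranges), including two bad lines.
SAMPLE_BLOCKLIST='# constructed sample blocklist
203.0.113.7
198.51.100.0/24      # a whole prefix
not-an-address
203.0.113.300'

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_BLOCKLIST" > "$tmp"
load_blackholes "$tmp"
rm -f "$tmp"
```

Run with `APPLY=1 sh blackhole.sh` as root to load the routes; `ip route show type blackhole` lists what is installed and `ip route del blackhole 203.0.113.7/32` removes one entry. Re-running the batch against routes that already exist makes `ip` complain about each duplicate; swap `add` for `replace` in the generated lines if you want the load to be idempotent.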