What's the effect of iptables/ufw deny filters on server load?
I'm wondering how scalable it is to add IP addresses or subranges I want to block into ufw. E.g., I do this whenever I discover a particularly bad bot or server farm. As my list grows, I wonder how much overhead I'm placing on the system; because now every packet must be checked against this list.
Does anyone have experience with a block list of a certain size that began to cause system load, or network slowdowns?
Is there anything in the docs somewhere about this?
Right now I've got about 15 rules. Is there some number of rules I should stay below?
Solution 1:
It's a whole lot less load than trying to service the traffic... large chains have an impact on performance, but with a bit of judicious optimisation (splitting out traffic into different chains) you can keep it under control.
For reference, I've got a 20k rule iptables firewall that performs quite adequately under a couple of hundred Mbps of traffic... I don't think you've got much to worry about with 15 rules.
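As an added example (not part of the answer above, and not a real ruleset from that 20k-rule firewall), here is a POSIX shell script that builds the "split out traffic into different chains" layout the answer refers to: a top-level chain that jumps, by first octet, into a per-/8 sub-chain holding only that /8's DROP entries, so a packet is compared against a fraction of the list instead of all of it. The chain names `BLOCK` and `BLOCK_<octet>` are my own choice, and the sample addresses are constructed to show the layout, not real offenders. It also computes the worst-case number of rules a packet walks under the flat and the split layout so the effect can be seen without loading anything into the kernel.

```shell
#!/bin/sh
# Added example, not from the original answer: emit an iptables-restore
# fragment that spreads a blocklist across per-/8 sub-chains, so a packet
# is only compared against the entries that share its first octet instead
# of walking the whole list. Chain names (BLOCK, BLOCK_<octet>) are mine.

# Constructed sample list: 100 /16s spread over ten first octets. These are
# made-up addresses used only to show the chain layout, not real offenders.
sample_blocklist() {
    for o in 11 12 13 14 15 16 17 18 19 20; do
        for i in 0 1 2 3 4 5 6 7 8 9; do
            printf '%s\n' "$o.$i.0.0/16"
        done
    done
}

# build_ruleset: reads one IP or CIDR per line on stdin and prints an
# iptables-restore fragment for the filter table on stdout.
build_ruleset() {
    list=$(cat)
    octets=$(printf '%s\n' "$list" | cut -d. -f1 | sort -n -u)
    printf '%s\n' '*filter'
    printf '%s\n' ':BLOCK - [0:0]'
    for o in $octets; do
        printf '%s\n' ":BLOCK_$o - [0:0]"
    done
    # Dispatch layer: one jump per /8 that actually has entries.
    for o in $octets; do
        printf '%s\n' "-A BLOCK -s $o.0.0.0/8 -j BLOCK_$o"
    done
    # Leaf layer: each entry lands in the sub-chain for its first octet.
    printf '%s\n' "$list" | while read -r entry; do
        [ -n "$entry" ] || continue
        o=${entry%%.*}
        printf '%s\n' "-A BLOCK_$o -s $entry -j DROP"
    done
    # Hook the dispatcher into INPUT. Loaded with iptables-restore --noflush
    # this appends to the existing INPUT chain rather than replacing it.
    printf '%s\n' '-A INPUT -j BLOCK'
    printf '%s\n' 'COMMIT'
}

# flat_depth: rules a packet walks in the worst case if the same entries
# were one long chain (every DROP entry, none of them matching).
flat_depth() {
    printf '%s\n' "$1" | grep -c '^-A BLOCK_'
}

# worst_case_depth: rules walked with the split layout, i.e. every dispatch
# jump in BLOCK plus the longest sub-chain.
worst_case_depth() {
    dispatch=$(printf '%s\n' "$1" | grep -c '^-A BLOCK ')
    longest=$(printf '%s\n' "$1" | grep '^-A BLOCK_' | cut -d' ' -f2 \
              | sort | uniq -c | sort -rn | head -n 1 | awk '{print $1}')
    echo $((dispatch + longest))
}

ruleset=$(sample_blocklist | build_ruleset)
echo "flat chain:   $(flat_depth "$ruleset") rules per packet, worst case"
echo "split chains: $(worst_case_depth "$ruleset") rules per packet, worst case"
```

To use it with a real list, feed your own entries instead of `sample_blocklist` (`build_ruleset < my-blocklist.txt > blocklist.rules`), read the output, and then load it with `iptables-restore --noflush blocklist.rules`. The split only pays off when the entries spread across many first octets: with the constructed list, 100 entries become 10 dispatch jumps plus at most 10 DROP rules per packet instead of 100, but a list of 15 addresses in three /8s would gain almost nothing from the extra jumps, which is consistent with the answer's point that 15 rules is not worth worrying about.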