[ale] iptables limits?

Bob Toxen bob at verysecurelinux.com
Fri Jun 3 11:31:52 EDT 2005


On Thu, Jun 02, 2005 at 05:04:40PM -0400, Jim Popovitch wrote:
> Are there any known limits to the number of rules in iptables?  I
> currently have about 27000+ rules, with no noticeable issues.  What's
> the upper limit, if there is any, and what are the limiting factors?

It would be trivial to write a shell script to test if there is a
limit at 32K or 64K, to check for possible 16-bit signed or unsigned
limits.  Beyond that, speed and memory are the likely limits.

Over T1 speeds that number of rules on a 1GHz+ processor should be ok.
You won't be able to saturate a 100MHz Ethernet by any means.  If you
push lots of data between an internal network and a DMZ, you'll want to
put the rules that allow that traffic near the top of the chains, as
I do for clients.

I do suspect, though, that you could optimize your rule set to be
smaller.

> Thx,

> -Jim P.

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
d/b/a Horizon Network Security
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"

http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
bob at verysecurelinux.com (e-mail)
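
As an added example (not Bob's script, not from the original thread): the shell probe described above, written so the rule set is generated as an iptables-restore file rather than by calling iptables 27,000 times. It also puts a hot-path ACCEPT rule at the top of the chain, as the message recommends for internal/DMZ traffic. The chain name LIMITTEST, the 10/8, 192.168/16 and 172.16/12 addresses, and the step sizes are assumptions for the example; the probe itself needs root and iptables-restore, while the generator and counter run anywhere.

```shell
#!/bin/sh
# Added example. Generates a large iptables-restore rule set into a scratch
# chain (name assumed: LIMITTEST) and probes for a rule-count limit with
# iptables-restore --test. Nothing touches the live firewall unless
# probe_limit is run as root, and even then --test only parses/builds the
# rule set without committing it.

# gen_ruleset N -> prints an iptables-restore file for the filter table:
# one hot-path ACCEPT at the top of the chain, then N distinct DROP rules.
gen_ruleset() {
    n="$1"
    printf '*filter\n'
    printf ':LIMITTEST - [0:0]\n'
    # Hot path first: traffic that should match early sits at the top so
    # packets do not traverse thousands of rules before being accepted.
    # Addresses are assumed for the example.
    printf '%s -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT\n' '-A LIMITTEST'
    i=0
    while [ "$i" -lt "$n" ]; do
        # Vary the source address so every generated rule is distinct.
        printf '%s -s 172.16.%d.%d/32 -j DROP\n' '-A LIMITTEST' \
            $(( (i / 256) % 256 )) $(( i % 256 ))
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# count_rules FILE -> number of "-A" rule lines in a restore file.
count_rules() {
    grep -c '^-A ' "$1"
}

# probe_limit STEP MAX -> tries rule sets of size STEP, 2*STEP, ... up to MAX
# with iptables-restore --test and prints the first size that fails to load,
# or "none" if every size loads. Bracket 32768 and 65536 to check the
# 16-bit signed/unsigned guess from the message, e.g. probe_limit 8192 73728.
# Requires root and iptables-restore.
probe_limit() {
    step="$1"; max="$2"; n="$step"
    while [ "$n" -le "$max" ]; do
        f=$(mktemp)
        gen_ruleset "$n" > "$f"
        if ! iptables-restore --test "$f" 2>/dev/null; then
            rm -f "$f"
            echo "$n"
            return 0
        fi
        rm -f "$f"
        n=$((n + step))
    done
    echo none
}
```

A rule set that loads under --test can still be slow in the packet path, so after finding the load limit, load a realistic size for real and watch throughput; the ordering trick (frequently matched ACCEPTs first) matters more than the raw count.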