
I have multiple users (approx. 800 users). I am developing an iptables firewall for MAC address based filtering. My question is: how many rules can I add in a single chain, and how many rules can the iptables version 1.3.5 filter handle?

My scenario is like this: a Linux CentOS gateway proxy machine with 2 NICs (1 LAN, 1 WAN); the proxy handles only port 80; iptables version 1.3.5. My iptables filter rules look like the following.

INPUT (DROP): multiple rules accepting useful ports, input from/for the Internet and from/for the LAN.

FORWARD (DROP): multiple simple rules to FORWARD static users' (user1, user2, user3) IPs on priority from the LAN to the Internet, and multiple simple rules to FORWARD static users' (user1, user2, user3) IPs on priority from the Internet to the LAN. All other users' (user4, user5, user6, ...) IP requests for the Internet go to the ALLMAC chain for an IP/MAC address binding check, and all other users' (user4, user5, user6, ...) request replies from the Internet go to the ALLMAC chain for an IP address check.

ALLMAC chain: if the source is user4's IP with the following MAC address, ACCEPT (iptables -t filter -A ALLMAC -s 192.168.1.1 -m mac --mac-source 00:01:02:03:04:05 -j ACCEPT); if the destination is user4's IP, ACCEPT (iptables -t filter -A ALLMAC -d 192.168.1.1 -j ACCEPT).

If the source is user5's IP with the following MAC address, ACCEPT (iptables -t filter -A ALLMAC -s 192.168.1.2 -m mac --mac-source 00:01:02:03:04:05 -j ACCEPT); if the destination is user5's IP, ACCEPT (iptables -t filter -A ALLMAC -d 192.168.1.2 -j ACCEPT).

If the source is user6's IP with the following MAC address, ACCEPT (iptables -t filter -A ALLMAC -s 192.168.1.3 -m mac --mac-source 00:01:02:03:04:05 -j ACCEPT); if the destination is user6's IP, ACCEPT (iptables -t filter -A ALLMAC -d 192.168.1.3 -j ACCEPT).

(I want to add approx. 800 users just like the above to the ALLMAC chain.) Everything else not listed: DROP (end of ALLMAC chain).

OUTPUT (DROP): multiple rules accepting useful ports, output from/for the Internet and from/for the LAN.

Please help me with this simple scenario, and guide me: is this a good approach to restrict users to their IPs and block non-registered users?

Thanks in advance. Rizwan.

  • Sounds like you should be using -m set --match-set user_bindings src,src (with a bitmap:ip,mac ipset) instead... Commented Apr 15, 2016 at 5:44
  • Just for the sake of answering the original question: MikroTik routers are based on iptables for their firewall, and when ISPs filter out common worms/viruses etc., edge routers usually have way beyond a few hundred rules, high hundreds like 600+ rules. And it performs decently on some crap like a 400 MHz MIPS, so I guess the actual limit where performance overhead is noticeable would be quite high.
    – Lapsio
    Commented Feb 11, 2017 at 7:53
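As an added example (not code from the question or the comments; the sample users, the set name user_bindings and the 192.168.1.0/24 LAN range are assumptions), the following POSIX shell script turns a list of "IP MAC" bindings into the ALLMAC chain laid out in the question, in iptables-restore format, and into the single bitmap:ip,mac set suggested in the first comment, in ipset restore format. It validates every binding before emitting it, because iptables-restore aborts the whole load on one malformed rule, and it emits restore files rather than calling iptables, so it can be run and checked without root.

```shell
#!/bin/sh
# Added example, not code from the post or its comments. Turns "IP MAC"
# bindings read from stdin into (a) the per-user ALLMAC chain from the
# question, as an iptables-restore file, and (b) the single bitmap:ip,mac
# ipset suggested in the comments, as an "ipset restore" file. Nothing is
# loaded into the kernel, so it runs unprivileged. The sample users, the set
# name user_bindings and the LAN range are assumptions.

# Constructed sample bindings, one user per line. The third line has a
# 7-octet MAC and must be rejected rather than passed to iptables.
SAMPLE_BINDINGS='192.168.1.1 00:01:02:03:04:05
192.168.1.2 00:01:02:03:04:06
192.168.1.3 00:01:02:03:04:05:06'

# True if $1 is a six-octet, colon-separated MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Copy the valid "IP MAC" lines from stdin to stdout. Rejected lines go to
# stderr and make the function return 1, so a bad list is noticed before
# anything is loaded (iptables-restore aborts the whole load on one bad rule).
checked_bindings() {
    rc=0
    while read -r ip mac rest; do
        case $ip in ''|\#*) continue ;; esac
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            printf 'rejected binding: %s %s\n' "$ip" "$mac" >&2
            rc=1
        fi
    done
    return $rc
}

# (a) The ALLMAC chain exactly as laid out in the question: two rules per
# user and a final DROP, so 800 users give 1601 rules that iptables walks
# top to bottom for every packet sent to the chain.
allmac_restore() {
    echo '*filter'
    echo ':ALLMAC - [0:0]'
    checked_bindings 2>/dev/null | while read -r ip mac; do
        echo "-A ALLMAC -s $ip -m mac --mac-source $mac -j ACCEPT"
        echo "-A ALLMAC -d $ip -j ACCEPT"
    done
    echo '-A ALLMAC -j DROP'
    echo 'COMMIT'
}

# (b) The same bindings as one ipset. $1 is the LAN range in CIDR form; a
# bitmap set is limited to 65536 addresses, which fits a /16 or smaller.
ipset_restore() {
    echo "create user_bindings bitmap:ip,mac range $1"
    checked_bindings 2>/dev/null | while read -r ip mac; do
        echo "add user_bindings $ip,$mac"
    done
}

# FORWARD rules that replace the whole ALLMAC walk. "src,src" checks the
# packet's source IP and source MAC against the stored pair. The state rule
# stands in for the per-user "-d IP -j ACCEPT" reply rules of the question
# and, unlike them, does not admit unsolicited WAN-to-LAN packets.
ipset_forward_rules() {
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m set --match-set user_bindings src,src -j ACCEPT'
}

# Number of ALLMAC rules a bindings list on stdin produces.
allmac_rule_count() {
    allmac_restore | grep -c '^-A ALLMAC'
}

# Usage: sh thisfile.sh allmac < users.txt > allmac.rules
#        sh thisfile.sh ipset 192.168.1.0/24 < users.txt > users.ipset
case ${1:-} in
    allmac) allmac_restore ;;
    ipset)  ipset_restore "${2:-192.168.1.0/24}" ;;
esac
```

Load the chain with iptables-restore --noflush < allmac.rules: with --noflush the existing INPUT, FORWARD and OUTPUT rules stay and only the listed ALLMAC chain is rebuilt, and the 1601 rules go in as one table replace, whereas a loop of 1601 separate iptables -A calls fetches and replaces the whole table once per call. The ipset variant needs ipset support in the kernel and an iptables build that includes the set match, which a stock 1.3.5 does not have; where it is available, membership is a bitmap lookup instead of a linear walk over 1600 rules, and the bindings can be changed with ipset add/del without touching the ruleset. Whichever variant is used, the MAC is only visible on the directly attached LAN segment and is set by the client host, so this binds an IP to a MAC the user controls rather than to an identity.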
