Reducing the number of iptables rules

owkaye
Junior Member
Posts: 1
Joined: 18 Mar 2015, 10:28

Reducing the number of iptables rules

Post by owkaye »

Lately I have been getting this error every day when my server reboots in the morning:
Error: The VPS iptables rule limit (numiptent) is too low (512/512) - stopping firewall to prevent iptables blocking all connections, at line 583 in /usr/sbin/csf
Most online references suggest that the solution to this problem is to get my VPS host to increase the numiptent value, which they will not do. Instead of switching to a new host that will increase my numiptent value, is it possible to reduce my iptables rules -- for example by combining several rules into one -- so that I have fewer rules, which might stop this error from occurring?

Does csf generate iptables rules every time the server is rebooted? If so, how can I modify the script that generates these rules so that fewer rules are created?
Texas Trophy
Junior Member
Posts: 5
Joined: 17 Mar 2015, 11:00

Re: Reducing the number of iptables rules

Post by Texas Trophy »

Since a majority of questions go unanswered around here, I am going to help where possible. I am new to CSF but I was encountering the same issue.

Apparently you have raised the DENY_IP_LIMIT? That is what I did to encounter the error. So I set the limit back to the original (200 in my case), and what I did instead was create a link to my own deny IP list in the "lfd Blocklists", and it seems to be working fine as far as I can tell.


# My Block List
MYBLOCKLIST|86400|0|http://www.domain.com/deny.txt
I think there is also another alternative that I did not notice until I did the above but it looks like you can basically do the same with LF_GLOBAL and GLOBAL_DENY in the firewall configuration?
Texas Trophy
Junior Member
Posts: 5
Joined: 17 Mar 2015, 11:00

Re: Reducing the number of iptables rules

Post by Texas Trophy »

Well scratch all of the above. I restarted the firewall once again and then got the error.
tommyk
Junior Member
Posts: 8
Joined: 21 Oct 2010, 23:54

Re: Reducing the number of iptables rules

Post by tommyk »

I would recommend that you use the ipset option. Iptables can't really handle a huge amount of rules, while ipset is easily able to block tens of thousands of IPs without any significant performance reduction.
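As an added illustration of the mechanism tommyk describes (example code, not from the thread and not csf's own implementation): a deny list of any size is loaded into one ipset, and a single iptables rule matches the whole set, so the numiptent count no longer grows with the list. The set name `deny_list`, the file paths and the sample addresses are assumptions; the script only generates the files and prints the rule, applying them requires root.

```shell
#!/bin/sh
# Added example: turn a csf.deny-style list ("ip # comment" per line) into an
# `ipset restore` script plus ONE iptables rule. Nothing here touches the
# kernel; apply as root with: ipset restore < deny.ipset && <printed rule>
set -eu

SET_NAME="${SET_NAME:-deny_list}"   # assumed set name

# Write an `ipset restore` script for the IPs/CIDRs in list $1 to file $2.
build_ipset_restore() {
    list="$1"; out="$2"
    {
        printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$SET_NAME"
        printf 'flush %s\n' "$SET_NAME"
        # drop blank/comment lines, keep only the address field
        grep -Ev '^[[:space:]]*(#|$)' "$list" | awk '{print $1}' |
            while read -r ip; do printf 'add %s %s -exist\n' "$SET_NAME" "$ip"; done
    } > "$out"
}

# The single iptables rule that replaces one DROP rule per address.
iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

count_entries() { grep -c '^add ' "$1"; }          # addresses in the set
count_iptables_rules() { iptables_rule | wc -l | tr -d ' '; }   # always 1

# Constructed sample deny list using documentation (TEST-NET) addresses.
make_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample in csf.deny format
192.0.2.10 # lfd: brute force
198.51.100.0/24 # manual block
203.0.113.77
EOF
}

main() {
    tmp="${TMPDIR:-/tmp}"
    make_sample_list "$tmp/deny.sample"
    build_ipset_restore "$tmp/deny.sample" "$tmp/deny.ipset"
    echo "ipset entries: $(count_entries "$tmp/deny.ipset"), iptables rules: $(count_iptables_rules)"
    iptables_rule
}
main
```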