Can't add large number of rules to iptables

I made a very simple bash script (echo at start, runs commands, echos at end) to add approx 7300 rules to iptables blocking much of China and Russia, however it gets through adding approximately 400 rules before giving the following error for every subsequent attempt to add a rule to that chain:

iptables: Unknown error 18446744073709551615

I even tried manually adding rules afterwards and it won’t let me add them (it gives the same error).

The command to add each rule looks like this:

/sbin/iptables -A sshguard -s x.x.x.0/x -j DROP

sshguard is a chain I created for use with the sshguard daemon, and I wanted to add the rules there so I wasn’t muddying up the INPUT chain. The ip ranges I am supplying are not to blame here, as I have supplied valid ranges to test and they are met with the same error. Flushing the chain of rules and adding individual ones work, but again, not after ~400 entries.

I did some googling beforehand, but the others having this issue don’t seem to be having it for the same reasons I am.

Is there some kind of rule limit per chain with iptables? Also, is this the proper way to go about blocking these ranges (errors aside)?

# iptables -V
iptables v1.3.5

# cat /etc/issue
CentOS release 5.8 (Final)

# uname -a 
Linux 2.6.18-028stab101.1 #1 SMP Sun Jun 24 19:50:48 MSD 2012 x86_64 x86_64 x86_64 GNU/Linux

Edit: To clarify, the bash script is running each iptables command individually, not looping through a file or list of IPs.

Also, my purpose for blocking these ranges is preventative — I am trying to limit the amount of bots that scrape, crawl, or attempt to create spam accounts on a few of my websites. I am already using sshguard to block brute force attempts on my server, but that does not help with the other bots, obviously.

Asked By: Brendan


It’s not hard to debug, but if you convert the rules to pure iptables commands, and execute them one by one (use a shell script), you’d see the errors, normally would be missing of some ipt modules.

First use iptables-save to export current rules, then do something like this to debug that line-by-line:

egrep '^(-A|-I)' ok.rules | while read x; do iptables $x || { echo failed $x; break; }; done

I googled a bit, it seems to be a bug on CentOS’s default kernel config.

Answered By: daisy

There looks to be an open bug in RHEL regarding iptables.. You might be hitting it.

In the mean time, have you looked at something like denyhosts ? It will automatically add entries to hosts.deny as you are attacked (ssh attacks)

Just a thought.

Answered By: Mark Cohen

OK, I figured it out.

I should have mentioned that I had a Virtuozzo container for my VPS. mentions the following:

Also it might be required to increase numiptent barrier value to be
able to add more iptables rules:

~# vzctl set 101 --save --numiptent 400

FYI: The container has to be restarted for this to take effect.

This explains why I hit the limit at around 400. If I had CentOS 6, I would install the ipset module (EPEL) for iptables instead of adding all these rules (because ipset is fast).

As it stands now, on CentOS 5.9, I’d have to compile iptables > 1.4.4 and my kernel to get ipset. Since this is a VPS and my host may eventually upgrade to CentOS 6, I am not going to pursue that.

Answered By: Brendan
Categories: Answers Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.