Adamm
Part of the Furniture
Since new flavours of those block scripts seem to be trendy lately...
Any of you considered implementing it at the RPDB level? Might possibly be more efficient than iptables...
Code:
/ # ip route add prohibit 4.2.2.2
/ # ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
ping: sendto: Network is unreachable
(runs away to hide)
From what I've read, IPSet is more suited for these types of Blacklists;
Null routing, just like iptables drop rules, prevents any remote system from establishing (SYN) a connection. The difference is that with null routing traffic is still(!) received: your system just can't send anything (SYN,ACK) back, while iptables is more fine grained and explicitly drops that traffic.
Although for performance gains I have been testing using the "raw" table, that way the packets are handled sooner, without the need to go through conntrack+mangle+nat+routing.
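As an added illustration of the ipset plus "raw" table approach described above (example script, not code posted in this thread), this turns a blocklist file into the commands that drop matching sources in PREROUTING of the raw table; the set name, file format and chain are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: turn a blocklist file into the ipset and
# iptables commands that drop matching sources in the "raw" table, i.e. before
# conntrack, mangle, nat and routing. Set name, file format and chain are
# assumptions for illustration.
set -u

# Accept "a.b.c.d" or "a.b.c.d/n" with octets <= 255 and prefix <= 32.
# Runs in a subshell so the IFS change stays local.
is_ipv4_net() (
    addr=${1%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32
    case $addr in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    case $pfx in *[!0-9]*|'') return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0
    IFS=.
    for o in $addr; do
        n=$((n + 1))
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
)

# Print the commands for one blocklist. Blank lines and '#' comments are
# skipped; malformed entries are reported on stderr instead of being passed
# to ipset. Output is idempotent (-exist, -C before -I) so it can be re-run.
gen_blocklist_rules() {
    set_name=$1
    list_file=$2
    echo "ipset create $set_name hash:net family inet -exist"
    echo "ipset flush $set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if is_ipv4_net "$entry"; then
            echo "ipset add $set_name $entry -exist"
        else
            echo "skipping malformed entry: $entry" >&2
        fi
    done < "$list_file"
    # The raw table is consulted before conntrack, so matches never create
    # a connection entry; -C avoids duplicate rules on repeated runs.
    rule="PREROUTING -m set --match-set $set_name src -j DROP"
    echo "iptables -t raw -C $rule 2>/dev/null || iptables -t raw -I $rule"
}
```

Pipe the output through `sh` as root to apply it, e.g. `gen_blocklist_rules badhosts /tmp/blocklist.txt | sh`.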