Will blocking all connections outside of the US, aside from port 80 cause a high server load?

Big Iron asked:

Like most servers (I assume), we have people trying to brute force our services 24/7. I have cpHulk blacklist their IP’s, but it seems like it’d be better if they didn’t get that far in the first place. Myself and my host are the only ones who connect to the server on ports other than 80, so I’d like to block connections from all countries outside the US, except for port 80. I contacted my host to set this up, but they were hesitant because they said it would create an exceptionally high server load. It’s a dedicated Xeon 1230 server with 32GB RAM running CentOS 6.6 and iptables.

First, any reason not to do this? Second, is what my host told me correct? Third, is there any way to accomplish this without a high performance impact?

My answer:

In order to do this, you would have to add tens of thousands of firewall rules, one for each netblock, where a country may have anywhere from one to several thousand netblocks associated with it.

When a request comes in, it would have to be checked against every single rule, which takes very little time for a few dozen or maybe even a few hundred rules, but with as many rules as you would need to use, (1) every request will be slowed down significantly and (2) it will use a lot of CPU.

The way to do this without a significant performance impact is by doing what you’re already doing: blocking only those specific addresses which are being problematic.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.