From 139151ec8178dbbefcbaf42ea8694b50c10573d5 Mon Sep 17 00:00:00 2001
From: Arnaud <avcbvamorec@users.noreply.github.com>
Date: Fri, 27 Dec 2024 11:34:59 +0100
Subject: [PATCH] Update iptables.conf - allow bans to be efective on multiple
 chains at the same time

This patch allows the ban to be applied on the INPUT and the FORWARD chain at the time. May be useful at least on routing devices and on docker hosting machines.
---
 config/action.d/iptables.conf | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index c8314b9d..462e3ce4 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -65,22 +65,30 @@ rule-jump = -j <_ipt_rule_target>
 # Several capabilities used internally:
 
 _ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_ipt_for_chain-iter = for chain in $(echo '<chains>' | sed 's/,/ /g'); do
+_ipt_for_chain-done = done;
 _ipt_for_proto-done = done
 
 _ipt_add_rules = <_ipt_for_proto-iter>
-              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
+              <_ipt_for_chain-iter>
+              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I $chain %(_ipt_chain_rule)s; }
+              <_ipt_for_chain-done>
               <_ipt_for_proto-done>
 
 _ipt_del_rules = <_ipt_for_proto-iter>
-              <iptables> -D <chain> %(_ipt_chain_rule)s
+              <_ipt_for_chain-iter>
+              <iptables> -D $chain %(_ipt_chain_rule)s
+              <_ipt_for_chain-done>
               <_ipt_for_proto-done>
 
 _ipt_check_rules = <_ipt_for_proto-iter>
+              <_ipt_for_chain-iter>
               %(_ipt_check_rule)s
+              <_ipt_for_chain-done>
               <_ipt_for_proto-done>
 
 _ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
-_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
+_ipt_check_rule = <iptables> -C $chain %(_ipt_chain_rule)s
 _ipt_rule_target = f2b-<name>
 
 [ipt_oneport]
@@ -98,11 +106,12 @@ _chain_rule = -p $proto <rule-jump>
 
 [Init]
 
-# Option:  chain
-# Notes    specifies the iptables chain to which the Fail2Ban rules should be
-#          added
+# Option:  chains
+# Notes    specifies the iptables chains to which the Fail2Ban rules should be
+#          added. May be a sigle chain (eg. INPUT) or a comma separated list
+#          (eg. INPUT, FORWARD)
 # Values:  STRING  Default: INPUT
-chain = INPUT
+chains = INPUT
 
 # Default name of the chain
 #