introduce action*6 statements for iptables config files

2016-03-12 15:33:36 +01:00 · 2016-03-12 15:33:36 +01:00 · 13ae078797
parent 5e9fd58c45
commit 13ae078797
9 changed files with 112 additions and 0 deletions
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@ -3,6 +3,8 @@
 # Author: Cyril Jaquier
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
 # 			made active on all ports from original iptables.conf
+# Modified: Alexander Koeppe <format_c@online.de>
+#        make config file IPv6 capable
 #
 #

@ -21,6 +23,10 @@ actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>

+actionstart6 = <ip6tables> -N f2b-<name>6
+               <ip6tables> -A f2b-<name>6 -j <returntype>
+               <ip6tables> -I <chain> -p <protocol> -j f2b-<name>6
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -29,11 +35,16 @@ actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

+actionstop6 = <ip6tables> -D <chain> -p <protocol> -j f2b-<name>6
+              <ip6tables> -F f2b-<name>6
+              <ip6tables> -X f2b-<name>6
+
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck6 = <ip6tables> -n -L <chain> | grep -q 'f2b-<name>6[ \t]'

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -42,6 +53,7 @@ actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban6 = <ip6tables> -I f2b-<name>6 1 -s <ip> -j <blocktype6>

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -50,6 +62,8 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+actionunban6 = <ip6tables> -D f2b-<name>6 -s <ip> -j <blocktype6>
+

 [Init]

--- a/config/action.d/iptables-common.conf
+++ b/config/action.d/iptables-common.conf
@ -6,6 +6,9 @@
 # used in all iptables based actions by default.
 #
 # The user can override the defaults in iptables-common.local
+#
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable

 [INCLUDES]

@ -43,6 +46,7 @@ protocol = tcp
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
+blocktype6 = REJECT --reject-with icmp6-port-unreachable

 # Option:  returntype
 # Note:    This is the default rule on "actionstart". This should be RETURN
@ -62,3 +66,8 @@ lockingopt = -w
 # Notes.:  Actual command to be executed, including common to all calls options
 # Values:  STRING
 iptables = iptables <lockingopt>
+
+# Option:  ip6tables
+# Notes.:  Actual command to be executed, including common to all calls options
+# Values:  STRING
+ip6tables = ip6tables <lockingopt>
--- a/config/action.d/iptables-ipset-proto6-allports.conf
+++ b/config/action.d/iptables-ipset-proto6-allports.conf
@ -12,6 +12,9 @@
 #
 # If you are running on an older kernel you make need to patch in external
 # modules which probably won't be protocol version 6.
+#
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable

 [INCLUDES]

@ -26,6 +29,9 @@ before = iptables-common.conf
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
              <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>

+actionstart6 = ipset create f2b-<name>6 hash:ip timeout <bantime> family inet6
+               <ip6tables> -I <chain> -m set --match-set f2b-<name>6 src -j <blocktype6>
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -34,6 +40,10 @@ actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blockty
             ipset flush f2b-<name>
             ipset destroy f2b-<name>

+actionstop6 = <ip6tables> -D <chain> -m set --match-set f2b-<name>6 src -j <blocktype6>
+              ipset flush f2b-<name>6
+              ipset destroy f2b-<name>6
+
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
@ -41,6 +51,7 @@ actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blockty
 # Values:  CMD
 #
 actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+actionban6 = ipset add f2b-<name>6 <ip> timeout <bantime> -exist

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,6 +60,7 @@ actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
 # Values:  CMD
 #
 actionunban = ipset del f2b-<name> <ip> -exist
+actionunban6 = ipset del f2b-<name>6 <ip> -exist

 [Init]

--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@ -12,6 +12,9 @@
 #
 # If you are running on an older kernel you make need to patch in external
 # modules.
+#
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable

 [INCLUDES]

@ -26,6 +29,9 @@ before = iptables-common.conf
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>

+actionstart6 = ipset create f2b-<name>6 hash:ip timeout <bantime> family inet6
+               <ip6tables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name>6 src -j <blocktype6>
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -34,6 +40,10 @@ actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m
             ipset flush f2b-<name>
             ipset destroy f2b-<name>

+actionstop6 = <ip6tables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name>6 src -j <blocktype6>
+              ipset flush f2b-<name>6
+              ipset destroy f2b-<name>6
+
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
@ -41,6 +51,7 @@ actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m
 # Values:  CMD
 #
 actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+actionban6 = ipset add f2b-<name>6 <ip> timeout <bantime> -exist

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,6 +60,7 @@ actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
 # Values:  CMD
 #
 actionunban = ipset del f2b-<name> <ip> -exist
+actionunban6 = ipset del f2b-<name>6 <ip> -exist

 [Init]

--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@ -7,6 +7,8 @@
 # make "f2b-<name>-log" chain to log and drop
 # insert a jump to f2b-<name> from -I <chain> if proto/port match
 #
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable
 #

 [INCLUDES]
@ -26,6 +28,13 @@ actionstart = <iptables> -N f2b-<name>
              <iptables> -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
              <iptables> -A f2b-<name>-log -j <blocktype>

+actionstart6 = <ip6tables> -N f2b-<name>6
+               <ip6tables> -A f2b-<name>6 -j <returntype>
+               <ip6tables> -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>6
+               <ip6tables> -N f2b-<name>6-log
+               <ip6tables> -I f2b-<name>6-log -j LOG --log-prefix "$(expr f2b-<name>6 : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+               <ip6tables> -A f2b-<name>6-log -j <blocktype6>
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -36,11 +45,18 @@ actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j
             <iptables> -X f2b-<name>
             <iptables> -X f2b-<name>-log

+actionstop6 = <ip6tables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>6
+              <ip6tables> -F f2b-<name>6
+              <ip6tables> -F f2b-<name>6-log
+              <ip6tables> -X f2b-<name>6
+              <ip6tables> -X f2b-<name>6-log
+
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L f2b-<name>-log >/dev/null
+actioncheck6 = <ip6tables> -n -L f2b-<name>6-log >/dev/null

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -49,6 +65,7 @@ actioncheck = <iptables> -n -L f2b-<name>-log >/dev/null
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
+actionban6 = <ip6tables> -I f2b-<name>6 1 -s <ip> -j f2b-<name>6-log

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -57,6 +74,7 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log
+actionunban6 = <ip6tables> -D f2b-<name>6 -s <ip> -j f2b-<name>6-log

 [Init]

--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@ -2,6 +2,8 @@
 #
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable
 #

 [INCLUDES]
@ -18,6 +20,10 @@ actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

+actionstart6 = <ip6tables> -N f2b-<name>6
+               <ip6tables> -A f2b-<name>6 -j <returntype>
+               <ip6tables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>6
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -26,11 +32,16 @@ actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

+actionstop6 = <ip6tables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>6
+              <ip6tables> -F f2b-<name>6
+              <ip6tables> -X f2b-<name>6
+
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck6 = <ip6tables> -n -L <chain> | grep -q 'f2b-<name>6[ \t]'

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -39,6 +50,7 @@ actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban6 = <ip6tables> -I f2b-<name>6 1 -s <ip> -j <blocktype6>

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -47,6 +59,7 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+actionunban6 = <ip6tables> -D f2b-<name>6 -s <ip> -j <blocktype6>

 [Init]

--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@ -4,6 +4,8 @@
 # Copied from iptables.conf and modified by Yaroslav Halchenko 
 #  to fulfill the needs of bugreporter dbts#350746.
 #
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable
 #

 [INCLUDES]
@ -20,6 +22,10 @@ actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>

+actionstart6 = <ip6tables> -N f2b-<name>6
+               <ip6tables> -A f2b-<name>6 -j <returntype>
+               <ip6tables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>6
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -28,11 +34,16 @@ actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <p
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

+actionstop6 = <ip6tables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>6
+              <ip6tables> -F f2b-<name>6
+              <ip6tables> -X f2b-<name>6
+
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck6 = <ip6tables> -n -L <chain> | grep -q 'f2b-<name>6[ \t]'

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -41,6 +52,7 @@ actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban6 = <ip6tables> -I f2b-<name>6 1 -s <ip> -j <blocktype6>

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,6 +61,7 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+actionunban6 = <ip6tables> -D f2b-<name>6 -s <ip> -j <blocktype6>

 [Init]

--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@ -2,6 +2,8 @@
 #
 # Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
 #
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable
 #

 [INCLUDES]
@ -33,6 +35,7 @@ before = iptables-common.conf
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
 actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+actionstart6 = if [ `id -u` -eq 0 ];then <ip6tables> -I <chain> -m recent --update --seconds 3600 --name f2b-<name>6 -j <blocktype6>;fi

 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -40,12 +43,15 @@ actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update
 #
 actionstop = echo / > /proc/net/xt_recent/f2b-<name>
             if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+actionstop6 = echo / > /proc/net/xt_recent/f2b-<name>6
+             if [ `id -u` -eq 0 ];then <ip6tables> -D <chain> -m recent --update --seconds 3600 --name f2b-<name>6 -j <blocktype6>;fi

 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = test -e /proc/net/xt_recent/f2b-<name>
+actioncheck6 = test -e /proc/net/xt_recent/f2b-<name>6

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -54,6 +60,7 @@ actioncheck = test -e /proc/net/xt_recent/f2b-<name>
 # Values:  CMD
 #
 actionban = echo +<ip> > /proc/net/xt_recent/f2b-<name>
+actionban6 = echo +<ip> > /proc/net/xt_recent/f2b-<name>6

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -62,6 +69,7 @@ actionban = echo +<ip> > /proc/net/xt_recent/f2b-<name>
 # Values:  CMD
 #
 actionunban = echo -<ip> > /proc/net/xt_recent/f2b-<name>
+actionunban6 = echo -<ip> > /proc/net/xt_recent/f2b-<name>6

 [Init]

--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@ -2,6 +2,8 @@
 #
 # Author: Cyril Jaquier
 #
+# Modified: Alexander Koeppe <format_c@online.de>
+#       made config file IPv6 capable
 #

 [INCLUDES]
@ -18,6 +20,10 @@ actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>

+actionstart6 = <ip6tables> -N f2b-<name>6
+               <ip6tables> -A f2b-<name>6 -j <returntype>
+               <ip6tables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>6
+
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
@ -26,11 +32,16 @@ actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

+actionstop6 = <ip6tables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>6
+              <ip6tables> -F f2b-<name>6
+              <ip6tables> -X f2b-<name>6
+
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck6 = <ip6tables> -n -L <chain> | grep -q 'f2b-<name>6[ \t]'

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -39,6 +50,7 @@ actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban6 = <ip6tables> -I f2b-<name>6 1 -s <ip> -j <blocktype6>

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -47,6 +59,7 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+actionunban6 = <ip6tables> -D f2b-<name>6 -s <ip> -j <blocktype6>

 [Init]