diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 15f3cbcc..a9ffa9ae 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -3,6 +3,8 @@ # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko # made active on all ports from original iptables.conf +# Modified: Alexander Koeppe +# make config file IPv6 capable # # @@ -21,6 +23,10 @@ actionstart = -N f2b- -A f2b- -j -I -p -j f2b- +actionstart6 = -N f2b-6 + -A f2b-6 -j + -I -p -j f2b-6 + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD @@ -29,11 +35,16 @@ actionstop = -D -p -j f2b- -F f2b- -X f2b- +actionstop6 = -D -p -j f2b-6 + -F f2b-6 + -X f2b-6 + # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L | grep -q 'f2b-[ \t]' +actioncheck6 = -n -L | grep -q 'f2b-6[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -42,6 +53,7 @@ actioncheck = -n -L | grep -q 'f2b-[ \t]' # Values: CMD # actionban = -I f2b- 1 -s -j +actionban6 = -I f2b-6 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -50,6 +62,8 @@ actionban = -I f2b- 1 -s -j # Values: CMD # actionunban = -D f2b- -s -j +actionunban6 = -D f2b-6 -s -j + [Init] diff --git a/config/action.d/iptables-common.conf b/config/action.d/iptables-common.conf index 45819e3d..ad8d241e 100644 --- a/config/action.d/iptables-common.conf +++ b/config/action.d/iptables-common.conf @@ -6,6 +6,9 @@ # used in all iptables based actions by default. # # The user can override the defaults in iptables-common.local +# +# Modified: Alexander Koeppe +# made config file IPv6 capable [INCLUDES] 
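Review bot: The new actionban6 and actionstart6 rules in the second hunk of iptables-allports.conf (`-I f2b-…6 1 -s … -j …`) need to jump to the `blocktype6` target that iptables-common.conf introduces rather than to `blocktype`, because `--reject-with icmp-port-unreachable` is not accepted by ip6tables and a failed insert leaves the address unbanned; the substitution placeholders are not visible in this rendering, so please confirm which key each `*6` variant references. The same check applies to the `*6` keys added in iptables-multiport.conf, iptables-new.conf, iptables.conf, iptables-multiport-log.conf and the two ipset files. Nothing in the diff shows how the `*6` variants are selected by address family, so if the action layer does not dispatch on it, IPv6 addresses would still reach the IPv4 `actionban`. Every new key is also added without the `# Option:` / `# Notes.:` / `# Values:` header that the neighbouring keys carry; a one-line `# IPv6 counterpart of actionban, run through ip6tables` above each would keep the files self-documenting. The header comment added to this file reads `make config file IPv6 capable` while the other files say `made`.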
@@ -43,6 +46,7 @@ protocol = tcp # REJECT, REJECT --reject-with icmp-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp-port-unreachable +blocktype6 = REJECT --reject-with icmp6-port-unreachable # Option: returntype # Note: This is the default rule on "actionstart". This should be RETURN @@ -62,3 +66,8 @@ lockingopt = -w # Notes.: Actual command to be executed, including common to all calls options # Values: STRING iptables = iptables + +# Option: ip6tables +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +ip6tables = ip6tables diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf index 1f1d336f..0bc2baa8 100644 --- a/config/action.d/iptables-ipset-proto6-allports.conf +++ b/config/action.d/iptables-ipset-proto6-allports.conf @@ -12,6 +12,9 @@ # # If you are running on an older kernel you make need to patch in external # modules which probably won't be protocol version 6. +# +# Modified: Alexander Koeppe +# made config file IPv6 capable [INCLUDES] @@ -26,6 +29,9 @@ before = iptables-common.conf actionstart = ipset create f2b- hash:ip timeout -I -m set --match-set f2b- src -j +actionstart6 = ipset create f2b-6 hash:ip timeout family inet6 + -I -m set --match-set f2b-6 src -j + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD @@ -34,6 +40,10 @@ actionstop = -D -m set --match-set f2b- src -j ipset destroy f2b- +actionstop6 = -D -m set --match-set f2b-6 src -j + ipset flush f2b-6 + ipset destroy f2b-6 + # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. @@ -41,6 +51,7 @@ actionstop = -D -m set --match-set f2b- src -j timeout -exist +actionban6 = ipset add f2b-6 timeout -exist # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
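Review bot: The new `ip6tables = ip6tables` key at the end of iptables-common.conf should append the same trailing options as the `iptables` key directly above it; the hunk header shows `lockingopt = -w` defined in this file, and if `iptables` picks it up (the substitution is not visible here) while `ip6tables` does not, concurrent ip6tables invocations fail on the xtables lock instead of waiting and the ban is silently lost. In the earlier hunk of the same file `blocktype6` is placed under the IPv4 `blocktype` comment block, whose text still lists only `icmp-port-unreachable`; give it its own header, e.g. `# Option: blocktype6` / `# Notes.: IPv6 counterpart of blocktype; ip6tables reject types are icmp6-*` / `# Values: STRING`, matching the header the commit already writes for `ip6tables`.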
@@ -49,6 +60,7 @@ actionban = ipset add f2b- timeout -exist # Values: CMD # actionunban = ipset del f2b- -exist +actionunban6 = ipset del f2b-6 -exist [Init] diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index 3b51ef58..4321e1fb 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf @@ -12,6 +12,9 @@ # # If you are running on an older kernel you make need to patch in external # modules. +# +# Modified: Alexander Koeppe +# made config file IPv6 capable [INCLUDES] @@ -26,6 +29,9 @@ before = iptables-common.conf actionstart = ipset create f2b- hash:ip timeout -I -p -m multiport --dports -m set --match-set f2b- src -j +actionstart6 = ipset create f2b-6 hash:ip timeout family inet6 + -I -p -m multiport --dports -m set --match-set f2b-6 src -j + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD @@ -34,6 +40,10 @@ actionstop = -D -p -m multiport --dports -m ipset flush f2b- ipset destroy f2b- +actionstop6 = -D -p -m multiport --dports -m set --match-set f2b-6 src -j + ipset flush f2b-6 + ipset destroy f2b-6 + # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. @@ -41,6 +51,7 @@ actionstop = -D -p -m multiport --dports -m # Values: CMD # actionban = ipset add f2b- timeout -exist +actionban6 = ipset add f2b-6 timeout -exist # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,6 +60,7 @@ actionban = ipset add f2b- timeout -exist # Values: CMD # actionunban = ipset del f2b- -exist +actionunban6 = ipset del f2b-6 -exist [Init] diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 1777ce62..f98c6884 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf 
@@ -7,6 +7,8 @@ # make "f2b--log" chain to log and drop # insert a jump to f2b- from -I if proto/port match # +# Modified: Alexander Koeppe +# made config file IPv6 capable # [INCLUDES] @@ -26,6 +28,13 @@ actionstart = -N f2b- -I f2b--log -j LOG --log-prefix "$(expr f2b- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 -A f2b--log -j +actionstart6 = -N f2b-6 + -A f2b-6 -j + -I 1 -p -m multiport --dports -j f2b-6 + -N f2b-6-log + -I f2b-6-log -j LOG --log-prefix "$(expr f2b-6 : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 + -A f2b-6-log -j + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD @@ -36,11 +45,18 @@ actionstop = -D -p -m multiport --dports -j -X f2b- -X f2b--log +actionstop6 = -D -p -m multiport --dports -j f2b-6 + -F f2b-6 + -F f2b-6-log + -X f2b-6 + -X f2b-6-log + # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L f2b--log >/dev/null +actioncheck6 = -n -L f2b-6-log >/dev/null # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -49,6 +65,7 @@ actioncheck = -n -L f2b--log >/dev/null # Values: CMD # actionban = -I f2b- 1 -s -j f2b--log +actionban6 = -I f2b-6 1 -s -j f2b-6-log # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -57,6 +74,7 @@ actionban = -I f2b- 1 -s -j f2b--log # Values: CMD # actionunban = -D f2b- -s -j f2b--log +actionunban6 = -D f2b-6 -s -j f2b-6-log [Init] diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index 9fd87d20..5a5bd746 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -2,6 +2,8 @@ # # Author: Cyril Jaquier # Modified by Yaroslav Halchenko for multiport banning +# Modified: Alexander Koeppe +# made config file IPv6 capable # [INCLUDES] 
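Review bot: The `--log-prefix` in the new actionstart6 of iptables-multiport-log.conf (`$(expr f2b-…6 : '\(.\{1,23\}\)'):DROP `) truncates the chain name to 23 characters exactly like the IPv4 rule, and since the IPv6 chain name appears to be the IPv4 name with a `6` appended, any jail name long enough to hit the limit loses that suffix and IPv4 and IPv6 drops become indistinguishable in the kernel log. If the marker matters for triage, truncate the jail name to 22 characters before appending the `6`, or place the family marker ahead of the name in the IPv6 prefix. actioncheck6 (`-n -L f2b-…6-log >/dev/null`) is unaffected because it queries the untruncated chain.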
@@ -18,6 +20,10 @@ actionstart = -N f2b- -A f2b- -j -I -p -m multiport --dports -j f2b- +actionstart6 = -N f2b-6 + -A f2b-6 -j + -I -p -m multiport --dports -j f2b-6 + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD @@ -26,11 +32,16 @@ actionstop = -D -p -m multiport --dports -j -F f2b- -X f2b- +actionstop6 = -D -p -m multiport --dports -j f2b-6 + -F f2b-6 + -X f2b-6 + # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L | grep -q 'f2b-[ \t]' +actioncheck6 = -n -L | grep -q 'f2b-6[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -39,6 +50,7 @@ actioncheck = -n -L | grep -q 'f2b-[ \t]' # Values: CMD # actionban = -I f2b- 1 -s -j +actionban6 = -I f2b-6 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -47,6 +59,7 @@ actionban = -I f2b- 1 -s -j # Values: CMD # actionunban = -D f2b- -s -j +actionunban6 = -D f2b-6 -s -j [Init] diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 795bc601..89e58a50 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -4,6 +4,8 @@ # Copied from iptables.conf and modified by Yaroslav Halchenko # to fulfill the needs of bugreporter dbts#350746. # +# Modified: Alexander Koeppe +# made config file IPv6 capable # [INCLUDES] @@ -20,6 +22,10 @@ actionstart = -N f2b- -A f2b- -j -I -m state --state NEW -p --dport -j f2b- +actionstart6 = -N f2b-6 + -A f2b-6 -j + -I -m state --state NEW -p --dport -j f2b-6 + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD @@ -28,11 +34,16 @@ actionstop = -D -m state --state NEW -p --dport

-F f2b- -X f2b- +actionstop6 = -D -m state --state NEW -p --dport -j f2b-6 + -F f2b-6 + -X f2b-6 + # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L | grep -q 'f2b-[ \t]' +actioncheck6 = -n -L | grep -q 'f2b-6[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -41,6 +52,7 @@ actioncheck = -n -L | grep -q 'f2b-[ \t]' # Values: CMD # actionban = -I f2b- 1 -s -j +actionban6 = -I f2b-6 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,6 +61,7 @@ actionban = -I f2b- 1 -s -j # Values: CMD # actionunban = -D f2b- -s -j +actionunban6 = -D f2b-6 -s -j [Init] diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index d3d43f86..336915cf 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -2,6 +2,8 @@ # # Author: Zbigniew Jędrzejewski-Szmek # +# Modified: Alexander Koeppe +# made config file IPv6 capable # [INCLUDES] @@ -33,6 +35,7 @@ before = iptables-common.conf # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. actionstart = if [ `id -u` -eq 0 ];then -I -m recent --update --seconds 3600 --name f2b- -j ;fi +actionstart6 = if [ `id -u` -eq 0 ];then -I -m recent --update --seconds 3600 --name f2b-6 -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban 
@@ -40,12 +43,15 @@ actionstart = if [ `id -u` -eq 0 ];then -I -m recent --update # actionstop = echo / > /proc/net/xt_recent/f2b- if [ `id -u` -eq 0 ];then -D -m recent --update --seconds 3600 --name f2b- -j ;fi +actionstop6 = echo / > /proc/net/xt_recent/f2b-6 + if [ `id -u` -eq 0 ];then -D -m recent --update --seconds 3600 --name f2b-6 -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = test -e /proc/net/xt_recent/f2b- +actioncheck6 = test -e /proc/net/xt_recent/f2b-6 # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -54,6 +60,7 @@ actioncheck = test -e /proc/net/xt_recent/f2b- # Values: CMD # actionban = echo + > /proc/net/xt_recent/f2b- +actionban6 = echo + > /proc/net/xt_recent/f2b-6 # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -62,6 +69,7 @@ actionban = echo + > /proc/net/xt_recent/f2b- # Values: CMD # actionunban = echo - > /proc/net/xt_recent/f2b- +actionunban6 = echo - > /proc/net/xt_recent/f2b-6 [Init] diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index 38985ffa..9ef8f1a1 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -2,6 +2,8 @@ # # Author: Cyril Jaquier # +# Modified: Alexander Koeppe +# made config file IPv6 capable # [INCLUDES] @@ -18,6 +20,10 @@ actionstart = -N f2b- -A f2b- -j -I -p --dport -j f2b- +actionstart6 = -N f2b-6 + -A f2b-6 -j + -I -p --dport -j f2b-6 + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD 
@@ -26,11 +32,16 @@ actionstop = -D -p --dport -j f2b- -F f2b- -X f2b- +actionstop6 = -D -p --dport -j f2b-6 + -F f2b-6 + -X f2b-6 + # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L | grep -q 'f2b-[ \t]' +actioncheck6 = -n -L | grep -q 'f2b-6[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -39,6 +50,7 @@ actioncheck = -n -L | grep -q 'f2b-[ \t]' # Values: CMD # actionban = -I f2b- 1 -s -j +actionban6 = -I f2b-6 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -47,6 +59,7 @@ actionban = -I f2b- 1 -s -j # Values: CMD # actionunban = -D f2b- -s -j +actionunban6 = -D f2b-6 -s -j [Init]