github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

ENH: Add <chain> to iptables-ipsets.

pull/739/head
SATO Kentaro 2014-06-16 21:15:03 +09:00
parent dd75d35420
commit 1e1c4ac62a
5 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -38,6 +38,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
* Fail2ban-regex - add print-all-matched option. Closes gh-652 * Fail2ban-regex - add print-all-matched option. Closes gh-652
* Suppress fail2ban-client warnings for non-critical config options * Suppress fail2ban-client warnings for non-critical config options
* Match non "Bye Bye" disconnect messages for sshd locked account regex * Match non "Bye Bye" disconnect messages for sshd locked account regex
* Add <chain> tag to iptables-ipsets.
ver. 0.9.0 (2014/03/14) - beta ver. 0.9.0 (2014/03/14) - beta
---------- ----------

1
THANKS
View File

@ -85,6 +85,7 @@ Robert Edeker
Rolf Fokkens Rolf Fokkens
Roman Gelfand Roman Gelfand
Russell Odom Russell Odom
SATO Kentaro
Sebastian Arcus Sebastian Arcus
Sireyessire Sireyessire
silviogarbes silviogarbes

10
config/action.d/iptables-ipset-proto4.conf
View File

@ -28,13 +28,13 @@ before = iptables-blocktype.conf
# Values: CMD # Values: CMD
# #
actionstart = ipset --create f2b-<name> iphash actionstart = ipset --create f2b-<name> iphash
iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop # Option: actionstop
# Notes.: command executed once at the end of Fail2Ban # Notes.: command executed once at the end of Fail2Ban
# Values: CMD # Values: CMD
# #
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
ipset --flush f2b-<name> ipset --flush f2b-<name>
ipset --destroy f2b-<name> ipset --destroy f2b-<name>
@ -60,6 +60,12 @@ actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
# #
name = default name = default
# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
# Option: port # Option: port
# Notes.: specifies port to monitor # Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default: ssh # Values: [ NUM | STRING ] Default: ssh

10
config/action.d/iptables-ipset-proto6-allports.conf
View File

@ -25,13 +25,13 @@ before = iptables-blocktype.conf
# Values: CMD # Values: CMD
# #
actionstart = ipset create f2b-<name> hash:ip timeout <bantime> actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
iptables -I INPUT -m set --match-set f2b-<name> src -j <blocktype> iptables -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop # Option: actionstop
# Notes.: command executed once at the end of Fail2Ban # Notes.: command executed once at the end of Fail2Ban
# Values: CMD # Values: CMD
# #
actionstop = iptables -D INPUT -m set --match-set f2b-<name> src -j <blocktype> actionstop = iptables -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
ipset flush f2b-<name> ipset flush f2b-<name>
ipset destroy f2b-<name> ipset destroy f2b-<name>
@ -57,6 +57,12 @@ actionunban = ipset del f2b-<name> <ip> -exist
# #
name = default name = default
# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
# Option: bantime # Option: bantime
# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values: [ NUM ] Default: 600 # Values: [ NUM ] Default: 600

10
config/action.d/iptables-ipset-proto6.conf
View File

@ -25,13 +25,13 @@ before = iptables-blocktype.conf
# Values: CMD # Values: CMD
# #
actionstart = ipset create f2b-<name> hash:ip timeout <bantime> actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop # Option: actionstop
# Notes.: command executed once at the end of Fail2Ban # Notes.: command executed once at the end of Fail2Ban
# Values: CMD # Values: CMD
# #
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
ipset flush f2b-<name> ipset flush f2b-<name>
ipset destroy f2b-<name> ipset destroy f2b-<name>
@ -57,6 +57,12 @@ actionunban = ipset del f2b-<name> <ip> -exist
# #
name = default name = default
# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
# Option: port # Option: port
# Notes.: specifies port to monitor # Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default: ssh # Values: [ NUM | STRING ] Default: ssh