From 3831fbf98b87fed2f5882e3190e10dfa0dd0e55c Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:41 +0000 Subject: [PATCH] ENH: add to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@771 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/action.d/iptables-allports.conf | 11 ++++++++--- config/action.d/iptables-multiport-log.conf | 12 +++++++++--- config/action.d/iptables-multiport.conf | 11 ++++++++--- config/action.d/iptables-new.conf | 11 ++++++++--- config/action.d/iptables.conf | 11 ++++++++--- 5 files changed, 41 insertions(+), 15 deletions(-) diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 123bac69..1cc2daba 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -j fail2ban- + iptables -I -p -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -j fail2ban- +actionstop = iptables -D -p -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -63,3 +63,8 @@ name = default # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 3b4621db..9cdc4bab 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -5,7 +5,7 @@ # # make "fail2ban-" chain to match drop IP # make "fail2ban--log" chain to log and drop -# insert a jump to fail2ban- from -I INPUT if proto/port match +# insert a jump to fail2ban- from -I if proto/port match # # $Revision$ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT 1 -p -m multiport --dports -j fail2ban- + iptables -I 1 -p -m multiport --dports -j fail2ban- iptables -N fail2ban--log iptables -I fail2ban--log -j LOG --log-prefix "$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban--log -j DROP @@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban- # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -F fail2ban--log iptables -X fail2ban- @@ -76,3 +76,9 @@ port = ssh # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index fe3712d5..ad554f5c 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -m multiport --dports -j fail2ban- + iptables -I -p -m multiport --dports -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -j fai # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 373826c2..c249de2d 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -m state --state NEW -p --dport -j fail2ban- + iptables -I -m state --state NEW -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p --dport -j fail2ban- +actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p --dport # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -69,3 +69,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index daef9267..09cfb98b 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p --dport -j fail2ban- + iptables -I -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p --dport -j fail2ban- +actionstop = iptables -D -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p --dport -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT