github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Instead of allow-iptables-multiport actions swap blocktype and (new) returntype

pull/1112/head
Viktor Szépe 2015-07-11 18:20:09 +02:00
parent 5d60700c0c
commit 5b7e1de2f4
8 changed files with 22 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
config/action.d/allow-iptables-multiport.conf
View File

@ -1,59 +0,0 @@
# Fail2Ban configuration file for allowing hosts
#
# WARNING
# Please be aware that all users behind NAT will access the service on the specified port.
# You should protect this service with another jail that has very long bantime.
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j <blocktype>
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
iptables -F f2b-<name>
iptables -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I f2b-<name> 1 -s <ip> -j <allowtype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D f2b-<name> -s <ip> -j <allowtype>
[Init]
# Option: allowtype
# Notes: ACCEPT skips other chains
# Value: [ RETURN | ACCEPT ]
#
allowtype = RETURN
# Author: Viktor Szépe

2
config/action.d/iptables-allports.conf
View File

@ -18,7 +18,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -p <protocol> -j f2b-<name> iptables -I <chain> -p <protocol> -j f2b-<name>
# Option: actionstop # Option: actionstop

6
config/action.d/iptables-common.conf
View File

@ -43,3 +43,9 @@ protocol = tcp
# REJECT, REJECT --reject-with icmp-port-unreachable # REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING # Values: STRING
blocktype = REJECT --reject-with icmp-port-unreachable blocktype = REJECT --reject-with icmp-port-unreachable
# Option: returntype
# Note: This is the default rule on "actionstart". This should be RETURN
# in all (blocking) actions, except REJECT in allowing actions.
# Values: STRING
returntype = RETURN

2
config/action.d/iptables-multiport-log.conf
View File

@ -20,7 +20,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name> iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
iptables -N f2b-<name>-log iptables -N f2b-<name>-log
iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2

2
config/action.d/iptables-multiport.conf
View File

@ -15,7 +15,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop # Option: actionstop

2
config/action.d/iptables-new.conf
View File

@ -17,7 +17,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name> iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop # Option: actionstop

2
config/action.d/iptables.conf
View File

@ -15,7 +15,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name> iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop # Option: actionstop

20
config/jail.conf
View File

@ -770,13 +770,15 @@ maxretry = 1
[pass2allow] [pass2allow]
# allow FTP traffic after successful HTTP auth # allow FTP traffic after successful HTTP auth
enabled = false enabled = false
filter = apache-pass filter = apache-pass
banaction = allow-iptables-multiport banaction = iptables-multiport
blocktype = RETURN
returntype = DROP
# access log of the website with HTTP auth # access log of the website with HTTP auth
logpath = /var/log/apache2/access.log logpath = /var/log/apache2/access.log
port = ftp,ftp-data,ftps,ftps-data port = ftp,ftp-data,ftps,ftps-data
protocol = tcp protocol = tcp
bantime = 3600 bantime = 3600
maxretry = 1 maxretry = 1
findtime = 1 findtime = 1