Merge pull request #739 from ranvis/enh-iptables-ipsets

ENH: Add <chain> to iptables-ipsets.
2014-06-21 22:48:49 +01:00 · 2014-06-21 22:48:49 +01:00 · 76a5633ff9
parent 94232d7c31 65ff3e9604
commit 76a5633ff9
16 changed files with 69 additions and 223 deletions
--- a/1
+++ b/1
@ -39,6 +39,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
   * Fail2ban-regex - add print-all-matched option. Closes gh-652
   * Suppress fail2ban-client warnings for non-critical config options
   * Match non "Bye Bye" disconnect messages for sshd locked account regex
   * Add <chain> tag to iptables-ipsets.
 ver. 0.9.0 (2014/03/14) - beta
 ----------
--- a/2
+++ b/2
@ -258,7 +258,7 @@ config/action.d/dummy.conf
 config/action.d/firewallcmd-new.conf
 config/action.d/firewallcmd-ipset.conf
 config/action.d/iptables-ipset-proto6-allports.conf
-config/action.d/iptables-blocktype.conf
+config/action.d/iptables-common.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf
 config/action.d/iptables-xt_recent-echo.conf
--- a/1
+++ b/1
@ -87,6 +87,7 @@ Robert Edeker
 Rolf Fokkens
 Roman Gelfand
 Russell Odom
 SATO Kentaro
 Sebastian Arcus
 Serg G. Brester
 Sireyessire
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@ -14,7 +14,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -31,22 +31,6 @@ actionunban = ipset del fail2ban-<name> <ip> -exist
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ]
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
--- a/config/action.d/firewallcmd-new.conf
+++ b/config/action.d/firewallcmd-new.conf
@ -4,7 +4,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -24,22 +24,6 @@ actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <i
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ]
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@ -8,7 +8,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -53,18 +53,3 @@ actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-blocktype.conf
+++ b/config/action.d/iptables-blocktype.conf
@ -1,22 +0,0 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is a included configuration file and includes the defination for the blocktype
 # used in all iptables based actions by default.
 #
 # The user can override the default in iptables-blocktype.local
 [INCLUDES]
 after = iptables-blocktype.local
 [Init]
 # Option:  blocktype
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
--- a/config/action.d/iptables-common.conf
+++ b/config/action.d/iptables-common.conf
@ -0,0 +1,45 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is a included configuration file and includes the definitions for the iptables
 # used in all iptables based actions by default.
 #
 # The user can override the defaults in iptables-common.local
 [INCLUDES]
 after = iptables-blocktype.local
        iptables-common.local
 # iptables-blocktype.local is obsolete
 [Init]
 # Option:  chain
 # Notes    specifies the iptables chain to which the Fail2Ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  blocktype
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@ -19,7 +19,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -28,13 +28,13 @@ before = iptables-blocktype.conf
 # Values:  CMD
 #
 actionstart = ipset --create f2b-<name> iphash
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset --flush f2b-<name>
             ipset --destroy f2b-<name>
@ -56,18 +56,3 @@ actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
 [Init]
 # Default name of the ipset
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default: ssh
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
--- a/config/action.d/iptables-ipset-proto6-allports.conf
+++ b/config/action.d/iptables-ipset-proto6-allports.conf
@ -15,8 +15,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -25,13 +24,13 @@ before = iptables-blocktype.conf
 # Values:  CMD
 #
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
-              iptables -I INPUT -m set --match-set f2b-<name> src -j <blocktype>
+              iptables -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = iptables -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>
@ -53,12 +52,8 @@ actionunban = ipset del f2b-<name> <ip> -exist
 [Init]
 # Default name of the ipset
 #
 name = default
 # Option: bantime
 # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values:  [ NUM ]  Default: 600
-
+#
 bantime = 600
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@ -15,8 +15,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -25,13 +24,13 @@ before = iptables-blocktype.conf
 # Values:  CMD
 #
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>
@ -53,24 +52,8 @@ actionunban = ipset del f2b-<name> <ip> -exist
 [Init]
 # Default name of the ipset
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default: ssh
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option: bantime
 # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values:  [ NUM ]  Default: 600
-
+#
 bantime = 600
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@ -11,7 +11,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -60,24 +60,3 @@ actionunban = iptables -D f2b-<name> -s <ip> -j f2b-<name>-log
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@ -6,7 +6,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -50,24 +50,3 @@ actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@ -8,8 +8,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -53,24 +52,3 @@ actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@ -6,8 +6,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -33,14 +32,14 @@ before = iptables-blocktype.conf
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+actionstart = if [ `id -u` -eq 0 ];then iptables -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = echo / > /proc/net/xt_recent/f2b-<name>
-             if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+             if [ `id -u` -eq 0 ];then iptables -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -66,12 +65,3 @@ actionunban = echo -<ip> > /proc/net/xt_recent/f2b-<name>
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@ -6,7 +6,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@ -50,24 +50,3 @@ actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT