github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

make several iptables actions more breakdown-safe: start wouldn't fail if chain or rule already exists (e. g. created by previous instance and doesn't get purged properly); 

ultimately closes gh-980
pull/2990/merge
sebres 2022-01-25 00:00:40 +01:00
parent 3d7e3bc2fb
commit b639c8869c
3 changed files with 43 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/action.d/iptables-ipset.conf
View File

@ -25,7 +25,7 @@ before = iptables.conf
# Values: CMD # Values: CMD
# #
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt> actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
<iptables> -I <chain> %(_ipt_chain_rule)s { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
# Option: actionflush # Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)

5
config/action.d/iptables.conf
View File

@ -22,9 +22,8 @@ actionflush = <iptables> -F f2b-<name>
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD # Values: CMD
# #
actionstart = <iptables> -N f2b-<name> actionstart = { <iptables> -C f2b-<name> -j <returntype> >/dev/null 2>&1; } || { <iptables> -N f2b-<name> || true; <iptables> -A f2b-<name> -j <returntype>; }
<iptables> -A f2b-<name> -j <returntype> { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
<iptables> -I <chain> %(_ipt_chain_rule)s
# Option: actionstop # Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)

68
fail2ban/tests/servertestcase.py
View File

@ -1506,14 +1506,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
('j-w-iptables-mp', 'iptables-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain="<known/chain>"]', { ('j-w-iptables-mp', 'iptables-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain="<known/chain>"]', {
'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'), 'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'),
'ip4-start': ( 'ip4-start': (
"`iptables -w -N f2b-j-w-iptables-mp`", "`{ iptables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || "
"`iptables -w -A f2b-j-w-iptables-mp -j RETURN`", "{ iptables -w -N f2b-j-w-iptables-mp || true; iptables -w -A f2b-j-w-iptables-mp -j RETURN; }`",
"`iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`", "`{ iptables -w -C INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || "
"{ iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`",
), ),
'ip6-start': ( 'ip6-start': (
"`ip6tables -w -N f2b-j-w-iptables-mp`", "`{ ip6tables -w -C f2b-j-w-iptables-mp -j RETURN >/dev/null 2>&1; } || "
"`ip6tables -w -A f2b-j-w-iptables-mp -j RETURN`", "{ ip6tables -w -N f2b-j-w-iptables-mp || true; ip6tables -w -A f2b-j-w-iptables-mp -j RETURN; }`",
"`ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`", "`{ ip6tables -w -C INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp >/dev/null 2>&1; } || ",
"{ ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp; }`",
), ),
'flush': ( 'flush': (
"`iptables -w -F f2b-j-w-iptables-mp`", "`iptables -w -F f2b-j-w-iptables-mp`",
@ -1550,14 +1552,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
('j-w-iptables-ap', 'iptables-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain="<known/chain>"]', { ('j-w-iptables-ap', 'iptables-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain="<known/chain>"]', {
'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'), 'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'),
'ip4-start': ( 'ip4-start': (
"`iptables -w -N f2b-j-w-iptables-ap`", "`{ iptables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || "
"`iptables -w -A f2b-j-w-iptables-ap -j RETURN`", "{ iptables -w -N f2b-j-w-iptables-ap || true; iptables -w -A f2b-j-w-iptables-ap -j RETURN; }`",
"`iptables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap`", "`{ iptables -w -C INPUT -p tcp -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || ",
"{ iptables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap; }`",
), ),
'ip6-start': ( 'ip6-start': (
"`ip6tables -w -N f2b-j-w-iptables-ap`", "`{ ip6tables -w -C f2b-j-w-iptables-ap -j RETURN >/dev/null 2>&1; } || "
"`ip6tables -w -A f2b-j-w-iptables-ap -j RETURN`", "{ ip6tables -w -N f2b-j-w-iptables-ap || true; ip6tables -w -A f2b-j-w-iptables-ap -j RETURN; }`",
"`ip6tables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap`", "`{ ip6tables -w -C INPUT -p tcp -j f2b-j-w-iptables-ap >/dev/null 2>&1; } || ",
"{ ip6tables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap; }`",
), ),
'flush': ( 'flush': (
"`iptables -w -F f2b-j-w-iptables-ap`", "`iptables -w -F f2b-j-w-iptables-ap`",
@ -1595,11 +1599,13 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'ip4': (' f2b-j-w-iptables-ipset ',), 'ip6': (' f2b-j-w-iptables-ipset6 ',), 'ip4': (' f2b-j-w-iptables-ipset ',), 'ip6': (' f2b-j-w-iptables-ipset6 ',),
'ip4-start': ( 'ip4-start': (
"`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 `", "`ipset -exist create f2b-j-w-iptables-ipset hash:ip timeout 0 `",
"`iptables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`", "`{ iptables -w -C INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || "
"{ iptables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable; }`",
), ),
'ip6-start': ( 'ip6-start': (
"`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`", "`ipset -exist create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`",
"`ip6tables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`", "`{ ip6tables -w -C INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || "
"{ ip6tables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable; }`",
), ),
'flush': ( 'flush': (
"`ipset flush f2b-j-w-iptables-ipset`", "`ipset flush f2b-j-w-iptables-ipset`",
@ -1637,11 +1643,13 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'ip4': (' f2b-j-w-iptables-ipset-ap ',), 'ip6': (' f2b-j-w-iptables-ipset-ap6 ',), 'ip4': (' f2b-j-w-iptables-ipset-ap ',), 'ip6': (' f2b-j-w-iptables-ipset-ap6 ',),
'ip4-start': ( 'ip4-start': (
"`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `", "`ipset -exist create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `",
"`iptables -w -I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`", "`{ iptables -w -C INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || "
"{ iptables -w -I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable; }",
), ),
'ip6-start': ( 'ip6-start': (
"`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`", "`ipset -exist create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`",
"`ip6tables -w -I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`", "`{ ip6tables -w -C INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable >/dev/null 2>&1; } || "
"{ ip6tables -w -I INPUT -p tcp -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable; }",
), ),
'flush': ( 'flush': (
"`ipset flush f2b-j-w-iptables-ipset-ap`", "`ipset flush f2b-j-w-iptables-ipset-ap`",
@ -1678,14 +1686,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
('j-w-iptables', 'iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', { ('j-w-iptables', 'iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', {
'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'), 'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'),
'ip4-start': ( 'ip4-start': (
"`iptables -w -N f2b-j-w-iptables`", "`{ iptables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || "
"`iptables -w -A f2b-j-w-iptables -j RETURN`", "{ iptables -w -N f2b-j-w-iptables || true; iptables -w -A f2b-j-w-iptables -j RETURN; }",
"`iptables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables`", "`{ iptables -w -C INPUT -p tcp --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || "
"{ iptables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables; }`",
), ),
'ip6-start': ( 'ip6-start': (
"`ip6tables -w -N f2b-j-w-iptables`", "`{ ip6tables -w -C f2b-j-w-iptables -j RETURN >/dev/null 2>&1; } || "
"`ip6tables -w -A f2b-j-w-iptables -j RETURN`", "{ ip6tables -w -N f2b-j-w-iptables || true; ip6tables -w -A f2b-j-w-iptables -j RETURN; }",
"`ip6tables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables`", "`{ ip6tables -w -C INPUT -p tcp --dport http -j f2b-j-w-iptables >/dev/null 2>&1; } || "
"{ ip6tables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables; }`",
), ),
'flush': ( 'flush': (
"`iptables -w -F f2b-j-w-iptables`", "`iptables -w -F f2b-j-w-iptables`",
@ -1722,14 +1732,16 @@ class ServerConfigReaderTests(LogCaptureTestCase):
('j-w-iptables-new', 'iptables-new[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', { ('j-w-iptables-new', 'iptables-new[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"]', {
'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'), 'ip4': ('`iptables ', 'icmp-port-unreachable'), 'ip6': ('`ip6tables ', 'icmp6-port-unreachable'),
'ip4-start': ( 'ip4-start': (
"`iptables -w -N f2b-j-w-iptables-new`", "`{ iptables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || "
"`iptables -w -A f2b-j-w-iptables-new -j RETURN`", "{ iptables -w -N f2b-j-w-iptables-new || true; iptables -w -A f2b-j-w-iptables-new -j RETURN; }`",
"`iptables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`", "`{ iptables -w -C INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || "
"{ iptables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new; }`",
), ),
'ip6-start': ( 'ip6-start': (
"`ip6tables -w -N f2b-j-w-iptables-new`", "`{ ip6tables -w -C f2b-j-w-iptables-new -j RETURN >/dev/null 2>&1; } || "
"`ip6tables -w -A f2b-j-w-iptables-new -j RETURN`", "{ ip6tables -w -N f2b-j-w-iptables-new || true; ip6tables -w -A f2b-j-w-iptables-new -j RETURN; }`",
"`ip6tables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`", "`{ ip6tables -w -C INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new >/dev/null 2>&1; } || "
"{ ip6tables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new; }`",
), ),
'flush': ( 'flush': (
"`iptables -w -F f2b-j-w-iptables-new`", "`iptables -w -F f2b-j-w-iptables-new`",