# Fail2Ban configuration file # # Author: Daniel Black # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko <debian@onerussian.com> # made active on all ports from original iptables.conf # Modified: Alexander Belykh <albel727@ngs.ru> # adapted for nftables # # This is a included configuration file and includes the definitions for the nftables # used in all nftables based actions by default. # # The user can override the defaults in nftables-common.local [INCLUDES] after = nftables-common.local [Definition] # Option: nftables_mode # Notes.: additional expressions for nftables filter rule # Values: nftables expressions # nftables_mode = <protocol> dport \{ <port> \} # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = <nftables> add set <nftables_family> <nftables_table> <set_name> \{ type <nftables_type>\; \} <nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s <address_family> saddr @<set_name> <blocktype> _nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> <chain> _nft_get_handle_id = grep -m1 '<address_family> saddr @<set_name> <blocktype> # handle' | grep -oe ' handle [0-9]*' # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s) <nftables> delete rule <nftables_family> <nftables_table> <chain> $HANDLE_ID <nftables> delete set <nftables_family> <nftables_table> <set_name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@<set_name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = <nftables> add element <nftables_family> <nftables_table> <set_name> \{ <ip> \} # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = <nftables> delete element <nftables_family> <nftables_table> <set_name> \{ <ip> \} [Init] # Option: nftables_type # Notes.: address type to work with # Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr # nftables_type = ipv4_addr # Option: nftables_family # Notes.: address family to work in # Values: [ip | ip6 | inet] Default: inet # nftables_family = inet # Option: nftables_table # Notes.: table in the address family to work in # Values: STRING Default: filter # nftables_table = filter # Option: chain # Notes specifies the nftables chain to which the Fail2Ban rules should be # added # Values: STRING Default: input chain = input # Default name of the filtering set # name = default # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: # port = ssh # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp ] Default: tcp # protocol = tcp # Option: blocktype # Note: This is what the action does with rules. This can be any jump target # as per the nftables man page (section 8). Common values are drop # reject, reject with icmp type host-unreachable # Values: STRING blocktype = reject # Option: nftables # Notes.: Actual command to be executed, including common to all calls options # Values: STRING nftables = nft # Option: set_name # Notes.: The name of the nft set used to store banned addresses # Values: STRING set_name = f2b-<name> # Option: address_family # Notes.: The family of the banned addresses # Values: [ ip | ip6 ] address_family = ip [Init?family=inet6] nftables_type = ipv6_addr set_name = f2b-<name>6 address_family = ip6