author | Guilhem Moulin <guilhem@fripost.org> | 2013-10-31 05:21:01 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:33 +0200 |
commit | a3be458262fdeeaae2acaf098e47ecabe62cad09 (patch) | |
tree | 96c639d844ca8eb494989e0f3ff6d5c15a6edc4d | |
parent | 662120af880623fd0ba16b83cd80320e1a3806cc (diff) |
Use a dedicated 'fail2ban' chain for fail2ban.
So it doesn't mess with the high-priority rules regarding IPSec.
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 8 | ||||
-rw-r--r-- | roles/common/templates/etc/fail2ban/jail.local.j2 | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 8840174..a1589de 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -95,40 +95,41 @@ iptdiff() { fi [ $rv1 -eq 0 ] || log "WARN: The IP$v firewall is not up to date! Please run '$0'." [ $rv2 -eq 0 ] || log "WARN: The current IP$v firewall is not persistent! Please run '$0'." return $(( $rv1 | $rv2 )) } [ -n "$WAN" -o -n "$WAN6" ] || fatal "Error: couldn't find a network interface" # Store the existing table /sbin/iptables-save -t filter > "$oldv4table" /sbin/ip6tables-save -t filter > "$oldv6table" # The usual chains in filter, along with the desired default policies. cat > "$newv4table" <<- EOF *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] + :fail2ban - [0:0] EOF cp -f "$newv4table" "$newv6table" # Also, keep fail2ban chains tgrep ':fail2ban-' # (Host-to-host) IPSec tunnels come first. TODO: test IPSec on IPv6. tgrep ' -m policy --dir (in|out) --pol ipsec .* --proto esp -j ACCEPT$' # Allow any IPsec ESP protocol packets to be sent and received. iptables -A INPUT -i $WAN -p esp -j ACCEPT iptables -A OUTPUT -o $WAN -p esp -j ACCEPT ip6tables -A INPUT -i $WAN6 -p esp -j ACCEPT ip6tables -A OUTPUT -o $WAN6 -p esp -j ACCEPT # Then we have the fail2ban traps
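Review bot: The new `:fail2ban - [0:0]` declaration creates the chain, but nothing in this hunk carries the chain's contents across a rebuild: `tgrep ':fail2ban-'` only matches the `fail2ban-<jail>` chain declarations, and neither the `-A fail2ban ... -j fail2ban-<jail>` jumps fail2ban will now insert nor the `-A fail2ban-<jail> ...` ban rules contain that pattern — assuming tgrep copies matching lines of the saved table into the new one, which is defined outside this hunk. If so, every run of this script leaves the `fail2ban` chain empty and discards the active bans until fail2ban is restarted, so previously banned sources are accepted again without any warning. Consider widening the pattern to cover the rules as well, e.g. `tgrep '^(:|-A )fail2ban'` (adjust to tgrep's regex dialect), or state in the `# Also, keep fail2ban chains` comment that fail2ban has to be restarted after each run. The `cp -f` also copies the new chain into the IPv6 table even though the next hunk documents fail2ban as IPv4-only; harmless, but worth a word in the comment so nobody wires IPv6 traffic into an empty chain. `iptdiff` begins before this hunk.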
@@ -164,40 +165,47 @@ for ip6 in fc00::/7 fec0::/10 do ip6tables -A INPUT -i $WAN6 -s "$ip6" -j DROP ip6tables -A INPUT -i $WAN6 -d "$ip6" -j DROP done # DROP INVALID packets immediately. for chain in INPUT OUTPUT; do iptables -A $chain -m state --state INVALID -j DROP ip6tables -A $chain -m state --state INVALID -j DROP done # DROP bogus TCP packets. iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +# Prepare fail2ban. We make fail2ban insert its rules in a dedicated +# chain, so that it doesn't mess up the existing rules. +# XXX: As of Wheezy, fail2ban is IPv4 only. See +# https://github.com/fail2ban/fail2ban/issues/39 for the current +# state of the art. +iptables -A INPUT -i $WAN -j fail2ban + # Allow all input/output to/from the loopback interface. iptables -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT iptables -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT ip6tables -A INPUT -i lo -s ::1/128 -d ::1/128 lo -j ACCEPT ip6tables -A OUTPUT -o lo -s ::1/128 -d ::1/128 lo -j ACCEPT # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done directly # by the kernel (net.ipv4.icmp_ratelimit and net.ipv4.icmp_ratemask # runtime options). See icmp(7). for type in echo-reply destination-unreachable echo-request; do iptables -A INPUT -i $WAN -p icmp -m icmp --icmp-type $type -j ACCEPT iptables -A OUTPUT -o $WAN -p icmp -m icmp --icmp-type $type -j ACCEPT done ip6tables -A INPUT -i $WAN6 -p icmpv6 -j ACCEPT ##################################################################################
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 818ec88..1cbcd88 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
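Review bot: The added `iptables -A INPUT -i $WAN -j fail2ban` is only effective because of where it sits — appended after the INVALID/bogus-TCP drops but before the loopback and ICMP ACCEPTs, so a banned source reaches the fail2ban chain before any rule can accept its packets — yet the new comment block says nothing about that ordering; a line such as `# Must stay before the first ACCEPT in INPUT: bans only bite if evaluated first.` would keep a later reorder from silently disabling every ban. Like the surrounding rules, the line leaves `$WAN` unquoted and is emitted even when only `WAN6` is set (the `[ -n "$WAN" -o -n "$WAN6" ]` check earlier permits that), which turns it into `-i -j fail2ban` and makes iptables fail; pre-existing, but the new line inherits it. Unrelated to this change, the two `ip6tables ... -s ::1/128 -d ::1/128 lo -j ACCEPT` context lines carry a stray `lo` token after the destination that ip6tables would, as far as I can tell, reject as a bad argument, leaving IPv6 loopback unaccepted under the DROP policy — worth fixing while here if it is not a rendering artefact. The `for ip6` loop this hunk opens with starts before the hunk.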
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -1,29 +1,33 @@ # {{ ansible_managed }} # Do NOT edit this file directly! [DEFAULT] # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = admin@fripost.org +# Specify chain where jumps would need to be added in iptables-* actions +chain = fail2ban + +# Choose default action. action = %(action_)s # # JAILS # [ssh] enabled = true port = {{ ansible_ssh_port|default('22') }} filter = sshd logpath = /var/log/auth.log maxretry = 5 [ssh-ddos] enabled = true port = {{ ansible_ssh_port|default('22') }} filter = sshd-ddos logpath = /var/log/auth.log |
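Review bot: `chain = fail2ban` under `[DEFAULT]` makes the iptables-* actions' `actionstart` insert their jumps with `iptables -I fail2ban ...`, so fail2ban now depends on update-firewall.sh having created that chain first; if the service comes up before the firewall script has run (first boot, or after a flush), the action fails and the jail bans nothing, which is easy to miss because sshd keeps working. The new comment should record that dependency, e.g. `# The 'fail2ban' chain is created by update-firewall.sh; fail2ban must start after it.`, and since the setting lives in `[DEFAULT]` it applies to every jail, including any added later, which is worth saying in the same comment.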