diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2013-10-31 05:21:01 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:33 +0200 |
commit | a3be458262fdeeaae2acaf098e47ecabe62cad09 (patch) | |
tree | 96c639d844ca8eb494989e0f3ff6d5c15a6edc4d /roles/common/files/usr/local | |
parent | 662120af880623fd0ba16b83cd80320e1a3806cc (diff) |
Use a dedicated 'fail2ban' chain for fail2ban.
So it doesn't mess with the high-priority rules regarding IPSec.
Diffstat (limited to 'roles/common/files/usr/local')
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 8840174..a1589de 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -112,6 +112,7 @@ cat > "$newv4table" <<- EOF :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] + :fail2ban - [0:0] EOF cp -f "$newv4table" "$newv6table" @@ -181,6 +182,13 @@ iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +# Prepare fail2ban. We make fail2ban insert its rules in a dedicated +# chain, so that it doesn't mess up the existing rules. +# XXX: As of Wheezy, fail2ban is IPv4 only. See +# https://github.com/fail2ban/fail2ban/issues/39 for the current +# state of the art. +iptables -A INPUT -i $WAN -j fail2ban + # Allow all input/output to/from the loopback interface. iptables -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT |