Use a dedicated 'fail2ban' chain for fail2ban.

So it doesn't mess with the high-priority rules regarding IPSec.

1 files changed, 8 insertions, 0 deletions

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 8840174..a1589de 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -95,40 +95,41 @@ iptdiff() {
     fi
 
     [ $rv1 -eq 0 ] || log "WARN: The IP$v firewall is not up to date! Please run '$0'."
     [ $rv2 -eq 0 ] || log "WARN: The current IP$v firewall is not persistent! Please run '$0'."
 
     return $(( $rv1 | $rv2 ))
 }
 
 [ -n "$WAN" -o -n "$WAN6" ] || fatal "Error: couldn't find a network interface"
 
 # Store the existing table
 /sbin/iptables-save  -t filter > "$oldv4table"
 /sbin/ip6tables-save -t filter > "$oldv6table"
 
 # The usual chains in filter, along with the desired default policies.
 cat > "$newv4table" <<- EOF
 	*filter
 	:INPUT   DROP [0:0]
 	:FORWARD DROP [0:0]
 	:OUTPUT  DROP [0:0]
+	:fail2ban -   [0:0]
 EOF
 cp -f "$newv4table" "$newv6table"
 
 # Also, keep fail2ban chains
 tgrep ':fail2ban-'
 
 
 # (Host-to-host) IPSec tunnels come first. TODO: test IPSec on IPv6.
 tgrep ' -m policy --dir (in|out) --pol ipsec .* --proto esp -j ACCEPT$'
 
 
 # Allow any IPsec ESP protocol packets to be sent and received.
 iptables -A INPUT  -i $WAN -p esp -j ACCEPT
 iptables -A OUTPUT -o $WAN -p esp -j ACCEPT
 
 ip6tables -A INPUT  -i $WAN6 -p esp -j ACCEPT
 ip6tables -A OUTPUT -o $WAN6 -p esp -j ACCEPT
 
 
 # Then we have the fail2ban traps
@@ -164,40 +165,47 @@ for ip6 in fc00::/7 fec0::/10
 do
     ip6tables -A INPUT -i $WAN6 -s "$ip6" -j DROP
     ip6tables -A INPUT -i $WAN6 -d "$ip6" -j DROP
 done
 
 
 # DROP INVALID packets immediately.
 for chain in INPUT OUTPUT; do
     iptables  -A $chain -m state --state INVALID -j DROP
     ip6tables -A $chain -m state --state INVALID -j DROP
 done
 
 
 # DROP bogus TCP packets.
 iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
 ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
+# Prepare fail2ban. We make fail2ban insert its rules in a dedicated
+# chain, so that it doesn't mess up the existing rules.
+# XXX: As of Wheezy, fail2ban is IPv4 only. See
+#      https://github.com/fail2ban/fail2ban/issues/39 for the current
+#      state of the art.
+iptables -A INPUT -i $WAN -j fail2ban
+
 
 # Allow all input/output to/from the loopback interface.
 iptables -A INPUT  -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
 iptables -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
 
 ip6tables -A INPUT  -i lo -s ::1/128 -d ::1/128 lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -s ::1/128 -d ::1/128 lo -j ACCEPT
 
 
 # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done directly
 # by the kernel (net.ipv4.icmp_ratelimit and net.ipv4.icmp_ratemask
 # runtime options). See icmp(7).
 for type in  echo-reply destination-unreachable echo-request; do
     iptables -A INPUT  -i $WAN -p icmp -m icmp --icmp-type $type -j ACCEPT
     iptables -A OUTPUT -o $WAN -p icmp -m icmp --icmp-type $type -j ACCEPT
 done
 ip6tables -A INPUT -i $WAN6 -p icmpv6 -j ACCEPT
 
 
 ##################################################################################