summaryrefslogtreecommitdiffstats
path: root/roles/common/files/usr
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files/usr')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh8
1 files changed, 8 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 8840174..a1589de 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -112,6 +112,7 @@ cat > "$newv4table" <<- EOF
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
+ :fail2ban - [0:0]
EOF
cp -f "$newv4table" "$newv6table"
@@ -181,6 +182,13 @@ iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# Prepare fail2ban. We make fail2ban insert its rules in a dedicated
+# chain, so that it doesn't mess up the existing rules.
+# XXX: As of Wheezy, fail2ban is IPv4 only. See
+# https://github.com/fail2ban/fail2ban/issues/39 for the current
+# state of the art.
+iptables -A INPUT -i $WAN -j fail2ban
+
# Allow all input/output to/from the loopback interface.
iptables -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT