From a3be458262fdeeaae2acaf098e47ecabe62cad09 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 31 Oct 2013 05:21:01 +0100
Subject: Use a dedicated 'fail2ban' chain for fail2ban.

So it doesn't mess with the high-priority rules regarding IPSec.
---
 roles/common/files/usr/local/sbin/update-firewall.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'roles/common/files/usr')

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 8840174..a1589de 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -112,6 +112,7 @@ cat > "$newv4table" <<- EOF
 	:INPUT   DROP [0:0]
 	:FORWARD DROP [0:0]
 	:OUTPUT  DROP [0:0]
+	:fail2ban -   [0:0]
 EOF
 cp -f "$newv4table" "$newv6table"
 
@@ -181,6 +182,13 @@ iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
+# Prepare fail2ban. We make fail2ban insert its rules in a dedicated
+# chain, so that it doesn't mess up the existing rules.
+# XXX: As of Wheezy, fail2ban is IPv4 only. See
+#      https://github.com/fail2ban/fail2ban/issues/39 for the current
+#      state of the art.
+iptables -A INPUT -i $WAN -j fail2ban
+
 
 # Allow all input/output to/from the loopback interface.
 iptables -A INPUT  -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-- 
cgit v1.2.3