From a3be458262fdeeaae2acaf098e47ecabe62cad09 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 31 Oct 2013 05:21:01 +0100 Subject: Use a dedicated 'fail2ban' chain for fail2ban. So it doesn't mess with the high-priority rules regarding IPSec. --- roles/common/files/usr/local/sbin/update-firewall.sh | 8 ++++++++ roles/common/templates/etc/fail2ban/jail.local.j2 | 4 ++++ 2 files changed, 12 insertions(+) (limited to 'roles') diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 8840174..a1589de 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -112,6 +112,7 @@ cat > "$newv4table" <<- EOF :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] + :fail2ban - [0:0] EOF cp -f "$newv4table" "$newv6table" @@ -181,6 +182,13 @@ iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +# Prepare fail2ban. We make fail2ban insert its rules in a dedicated +# chain, so that it doesn't mess up the existing rules. +# XXX: As of Wheezy, fail2ban is IPv4 only. See +# https://github.com/fail2ban/fail2ban/issues/39 for the current +# state of the art. +iptables -A INPUT -i $WAN -j fail2ban + # Allow all input/output to/from the loopback interface. iptables -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 818ec88..1cbcd88 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -7,6 +7,10 @@ # jail.{conf,local} configuration files. destemail = admin@fripost.org +# Specify chain where jumps would need to be added in iptables-* actions +chain = fail2ban + +# Choose default action. action = %(action_)s # -- cgit v1.2.3