#6 Use a separate chain for banning

closed
nobody
None
5
2005-07-15
2005-07-12
Gatak
No

Instead of appending everything to the INPUT chain, use a
custom chain:

First create the new chain and add the rule to jump there:

iptables -N FWBAN                                            # create the chain (the -N step was missing above)
iptables -I INPUT -i eth1 -p tcp --dport ssh -j FWBAN        # send SSH traffic from eth1 through it
iptables -A FWBAN -j RETURN                                  # anything not banned falls back into INPUT

Then to add ips:

iptables -I FWBAN 1 -i eth1 -s <ip> -j DROP

This way you would only use resources for the IPs that
try to hack into SSH.

Of course you may want to block all access from these
IPs. Then you should not use --dport, but only this:

iptables -I INPUT -i eth1 -j FWBAN
or
iptables -I INPUT -i eth1 -m state --state NEW -j FWBAN

It is just a thought.
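The procedure above (create the chain once, hook it into INPUT, then insert one DROP per banned address ahead of the trailing RETURN) as a small POSIX shell script. This is an added example, not code from the post or from Fail2Ban; the function names (fwban_setup, fwban_ban, fwban_unban, valid_ipv4), the DRY_RUN switch and the default values for IPT, CHAIN, IFACE, PORT and TARGET are assumptions. It adds one check the post does not mention: the address a banning tool feeds to iptables usually comes from a log line that the attacker's client influenced, so the script refuses anything that is not a plain dotted-quad IPv4 address.

```shell
#!/bin/sh
# fwban.sh: keep bans in their own chain so INPUT carries a single jump rule.
# Added example, not Fail2Ban's own code; the function names, the DRY_RUN
# switch and the defaults below are assumptions.
IPT="${IPT:-/sbin/iptables}"
CHAIN="${CHAIN:-FWBAN}"
IFACE="${IFACE:-eth1}"      # interface the attackers arrive on
PORT="${PORT:-ssh}"         # service the jump rule is scoped to
TARGET="${TARGET:-DROP}"    # or REJECT

# Run iptables, or only print the command when DRY_RUN=1, so the rules can
# be reviewed on a machine where you are not root.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

# The address normally comes from a log line, so never hand it to iptables
# unchecked: accept a dotted quad with every octet in 0..255, nothing else.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Create the chain and hook it into INPUT ahead of everything else.
# -N fails when the chain already exists, which makes a second run a no-op.
fwban_setup() {
  if run -N "$CHAIN" 2>/dev/null; then
    run -I INPUT -i "$IFACE" -p tcp --dport "$PORT" -j "$CHAIN"
    run -A "$CHAIN" -j RETURN   # unbanned traffic falls back into INPUT
  fi
}

# Insert at position 1 so the new rule sits ahead of the trailing RETURN.
fwban_ban() {
  if ! valid_ipv4 "$1"; then
    echo "fwban: refusing to ban '$1': not an IPv4 address" >&2
    return 2
  fi
  run -I "$CHAIN" 1 -i "$IFACE" -s "$1" -j "$TARGET"
}

# Delete exactly the rule fwban_ban added for this address.
fwban_unban() {
  if ! valid_ipv4 "$1"; then
    echo "fwban: refusing to unban '$1': not an IPv4 address" >&2
    return 2
  fi
  run -D "$CHAIN" -i "$IFACE" -s "$1" -j "$TARGET"
}

# Command-line front end; with no arguments the file only defines the
# functions so it can be sourced by another script.
case "${1:-}" in
  setup) fwban_setup ;;
  ban)   fwban_ban "$2" ;;
  unban) fwban_unban "$2" ;;
  "")    ;;
  *)     echo "usage: $0 setup | ban <ip> | unban <ip>" >&2; exit 1 ;;
esac
```

Run `DRY_RUN=1 sh fwban.sh setup` to see the three commands that would be applied, then `sh fwban.sh ban 203.0.113.5` as root to add a ban. To block a banned address on every port rather than only SSH, as the post goes on to suggest, drop `-p tcp --dport "$PORT"` from the jump rule in fwban_setup; the per-address rules in the chain do not change.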

Discussion

  • Cyril Jaquier
    2005-07-12

    Logged In: YES
    user_id=933467

    Hi,

    This can be done easily with Fail2Ban >= 0.5.0. Firewall
    commands are defined in the configuration file.

    I still need to add better iptables rules by default in the
    configuration file.

    Thank you

     
  • Gatak
    2005-07-12

    Logged In: YES
    user_id=820001

    Yes, I saw this and am using it myself. It was just a
    suggestion to use as the default to avoid creating an extremely
    large INPUT chain, and also to make it easier to understand
    which IPs came from Fail2Ban and which did not.

    Perhaps you could also use keywords in the config file?

    ipt=/sbin/iptables
    ext=eth1
    int=eth0
    if=$ext
    chain=FWBAN
    target=DROP   # some might want to use REJECT?

    $ipt -I $chain -i $if -s $ip -j $target

     
  • Cyril Jaquier
    2005-07-12

    Logged In: YES
    user_id=933467

    I will change the default values in fail2ban.conf in order
    to create a new chain and add banned ip to it. As you said,
    it will be easier to understand what is going on.

    I will look at whether keywords in the configuration file are easy to
    handle or not. It would be a good idea, but it is possible
    that it would add too much complexity...

    Thanks for your comments :-)

     
  • Gatak
    2005-07-12

    Logged In: YES
    user_id=820001

    Yes, you are right that keeping things easy is probably more
    important. =) The $keyword things would only be for
    convenience and don't really add any specific functionality.

     
  • Cyril Jaquier
    2005-07-15

    • status: open --> closed
     
  • Cyril Jaquier
    2005-07-15

    Logged In: YES
    user_id=933467

    Added in CVS branch FAIL2BAN-0_5