Re: [CentOS] iptables - how to block established connections with fail2ban?

[Mike Burger]

On 2019-06-26 02:41, MRob wrote:
I am working to a CentOS 6 server with nonstandard iptables system
without rule for ACCEPT ESTABLISHED connections. All tables and chains
empty (flush by legacy custom script) so only filter/INPUT chain has
rules (also fail2ban chain):
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix   tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp 
dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp 
dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp 
dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp 
dpt:995
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp 
flags:0x17/0x02

Chain f2b-postfix (1 references)
target     prot opt source               destination
REJECT     all  --  200.23.235.30        0.0.0.0/0
reject-with icmp-port-unreachable
REJECT     all  --  177.11.167.57        0.0.0.0/0
reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

When fail2ban block a IP address, established connections are allowed
to continue, but with no rule to accept established connections how is
that possible? Why doesn't f2b first rule block established
connections?

The short answer is that the firewall rules REJECT...Fail2Ban only tells 
the firewall what to reject, at the point of entry.

Think of it this way:

Fail2Ban is the manager of a popular dance club. He determines the list 
of who may or may not be admitted to the club.

The firewall is the guy at the door of a popular club. He's doing his 
job, checking IDs, checking against the list of allowed or rejected 
guests and acting accordingly.

If the manager updates the list, it's not the door guy's job to go back 
through the club to find anyone who may have been admitted prior to the 
list having been updated. That's the job of a bouncer.

If you want the door guy to also be a bouncer, you'll need to configure 
your Fail2Ban actions to add iptables rules which invoke DROP instead of 
REJECT.

--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos