Thanks, I think you're right about the actionunban. It turns out that the value of <blocktype> is defined in iptables-blocktype.conf, which includes this line:

blocktype = REJECT --reject-with icmp-port-unreachable

iptables-multiport.conf [INCLUDES] iptables-blocktype.conf, so that explains where the value is coming from. The fix is to make the blocktype consistent on the actionban and actionunban directives.

Scott

From: Daniel Carrasco Marín [mailto:[email protected]]
Sent: Thursday, November 06, 2014 11:23 AM
To: [email protected]
Subject: Re: [Fail2ban-users] iptables Error When Stopping Jails

Hi, first of all I'm sorry for my English. I'm new to fail2ban, but I think that the problem is the unban command:

actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

I think it should be like the ban command but with -D instead of -I, and without the "1":

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

I'm using those commands in a permanent ban script and they work fine. Maybe <blocktype> is a reserved word with info about the block type (I really don't know).

Greetings!!!

On 06/11/14 at 16:22, Scott Hollenbeck wrote:

I'm trying to figure out why I'm getting an error from iptables when restarting fail2ban and it goes through the process of stopping my jails and unbanning entries in the chains set up by fail2ban. Here's an example of the error I see:

2014-11-06 10:10:39,934 fail2ban.actions: WARNING [spam] Unban 192.3.100.7
2014-11-06 10:10:39,961 fail2ban.actions.action: ERROR iptables -D fail2ban-spam -s 192.3.100.7 -j REJECT --reject-with icmp-port-unreachable returned 100
2014-11-06 10:10:40,005 fail2ban.jail : INFO Jail 'spam' stopped

I think I see what's causing the error, but I'm not sure of how I got here. Can anyone see anything here that's obviously wrong? I'm running Fail2Ban v0.8.11 on an Ubuntu 14.04.1 LTS server. Here's what I'm doing:

1. Restart fail2ban:

$ sudo service fail2ban restart

2. Wait for a new address to be banned and added to the fail2ban-<name> chain. From /var/log/fail2ban.log:

2014-11-06 10:00:45,484 fail2ban.actions: WARNING [spam] Ban 192.3.100.7

3. Look at the new entry in the chain:

$ sudo iptables -n -L fail2ban-spam | grep 192.3.100.7
DROP all -- 192.3.100.7 0.0.0.0/0
$

Note the DROP target; this is what I expect to see. My actionban entry in /etc/fail2ban/action.d/iptables-multiport.conf is this:

actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi

4. Restart fail2ban:

$ sudo service fail2ban restart

5. Look at the fail2ban log:

$ sudo vi /var/log/fail2ban.log

2014-11-06 10:10:39,934 fail2ban.actions: WARNING [spam] Unban 192.3.100.7
2014-11-06 10:10:39,961 fail2ban.actions.action: ERROR iptables -D fail2ban-spam -s 192.3.100.7 -j REJECT --reject-with icmp-port-unreachable returned 100
2014-11-06 10:10:40,005 fail2ban.jail : INFO Jail 'spam' stopped

Note the error message and the parameters being passed to iptables, especially the "-j REJECT --reject-with icmp-port-unreachable" part. Here are my actionunban and actionstop entries in /etc/fail2ban/action.d/iptables-multiport.conf:

actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

So I'm not surprised that iptables returns an error - it's being asked to perform an action for an entry on the chain that it can't match. What I don't understand is where the "-j REJECT --reject-with icmp-port-unreachable" came from. Can anyone suggest some clues? Given the parameter mismatch I don't think this is related to the race condition I've seen described in other places when starting and stopping fail2ban.

Thank you,
Scott

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
------------------------------------------------------------
Daniel Carrasco Marín
Técnicas Territoriales y Urbanas, S.L.
C/ Zurbano 92, 2º, 28003 Madrid
Tfno.: +34 91 571 93 46 (ext. 148) # Fax: +34 91 571 58 72
------------------------------------------------------------
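The thread's diagnosis is that <blocktype> is a tag filled in from the [Init] section of the included iptables-blocktype.conf, so a hard-coded DROP in actionban and a <blocktype> in actionunban render to different rules, and "iptables -D" cannot find the rule the ban inserted. The following is an added example that models that tag substitution so the mismatch can be checked before it hits a live firewall; it is not fail2ban's own code and not the stock action files. The three config texts are constructed stand-ins (the name iptables-multiport-fixed.conf is hypothetical), and the rule that an including file's own [Init] values override the included file's is an assumption about how the "before" include works.

```python
"""Model of fail2ban-style action-tag substitution, added here to show why the
unban command in this thread ends up with a different target than the ban.
Added example, not fail2ban's own code; the config texts are constructed."""
import configparser
import re

# Constructed stand-ins for the action.d files discussed in the thread.
FILES = {
    "iptables-blocktype.conf": """
[Init]
blocktype = REJECT --reject-with icmp-port-unreachable
""",
    # The mismatch Scott reports: actionban hard-codes DROP while actionunban
    # still uses <blocktype>, which the included file defines as REJECT.
    "iptables-multiport.conf": """
[INCLUDES]
before = iptables-blocktype.conf

[Definition]
actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
""",
    # Consistent version: both directives use <blocktype>, and the action file
    # pins blocktype to DROP in its own [Init] (assumed to override the include).
    "iptables-multiport-fixed.conf": """
[INCLUDES]
before = iptables-blocktype.conf

[Definition]
actionban = if ! iptables -C fail2ban-<name> -s <ip> -j <blocktype>; then iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>; fi
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

[Init]
blocktype = DROP
""",
}

TAG = re.compile(r"<([A-Za-z_][A-Za-z0-9_-]*)>")
# '-j TARGET [options]' following an '-s <ip>' match, ending at ';' or end of string.
JUMP = re.compile(r"-s\s+\S+\s+-j\s+([^;]+?)\s*(?:;|$)")


def load_action(filename, files=FILES):
    """Return (definition, init) dicts for an action file; files named in
    [INCLUDES] 'before' are read first so the including file's values win."""
    definition, init = {}, {}
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(files[filename])
    if cp.has_option("INCLUDES", "before"):
        for included in cp.get("INCLUDES", "before").split():
            d, i = load_action(included, files)
            definition.update(d)
            init.update(i)
    if cp.has_section("Definition"):
        definition.update(cp.items("Definition"))
    if cp.has_section("Init"):
        init.update(cp.items("Init"))
    return definition, init


def substitute(template, tags, limit=10):
    """Expand <tag> from tags, repeating so values that contain tags are
    expanded too; unknown tags are left untouched."""
    for _ in range(limit):
        expanded = TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), template)
        if expanded == template:
            break
        template = expanded
    return template


def render(filename, name, ip, files=FILES):
    """Render every [Definition] command with [Init] values plus per-ban tags."""
    definition, init = load_action(filename, files)
    tags = dict(init, name=name, ip=ip)
    return {key: substitute(cmd, tags) for key, cmd in definition.items()}


def jump_targets(command):
    """Every target (with options) the command applies to the banned address."""
    return {t.strip() for t in JUMP.findall(command)}


def check_consistency(filename, name="spam", ip="192.3.100.7", files=FILES):
    """Render ban/unban for one address and report whether they name the same
    target, which 'iptables -D' needs in order to match the rule to delete."""
    cmds = render(filename, name, ip, files)
    ban, unban = jump_targets(cmds["actionban"]), jump_targets(cmds["actionunban"])
    return {"actionban": cmds["actionban"], "actionunban": cmds["actionunban"],
            "ban_targets": ban, "unban_targets": unban, "consistent": ban == unban}


if __name__ == "__main__":
    for f in ("iptables-multiport.conf", "iptables-multiport-fixed.conf"):
        r = check_consistency(f)
        print(f, "-> consistent" if r["consistent"] else "-> MISMATCH")
        print("   ban:  ", r["actionban"])
        print("   unban:", r["actionunban"])
```

Run as a script it renders both variants for 192.3.100.7 and the first one reproduces the exact "-D ... -j REJECT --reject-with icmp-port-unreachable" command from the log while its ban used DROP. The same check applied to a real action.d directory (reading the files from disk instead of the FILES dict) catches the mismatch at config-review time rather than on the next restart, where a failed unban leaves stale rules behind when the chain is flushed anyway.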
