On 2014-11-06 16:22, Scott Hollenbeck wrote:
> Note the DROP target; this is what I expect to see. My actionban entry in
> /etc/fail2ban/action.d/iptables-multiport.conf is this:
>
>> actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then
>> iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi
>
> […]
> Note the error message and the parameters being passed to iptables,
> especially the "-j REJECT --reject-with icmp-port-unreachable" part. Here's
> my actionunban and actionstop entries in
> /etc/fail2ban/action.d/iptables-multiport.conf:
>
>> actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
Daniel Carrasco Marìn has it right. If you define your ban/unban actions with different iptables targets, you're just asking for trouble. In my opinion, though, it is better to change the actionban to "-j <blocktype>", rather than changing actionunban to "-j DROP". Indeed, since <blocktype> exists, you might as well use it. You can always assign a jail-specific value to <blocktype> if you want.

> […]
> So I'm not surprised that iptables returns an error - it's being asked to
> perform an action for an entry on the chain that it can't match. What I
> don't understand is where the "-j REJECT --reject-with
> icmp-port-unreachable" came from. Can anyone suggest some clues? Given the
> parameter mis-match I don't think this is related to the race condition I've
> seen described in other places when starting and stopping fail2ban.

I assume your config file is /etc/fail2ban/jail.local. Look in this file for a line like this:

blocktype = …

That's where blocktype comes from. If you don't find it, then look into /etc/fail2ban/jail.conf, or into any file that would be included in either of these. Anyway, wherever this variable is defined, you can redefine it.

Another possibility is that this is rather a parameter. It would then be defined in the iptables-multiport.conf file under the [Init] section. In this case, changing the value is just a matter of passing the right parameter. For example, in /etc/fail2ban/jail.local, your action would look like:

action = iptables-multiport[blocktype="DROP", …]

Yves.
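As an added example (not part of this thread and not fail2ban's own code), a small Python simulation of the parameter substitution described above: it takes a constructed action file whose [Init] section supplies the blocktype default, a constructed jail action line that overrides it, resolves the -j target of actionban and actionunban, and flags the ban/unban mismatch from the quoted configuration. The name[k=v] parsing and the placeholder expansion are simplified stand-ins for fail2ban's own, assumed for illustration.

```python
import configparser
import re

# Constructed action file (not fail2ban's shipped one): both actions use the
# <blocktype> placeholder, whose default is supplied under [Init].
ACTION_CONF = """
[Definition]
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]
blocktype = REJECT --reject-with icmp-port-unreachable
"""
# Constructed variant reproducing the mismatch discussed in the thread:
# actionban hard-codes DROP while actionunban still expands <blocktype>.
BROKEN_ACTION_CONF = ACTION_CONF.replace("1 -s <ip> -j <blocktype>", "1 -s <ip> -j DROP")
# Constructed jail.local action line overriding blocktype for one jail.
JAIL_ACTION = 'iptables-multiport[name=SSH, blocktype="DROP"]'

def parse_action_params(spec):
    """Read k=v pairs from 'name[k=v, k2="v2"]' (simplified, assumed syntax)."""
    m = re.match(r"^\s*[\w-]+\[(.*)\]\s*$", spec)
    params = {}
    for part in (m.group(1).split(",") if m else []):
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip()] = val.strip().strip('"')
    return params

def resolve_targets(conf_text, jail_action):
    """Expand <placeholders> ([Init] defaults, then jail overrides) in actionban
    and actionunban and return the iptables -j target each would use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    params = dict(cp["Init"]) if cp.has_section("Init") else {}
    params.update(parse_action_params(jail_action))
    targets = {}
    for key in ("actionban", "actionunban"):
        cmd = cp["Definition"][key]
        for name, value in params.items():
            cmd = cmd.replace(f"<{name}>", value)
        m = re.search(r"-j\s+(\S+)", cmd)
        targets[key] = m.group(1) if m else None
    return targets

def ban_unban_consistent(conf_text, jail_action):
    """True when ban and unban would address the same iptables target."""
    t = resolve_targets(conf_text, jail_action)
    return t["actionban"] is not None and t["actionban"] == t["actionunban"]
```

With the consistent action file the override in the jail line switches both ban and unban to DROP together, whereas the hard-coded variant unbans with REJECT what it banned with DROP, which is exactly the rule iptables cannot find.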
