> -----Original Message-----
> From: Yves [mailto:[email protected]]
> Sent: Friday, November 7, 2014 3:14 AM
> To: [email protected]
> Subject: Re: [Fail2ban-users] iptables Error When Stopping Jails
>
> On 2014-11-06 16:22, Scott Hollenbeck wrote:
> > Note the DROP target; this is what I expect to see. My actionban entry
> > in /etc/fail2ban/action.d/iptables-multiport.conf is this:
> >
> >> actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then
> >> iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi
> >
> > […]
> > Note the error message and the parameters being passed to iptables,
> > especially the "-j REJECT --reject-with icmp-port-unreachable" part.
> > Here's my actionunban and actionstop entries in
> > /etc/fail2ban/action.d/iptables-multiport.conf:
> >
> >> actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
>
> Daniel Carrasco Marìn has it right.
> If you define your ban/unban actions with different iptables targets,
> you're just asking for trouble.
> In my opinion, though, it is better to change the actionban with "-j
> <blocktype>", rather than changing actionunban with "-j DROP". Indeed,
> since <blocktype> exists, we might as well use it. You can always assign to
> <blocktype> a jail-specific value if you want.
>
> > […]
> > So I'm not surprised that iptables returns an error - it's being asked
> > to perform an action for an entry on the chain that it can't match. What I
> > don't understand is where the "-j REJECT --reject-with
> > icmp-port-unreachable" came from. Can anyone suggest some clues? Given
> > the parameter mis-match I don't think this is related to the race condition
> > I've seen described in other places when starting and stopping fail2ban.
>
> I assume your config file is /etc/fail2ban/jail.local. Look in this file
> for a line like this:
> blocktype = …
> That's where blocktype comes from.
> If you don't find it, then look into
> /etc/fail2ban/jail.conf, or into any file that would be included in
> either of these. Anyway, wherever this variable is defined, you can
> redefine it.
>
> Another possibility is that this is rather a parameter. It would then be
> defined in the iptables-multiport.conf file under the [Init] section. In
> this case, changing the value is just a matter of passing the right
> parameter. For example, in /etc/fail2ban/jail.local, your action would
> look like:
> action = iptables-multiport[blocktype="DROP", …]
This is indeed the case. The default value is set in
/etc/fail2ban/action.d/iptables-blocktype.conf. Yes, adjusting the value in
jail.local or a new /etc/fail2ban/action.d/iptables-blocktype.local is a much
better idea. Thanks for the tip!

Scott

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
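The target mismatch discussed in this thread can be caught before a jail is ever started. The following script is an added example, not code from fail2ban or from anyone on this list: it parses a fail2ban action definition with Python's configparser, expands <blocktype> from the [Init] section of the same file (it does not follow `after =` includes, which is an assumption), and reports when actionban and actionunban would jump to different targets. The two sample definitions are constructed from the thread.

```python
import configparser
import re

# Constructed sample modelled on the thread: actionban hard-codes DROP while
# actionunban uses <blocktype>, whose default expands to REJECT, so the unban
# rule can never match the rule that was inserted on ban.
MISMATCHED_ACTION = """\
[Definition]
actionstart = iptables -N fail2ban-<name>
actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

[Init]
blocktype = REJECT --reject-with icmp-port-unreachable
"""

# The fix Yves recommends: actionban also uses <blocktype>.
FIXED_ACTION = MISMATCHED_ACTION.replace("-j DROP", "-j <blocktype>")

# Jump target of an iptables rule: a literal target name or the <blocktype> tag.
JUMP_RE = re.compile(r"-j\s+(<blocktype>|[A-Za-z0-9_-]+)")


def resolve_targets(cfg: configparser.ConfigParser, option: str) -> set[str]:
    """Effective -j targets of a [Definition] option, with <blocktype> expanded
    from [Init] (assumed to live in this same file)."""
    command = cfg.get("Definition", option, fallback="")
    default = cfg.get("Init", "blocktype", fallback="<undefined>")
    targets = set()
    for target in JUMP_RE.findall(command):
        if target == "<blocktype>":
            # Only the target keyword matters for rule matching; drop its options.
            target = default.split()[0]
        targets.add(target)
    return targets


def check_action(text: str) -> list[str]:
    """Return a list of problems; an empty list means ban and unban agree."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %(...) literal
    cfg.read_string(text)
    ban = resolve_targets(cfg, "actionban")
    unban = resolve_targets(cfg, "actionunban")
    problems = []
    if ban != unban:
        problems.append(f"actionban targets {sorted(ban)} but actionunban targets {sorted(unban)}")
    if "<undefined>" in ban | unban:
        problems.append("<blocktype> is used but has no default in [Init]")
    return problems
```

Run it against your own /etc/fail2ban/action.d/*.conf files to find any action whose ban rule would survive an unban.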
