Why not use the standard f2b chains? Change the default actionban rule to -I instead of -A. Then change the actionstart rules so the firewall add rule adds a rule to jump to your BLOCKED_IP_LOG only.
Nick

On 2016-12-28 16:16, Andrea wrote:
>>
>>
>> On 28-12-16 16:04, Andrea wrote:
>>> Hi all.
>>>
>>> I am trying to implement a custom ban action to integrate in my current
>>> iptables setup.
>>> I have created a dedicated chain in order to log connections at iptables
>>> level and I would like for fail2ban to use it as well.
>>> AFAIK what I have so far should work, however it keeps giving me errors in
>>> the logfile:
>>>
>>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR Invariant check failed. Trying to restore a sane environment
>>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: ERROR iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: CRITICAL Unable to restore environment
>>>
>>> I don't need actionstart/actionstop since the chain is created in the
>>> firewall script:
>>>
>>> /sbin/iptables -N BLOCKED_IP_LOG
>>> /sbin/iptables -A BLOCKED_IP_LOG -j LOG -m limit --limit 10/min --log-level 4 --log-prefix 'BLOCKED_IP_LOG: '
>>> /sbin/iptables -A BLOCKED_IP_LOG -j DROP
>>>
>>> This is my custom action configuration (derived from iptables-multiport):
>>>
>>> root@hpsrv:/etc/fail2ban/action.d# cat iptables-custom.conf
>>>
>>> [INCLUDES]
>>>
>>> before = iptables-blocktype.conf
>>>
>>> [Definition]
>>>
>>> actionstart =
>>>
>>> actionstop =
>>>
>>> # Option: actioncheck
>>> # Notes.: command executed once before each actionban command
>>> # Values: CMD
>>> #
>>> actioncheck = iptables -n -L <chain> | grep -q 'BLOCKED_IP_LOG'
>>>
>>> # Option: actionban
>>> # Notes.: command executed when banning an IP. Take care that the
>>> # command is executed with Fail2Ban user rights.
>>> # Tags: See jail.conf(5) man page
>>> # Values: CMD
>>> #
>>> actionban = iptables -I <chain> 1 -s <ip> -j BLOCKED_IP_LOG
>>>
>>> # Option: actionunban
>>> # Notes.: command executed when unbanning an IP. Take care that the
>>> # command is executed with Fail2Ban user rights.
>>> # Tags: See jail.conf(5) man page
>>> # Values: CMD
>>> #
>>> actionunban = iptables -D <chain> -s <ip> -j BLOCKED_IP_LOG
>>>
>>> [Init]
>>>
>>> # Default name of the chain
>>> #
>>> name = default
>>>
>>> # Option: port
>>> # Notes.: specifies port to monitor
>>> # Values: [ NUM | STRING ] Default:
>>> #
>>> port = ssh
>>>
>>> # Option: protocol
>>> # Notes.: internally used by config reader for interpolations.
>>> # Values: [ tcp | udp | icmp | all ] Default: tcp
>>> #
>>> protocol = tcp
>>>
>>> # Option: chain
>>> # Notes.: specifies the iptables chain to which the fail2ban rules should be
>>> # added
>>> # Values: STRING Default: INPUT
>>> chain = INPUT
>>>
>>>
>>> What am I doing wrong?
>>
>> What happens when you run:
>> /sbin/iptables -N BLOCKED_IP_LOG
>
> As I've mentioned in my previous mail, the chain is created at OS boot
> when the firewall is initialized.
> Hence BLOCKED_IP_LOG will exist before fail2ban starts.
>
>> and then run the failing f2b check command:
>>
>> iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG'
>
> The chain is not empty (a few rules are added on firewall init) but I
> don't see why this should be an issue for fail2ban.
>
>>
>> You probably need to alter the "chain = INPUT" variable to contain your
>> custom chain name.
>>
>
> I'm afraid this will not work because what I need fail2ban to do is add
> the rule to the default INPUT chain with a jump to BLOCKED_IP_LOG, where the
> packets will be logged and then dropped.
> The <chain> parameter is correct.
>
> Andrea
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
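Added illustration, not part of the thread: the posted actioncheck greps INPUT for a BLOCKED_IP_LOG rule that only actionban itself inserts, so before the first ban grep finds nothing and fail2ban reports the invariant failure. The `iptables -n -L` listings below are constructed samples rather than captures from the poster's host, and the chain-existence check is my own suggestion, not something the thread recommends.

```shell
#!/bin/sh
# Constructed sample of `iptables -n -L INPUT` before any ban: nothing
# references BLOCKED_IP_LOG yet, because only actionban would add such a rule.
INPUT_BEFORE_BAN='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Constructed sample after actionban ran once (192.0.2.10 is a documentation address).
INPUT_AFTER_BAN='Chain INPUT (policy DROP)
target     prot opt source               destination
BLOCKED_IP_LOG  all  --  192.0.2.10           0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Constructed full `iptables -n -L` listing: the chain the boot-time firewall
# script created is present whether or not any ban has happened.
ALL_CHAINS='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain BLOCKED_IP_LOG (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix "BLOCKED_IP_LOG: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# The thread's actioncheck, applied to listing text ($1) instead of live iptables.
# Exit 0 = invariant holds; non-zero = "Invariant check failed" in fail2ban.log.
actioncheck_as_posted() {
    printf '%s\n' "$1" | grep -q 'BLOCKED_IP_LOG'
}

# Suggested alternative (assumption, not from the thread): assert that the
# BLOCKED_IP_LOG chain itself exists in the full listing ($1), true from boot on.
actioncheck_chain_exists() {
    printf '%s\n' "$1" | grep -q '^Chain BLOCKED_IP_LOG '
}

# Demo: the posted check fails until the first ban; the chain check passes throughout.
if actioncheck_as_posted "$INPUT_BEFORE_BAN"; then echo "posted check before ban: ok"; else echo "posted check before ban: FAILS"; fi
if actioncheck_as_posted "$INPUT_AFTER_BAN";  then echo "posted check after ban:  ok"; else echo "posted check after ban:  FAILS"; fi
if actioncheck_chain_exists "$ALL_CHAINS";    then echo "chain-exists check:      ok"; else echo "chain-exists check:      FAILS"; fi
```

On a live host the same logic is `iptables -n -L BLOCKED_IP_LOG >/dev/null`, which exits non-zero only when the chain is missing.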