On 12/08/2021 22:58, Alain D D Williams wrote:

On Thu, Aug 12, 2021 at 09:25:57PM +0100, Nick Howitt wrote:


On 12/08/2021 20:37, Alain D D Williams wrote:

Hi,

I have just installed fail2ban on a Debian 10 box. This has my own hand-written
iptables firewall and I have changed it to call f2b-sshd at an appropriate 
point.

However I notice that at the top of the INPUT chain this now exists:

f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

So f2b-sshd is called for every incoming packet. I do not want this as I call
f2b-sshd elsewhere.

How do I stop this happening?

Thanks in advance

I have a couple of other questions that I will ask separately.

Change the rule back and let the default rules set up their own iptables
rule.

Thanks for your reply.

The stuff below I am happy with, the chain f2b-sshd being created & populated.

What I did not want was fail2ban inserting something at the top of the INPUT
chain that calls f2b-sshd; I do not want it as I want to call f2b-sshd from
within my own chains.

I can delete the call to f2b-sshd at the top of INPUT ... but on restart/... it
will probably get replaced - that is what I want to stop.

Then have a look at /etc/fail2ban/action.d/iptables.conf and override anything you want to change in a /etc/fail2ban/action.d/iptables.local.

If you're doing that, I'd also remove the actionstart line:
    <iptables> -A f2b-<name> -j <returntype>
as it is the default action for a user-defined chain anyway if returntype = RETURN

Personally, I've given up on using iptables as the default rule and switched to iptables-ipset-proto6 which gives a simpler iptables set up and also ipset is far more efficient than big lists of iptables rules.

All the rule is is a jump to a chain called f2b-sshd. Then f2b will add its
bans to the f2b-sshd chain. There is no problem with all packets passing
through the f2b-sshd chain. At the end of the chain the packets, if not
dropped in the chain, return to go through the next rule in the INPUT chain.

Nick
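One way to carry out the override Nick describes, as an added example that is not from this thread: a `.local` file that replaces only the action keys responsible for the jump into INPUT. It assumes the stock 0.10-era action file shipped with Debian 10, whose actionstart is three lines (create chain, append `-j <returntype>`, insert the jump into `<chain>`) and whose actioncheck greps `<chain>` for `f2b-<name>`; the file name `iptables-multiport.local` is chosen because the rule Alain quoted uses `multiport dports`, and the same keys apply unchanged to `iptables.local`.

```ini
# /etc/fail2ban/action.d/iptables-multiport.local  (constructed example)
# A .local file overrides only the keys it names; all other keys still
# come from iptables-multiport.conf / iptables-common.conf.
[Definition]

# Stock actionstart (assumed):
#   <iptables> -N f2b-<name>
#   <iptables> -A f2b-<name> -j <returntype>
#   <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Keep only the chain creation: a user-defined chain falls through to the
# caller anyway when returntype = RETURN, and the jump into f2b-<name> is
# placed by the hand-written firewall script, not by fail2ban.
actionstart = <iptables> -N f2b-<name>

# Stock actionstop first deletes the jump from <chain>. That rule is no
# longer fail2ban's to delete, so only flush and remove the chain.
actionstop = <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Stock actioncheck (assumed) is
#   <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Without the jump in <chain> that check fails, and on the next ban
# fail2ban treats the environment as broken and re-runs actionstop and
# actionstart, putting the jump back. Check for the chain itself instead.
actioncheck = <iptables> -n -L f2b-<name> >/dev/null
```

After `fail2ban-client reload`, `iptables -S INPUT` should no longer contain a `-j f2b-sshd` rule inserted by fail2ban, while `iptables -S f2b-sshd` still lists the chain and its bans.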



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
