Hello, I wanted to use fail2ban with nftables, and I was surprised that the tool does not really use nftables features, like sets, for instance.
I had a look at the configuration, and I ended up using a simple wrapper script, to keep the configuration file readable.

========================================================================================================================
# Fail2Ban configuration file
#
# Author: Andre Rodier
# fail2ban action using nftable sets
#

[INCLUDES]

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban
#          (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = /usr/local/sbin/fail2ban-nft-helper start '<name>'

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = /usr/local/sbin/fail2ban-nft-helper stop '<name>' '<port>'

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = /usr/local/sbin/fail2ban-nft-helper check '<name>' '<port>'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = /usr/local/sbin/fail2ban-nft-helper unban '<name>' '<ip>' '<blocktype>'

[Init]
========================================================================================================================

Then, the script itself is using nftables features.
It is simple and quickly written, but it is working:

========================================================================================================================
#!/bin/sh
#
# Helper called by the fail2ban action: start|stop|check|ban|unban
action=$1

# Classify an address as IPv4; the sets are typed, so v4 and v6 are kept apart
is_ipv4() {
    echo "$1" | grep -qP '^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$'
}

if [ "$action" = "start" ]; then
    name=$2
    # Make sure the table exists, then create the fail2ban chain if not existing,
    # with a priority of -10 to run just before filters
    nft add table inet filter
    nft 'add chain inet filter fail2ban { type filter hook input priority -10 ; }'
    nft add set inet filter "f2b-${name}-ipv4" '{ type ipv4_addr ; }'
    nft add set inet filter "f2b-${name}-ipv6" '{ type ipv6_addr ; }'
    # Only add the rules once, so a repeated start does not duplicate them
    if ! nft list chain inet filter fail2ban | grep -q "@f2b-${name}-ipv4"; then
        nft add rule inet filter fail2ban ip saddr "@f2b-${name}-ipv4" counter reject
    fi
    if ! nft list chain inet filter fail2ban | grep -q "@f2b-${name}-ipv6"; then
        nft add rule inet filter fail2ban ip6 saddr "@f2b-${name}-ipv6" counter reject
    fi
    exit
fi

if [ "$action" = "stop" ]; then
    name=$2
    port=$3
    # Look up the handle of each rule referencing the jail's sets, delete both
    # rules (not just one of them), then drop the sets themselves
    ipv4_handle=$(nft -a list chain inet filter fail2ban | sed -En "s/.*@f2b-${name}-ipv4.*handle ([0-9]+)/\\1/p")
    ipv6_handle=$(nft -a list chain inet filter fail2ban | sed -En "s/.*@f2b-${name}-ipv6.*handle ([0-9]+)/\\1/p")
    if [ "$ipv4_handle" != "" ]; then
        nft delete rule inet filter fail2ban handle "$ipv4_handle"
    else
        echo "$0: IPv4 rule handle not found for '$name'."
    fi
    if [ "$ipv6_handle" != "" ]; then
        nft delete rule inet filter fail2ban handle "$ipv6_handle"
    else
        echo "$0: IPv6 rule handle not found for '$name'."
    fi
    nft delete set inet filter "f2b-${name}-ipv4"
    nft delete set inet filter "f2b-${name}-ipv6"
    exit
fi

if [ "$action" = "check" ]; then
    name=$2
    port=$3
    # Fails (non-zero exit) if a set is missing, which makes fail2ban re-run actionstart
    nft list set inet filter "f2b-${name}-ipv4"
    nft list set inet filter "f2b-${name}-ipv6"
    exit
fi

if [ "$action" = "ban" ]; then
    name=$2
    ip=$3
    type=$4
    if is_ipv4 "$ip"; then
        nft add element inet filter "f2b-${name}-ipv4" "{ $ip }"
    else
        nft add element inet filter "f2b-${name}-ipv6" "{ $ip }"
    fi
    exit
fi

if [ "$action" = "unban" ]; then
    name=$2
    ip=$3
    type=$4
    if is_ipv4 "$ip"; then
        nft delete element inet filter "f2b-${name}-ipv4" "{ $ip }"
    else
        nft delete element inet filter "f2b-${name}-ipv6" "{ $ip }"
    fi
    exit
fi
========================================================================================================================

Any thoughts or remarks?
Kind regards,
André

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
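The check action in the helper only lists the sets; it does not tell you whether each set is still wired to a reject rule in the fail2ban chain. As an added example (my own code, not part of André's post), here is a small audit that reads the JSON printed by `nft -j list ruleset` and reports, per jail, the banned addresses in the `f2b-<jail>-ipv4`/`-ipv6` sets and whether a reject rule in `inet filter fail2ban` references them. The embedded sample ruleset is constructed; the set and chain names are the ones the helper above creates.

```python
import json
import re
import sys

SET_NAME = re.compile(r"^f2b-(?P<jail>.+)-(?P<fam>ipv4|ipv6)$")

# Constructed sample in the shape of `nft -j list ruleset` output: sshd is fully
# wired, the postfix IPv6 set exists but no rule references it.
SAMPLE = {"nftables": [
    {"set": {"family": "inet", "table": "filter", "name": "f2b-sshd-ipv4", "elem": ["203.0.113.7", "198.51.100.23"]}},
    {"set": {"family": "inet", "table": "filter", "name": "f2b-sshd-ipv6", "elem": ["2001:db8::9"]}},
    {"set": {"family": "inet", "table": "filter", "name": "f2b-postfix-ipv6", "elem": []}},
    {"rule": {"family": "inet", "table": "filter", "chain": "fail2ban", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": "@f2b-sshd-ipv4"}},
        {"counter": {}}, {"reject": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "fail2ban", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip6", "field": "saddr"}}, "right": "@f2b-sshd-ipv6"}},
        {"counter": {}}, {"reject": None}]}},
]}


def audit(ruleset):
    """Return {jail: {fam: (banned_addresses, referenced_by_a_reject_rule)}}."""
    sets, referenced = {}, set()
    for obj in ruleset.get("nftables", []):
        if "set" in obj:
            s = obj["set"]
            m = SET_NAME.match(s.get("name", ""))
            if m and s.get("family") == "inet" and s.get("table") == "filter":
                # Single addresses are strings; prefixes and ranges are dicts, kept as text
                sets[(m["jail"], m["fam"])] = [e if isinstance(e, str) else json.dumps(e)
                                               for e in s.get("elem", [])]
        elif "rule" in obj:
            r = obj["rule"]
            if (r.get("family"), r.get("table"), r.get("chain")) != ("inet", "filter", "fail2ban"):
                continue
            rejects = any("reject" in e for e in r.get("expr", []))
            for e in r.get("expr", []):
                right = e.get("match", {}).get("right")
                if rejects and isinstance(right, str) and right.startswith("@"):
                    referenced.add(right[1:])  # the set this reject rule matches on
    report = {}
    for (jail, fam), elems in sorted(sets.items()):
        report.setdefault(jail, {})[fam] = (elems, f"f2b-{jail}-{fam}" in referenced)
    return report


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)  # live: nft -j list ruleset | python3 audit.py
    for jail, fams in audit(data).items():
        for fam, (elems, wired) in fams.items():
            print(f"{jail} {fam}: {len(elems)} banned, reject rule {'ok' if wired else 'MISSING'}: {' '.join(elems)}")
```

A set reported with a missing reject rule means the addresses in it are not actually blocked, which is the state the stop/start handling of the helper is meant to avoid.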