Hi Andre.
Why distinguish between ipv4 and ipv6 in your script when inet sets up the firewall for both in one line? (the nice thing about nft)
Regards,
Finn
On 03-12-2022 at 20:02, Andre Rodier wrote:
Hello,
I wanted to use fail2ban with nftables, and I was surprised by the tool not really using nftables features, like sets, for instance.
I had a look at the configuration, and I ended up using a simple wrapper script, to keep the configuration file readable.
========================================================================================================================
# Fail2Ban configuration file
#
# Author: Andre Rodier
# fail2ban action using nftable sets
#
[INCLUDES]
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban
# (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = /usr/local/sbin/fail2ban-nft-helper start '<name>'
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = /usr/local/sbin/fail2ban-nft-helper stop '<name>' '<port>'
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = /usr/local/sbin/fail2ban-nft-helper check '<name>' '<port>'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = /usr/local/sbin/fail2ban-nft-helper unban '<name>' '<ip>' '<blocktype>'
[Init]
========================================================================================================================
Then, the script itself uses nftables features. It is simple and quickly written, but it works:
========================================================================================================================
#!/bin/sh
#
# fail2ban helper: one nftables set per jail and per address family,
# in the "inet filter" table.
action=$1

if [ "$action" = "start" ]; then
    name=$2
    # Create the table and the fail2ban chain if not existing,
    # with a priority of -10 to run just before filters
    nft add table inet filter
    nft 'add chain inet filter fail2ban { type filter hook input priority -10 ; }'
    nft add set inet filter "f2b-${name}-ipv4" '{ type ipv4_addr ; }'
    nft add set inet filter "f2b-${name}-ipv6" '{ type ipv6_addr ; }'
    nft add rule inet filter fail2ban ip saddr "@f2b-${name}-ipv4" counter reject
    nft add rule inet filter fail2ban ip6 saddr "@f2b-${name}-ipv6" counter reject
    exit 0
fi

if [ "$action" = "stop" ]; then
    name=$2
    port=$3   # passed by the action, not needed here
    # Find the handles of the rules referencing the sets. A set can only be
    # deleted once no rule references it, so the rules go first.
    ipv4_handles=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv4.*handle ([0-9]+)/\\1/p")
    ipv6_handles=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv6.*handle ([0-9]+)/\\1/p")
    if [ "$ipv4_handles" = "" ] && [ "$ipv6_handles" = "" ]; then
        echo "$0: rule handle not found for '$name'." >&2
    fi
    for handle in $ipv4_handles $ipv6_handles; do
        nft delete rule inet filter fail2ban handle "$handle"
    done
    nft delete set inet filter "f2b-${name}-ipv4"
    nft delete set inet filter "f2b-${name}-ipv6"
    exit 0
fi

if [ "$action" = "check" ]; then
    name=$2
    port=$3   # passed by the action, not needed here
    # A non-zero exit (a set is missing) makes fail2ban run actionstart again
    nft list set inet filter "f2b-${name}-ipv4" > /dev/null &&
    nft list set inet filter "f2b-${name}-ipv6" > /dev/null
    exit $?
fi

if [ "$action" = "ban" ] || [ "$action" = "unban" ]; then
    name=$2
    ip=$3
    type=$4   # <blocktype>, not used: the rules always reject
    if [ "$action" = "ban" ]; then op=add; else op=delete; fi
    # fail2ban passes a bare address; pick the set by address family
    if echo "$ip" | grep -qP '^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$'; then
        nft "$op" element inet filter "f2b-${name}-ipv4" "{ $ip }"
    else
        nft "$op" element inet filter "f2b-${name}-ipv6" "{ $ip }"
    fi
    exit $?
fi

echo "$0: unknown action '$action'" >&2
exit 1
========================================================================================================================
Any thoughts or remarks?
Kind regards,
André
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
"After sleeping through a hundred million centuries we have finally
opened our eyes on a sumptuous planet, sparkling with color, bountiful
with life. Within decades we must close our eyes again. Isn't it a
noble, an enlightened way of spending our brief time in the sun, to work
at understanding the universe and how we have come to wake up in it?"
[- Professor Richard Dawkins]
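As an added example (not Finn's or Andre's code), here is a POSIX sh sketch of the two points the thread touches: one inet table and one chain serve both families, but an nftables set has a single element type, so the helper still needs a set per family; and the address fail2ban hands to the action is best classified before it is spliced into an nft command line. The f2b_* function names, the "f2b-<jail>-ipv4/ipv6" set naming and the `nft -f -` batch layout are assumptions modelled on the quoted script; the functions only print commands, so they can be checked without touching a live ruleset.

```shell
#!/bin/sh
# Added example, not the helper from the mail: classify the address fail2ban
# hands to the action and build the nft command for the matching per-family
# set in the "inet filter" table. The f2b_* names, the "f2b-<jail>-ipv4/ipv6"
# set naming and the batch layout are assumptions modelled on the quoted
# script. Nothing here touches a live ruleset: the functions only print.

# Print "ipv4", "ipv6" or "invalid" for $1; exit status 0 only for a valid
# address. IPv4-mapped IPv6 ("::ffff:192.0.2.1") is rejected on purpose,
# since it is ambiguous which set it belongs in.
f2b_addr_family() {
    addr=$1
    case $addr in
        ''|.*|*.)  echo invalid; return 1 ;;
        *[!0-9.]*) ;;                 # not dotted-decimal, try IPv6 below
        *.*.*.*)
            # exactly four octets, each 1 to 3 digits and at most 255
            oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
            [ $# -eq 4 ] || { echo invalid; return 1; }
            for o in "$@"; do
                case $o in ''|*[!0-9]*|????*) echo invalid; return 1 ;; esac
                [ "$o" -le 255 ] || { echo invalid; return 1; }
            done
            echo ipv4; return 0 ;;
    esac
    case $addr in
        *[!0-9a-fA-F:]*|*:::*|*::*::*) echo invalid; return 1 ;;
        ::*|*::) ;;                          # leading/trailing "::" is fine
        :*|*:)   echo invalid; return 1 ;;   # a lone ":" at either end is not
    esac
    # at most 4 hex digits per group; 8 groups without "::", fewer with it
    oldifs=$IFS; IFS=:; set -- $addr; IFS=$oldifs
    n=0
    for g in "$@"; do
        case $g in ?????*) echo invalid; return 1 ;; esac
        if [ -n "$g" ]; then n=$((n+1)); fi
    done
    case $addr in
        *::*) [ "$n" -le 7 ] || { echo invalid; return 1; } ;;
        *)    [ "$n" -eq 8 ] || { echo invalid; return 1; } ;;
    esac
    echo ipv6
}

# Print the nft command that bans ("add") or unbans ("delete") address $3 in
# jail $2. Returns 1 without printing anything when $3 is not a plain IPv4 or
# IPv6 address, so a malformed value never reaches nft.
f2b_nft_cmd() {
    verb=$1; jail=$2; addr=$3
    case $verb in
        ban)   op="add element" ;;
        unban) op="delete element" ;;
        *)     return 2 ;;
    esac
    fam=$(f2b_addr_family "$addr") || return 1
    printf 'nft %s inet filter f2b-%s-%s { %s }\n' "$op" "$jail" "$fam" "$addr"
}

# Print an atomic ruleset fragment for "nft -f -" that sets a jail up in one
# transaction. One inet table and one chain carry both families, but an
# nftables set has a single element type, so IPv4 and IPv6 still get their
# own set and their own rule.
f2b_nft_start_batch() {
    jail=$1
    cat <<EOF
add table inet filter
add chain inet filter fail2ban { type filter hook input priority -10; policy accept; }
add set inet filter f2b-${jail}-ipv4 { type ipv4_addr; }
add set inet filter f2b-${jail}-ipv6 { type ipv6_addr; }
add rule inet filter fail2ban ip saddr @f2b-${jail}-ipv4 counter reject
add rule inet filter fail2ban ip6 saddr @f2b-${jail}-ipv6 counter reject
EOF
}

# Usage from a wrapper (constructed example):
#   f2b_nft_start_batch sshd | nft -f -
#   eval "$(f2b_nft_cmd ban sshd 192.0.2.10)"
```

Because the batch goes through `nft -f -`, the chain, both sets and both rules are created in a single transaction, so a half-created jail cannot be left behind if one statement is rejected. The classifier is deliberately stricter than the `grep -P` test in the quoted script: anything that is neither dotted-decimal nor plain hex-and-colons is refused rather than falling through to the ipv6 set.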