On Sat, 2022-12-03 at 21:45 +0100, fail2ban--- via Fail2ban-users wrote:
> Hi Andre.
>
> Why distinguish between ipv4 and ipv6 in your script when inet
> sets up the firewall for both in one line? (the nice thing about nft)
>
> Regards,
> Finn

Thanks for the question, Finn.

I use nftables sets to store the IP addresses, but even with nftables, I found no way to create a set that would contain both IPv4 and IPv6 addresses.

Kind regards,
André

> On 03-12-2022 at 20:02, Andre Rodier wrote:
> > Hello,
> >
> > I wanted to use fail2ban with nftables, and I was surprised by the tool, not
> > really using nftables features, like sets, for instance.
> >
> > I had a look at the configuration, and I ended up using a simple wrapper
> > script, to keep the configuration file readable.
> >
> > ====================================================================================================================
> > # Fail2Ban configuration file
> > #
> > # Author: Andre Rodier
> > # fail2ban action using nftables sets
> > #
> >
> > [INCLUDES]
> >
> >
> > [Definition]
> >
> > # Option: actionstart
> > # Notes.: command executed on demand at the first ban
> > #         (or at the start of Fail2Ban if actionstart_on_demand is set to false).
> > # Values: CMD
> > #
> > actionstart = /usr/local/sbin/fail2ban-nft-helper start '<name>'
> >
> > # Option: actionstop
> > # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
> > # Values: CMD
> > #
> > actionstop = /usr/local/sbin/fail2ban-nft-helper stop '<name>' '<port>'
> >
> > # Option: actioncheck
> > # Notes.: command executed once before each actionban command
> > # Values: CMD
> > #
> > actioncheck = /usr/local/sbin/fail2ban-nft-helper check '<name>' '<port>'
> >
> > # Option: actionban
> > # Notes.: command executed when banning an IP. Take care that the
> > #         command is executed with Fail2Ban user rights.
> > # Tags:   See jail.conf(5) man page
> > # Values: CMD
> > #
> > actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'
> >
> > # Option: actionunban
> > # Notes.: command executed when unbanning an IP. Take care that the
> > #         command is executed with Fail2Ban user rights.
> > # Tags:   See jail.conf(5) man page
> > # Values: CMD
> > #
> > actionunban = /usr/local/sbin/fail2ban-nft-helper unban '<name>' '<ip>' '<blocktype>'
> >
> > [Init]
> > ====================================================================================================================
> >
> >
> > Then, the script itself is using nftables features. It is simple and
> > quickly written, but it is working:
> >
> > ====================================================================================================================
> > #!/bin/sh
> > #
> >
> > action=$1
> >
> > if [ "$action" = "start" ]; then
> >
> >     name=$2
> >
> >     # Create the fail2ban chain if not existing,
> >     # with a priority of -10 to run just before filters
> >     nft 'add chain inet filter fail2ban { type filter hook input priority -10 ; }'
> >
> >     # One set per address family: a set has a single element type
> >     nft add set inet filter "f2b-${name}-ipv4" '{ type ipv4_addr ; }'
> >     nft add set inet filter "f2b-${name}-ipv6" '{ type ipv6_addr ; }'
> >
> >     nft add rule inet filter fail2ban ip saddr "@f2b-${name}-ipv4" counter reject
> >     nft add rule inet filter fail2ban ip6 saddr "@f2b-${name}-ipv6" counter reject
> >
> >     exit
> > fi
> >
> > if [ "$action" = "stop" ]; then
> >
> >     name=$2
> >     port=$3
> >
> >     # Look up the handles of the two rules referencing the jail's sets
> >     ipv4_handle=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv4.*handle ([0-9]+)/\\1/p")
> >     ipv6_handle=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv6.*handle ([0-9]+)/\\1/p")
> >
> >     # Both rules must be removed, not only the first one found
> >     if [ "$ipv4_handle" != "" ]; then
> >         nft delete rule inet filter fail2ban handle "$ipv4_handle"
> >     else
> >         echo "$0: IPv4 rule handle not found for '$name'."
> >     fi
> >     if [ "$ipv6_handle" != "" ]; then
> >         nft delete rule inet filter fail2ban handle "$ipv6_handle"
> >     else
> >         echo "$0: IPv6 rule handle not found for '$name'."
> >     fi
> >
> >     exit
> > fi
> >
> > if [ "$action" = "check" ]; then
> >
> >     name=$2
> >     port=$3
> >
> >     # A missing set makes the check fail, so fail2ban re-runs actionstart
> >     nft list set inet filter "f2b-$name-ipv4"
> >     nft list set inet filter "f2b-$name-ipv6"
> >
> >     exit
> > fi
> >
> > if [ "$action" = "ban" ]; then
> >
> >     name=$2
> >     ip=$3
> >     type=$4
> >
> >     # Dotted quads go to the ipv4 set, anything else is treated as IPv6
> >     if echo "$ip" | grep -qP '^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$'; then
> >         nft add element inet filter "f2b-$name-ipv4" "{ $ip }"
> >     else
> >         nft add element inet filter "f2b-$name-ipv6" "{ $ip }"
> >     fi
> >
> >     exit
> > fi
> >
> > if [ "$action" = "unban" ]; then
> >
> >     name=$2
> >     ip=$3
> >     type=$4
> >
> >     if echo "$ip" | grep -qP '^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$'; then
> >         nft delete element inet filter "f2b-$name-ipv4" "{ $ip }"
> >     else
> >         nft delete element inet filter "f2b-$name-ipv6" "{ $ip }"
> >     fi
> >
> >     exit
> > fi
> >
> > ====================================================================================================================
> >
> > Any thoughts or remarks?
> >
> > Kind regards,
> > André
> >
> >
> >
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
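The following is an added example, not André's helper nor anything posted in the thread: a dry-run builder for the same nft commands that makes the IPv4/IPv6 dispatch André's reply describes testable without root. Each address is classified first (a set in the thread holds either ipv4_addr or ipv6_addr elements, never both) and the matching command is printed instead of executed; the table and chain names `inet filter` / `fail2ban` are taken from the thread, the function names are mine.

```shell
#!/bin/sh
# Dry-run builder for the nftables commands of a fail2ban helper.
# Added example, not the script from the thread: it only prints the
# nft command(s) so the IPv4/IPv6 dispatch can be checked without root.
# Table "inet filter" and chain "fail2ban" are the names used in the thread.

# ip_family ADDR: prints ipv4, ipv6 or invalid (exit status 1 for invalid).
# The body is a subshell so IFS and "set -f" do not leak to the caller.
ip_family() (
    addr=$1
    case "$addr" in
        *:*) echo ipv6; exit 0 ;;      # nft validates the IPv6 syntax itself
    esac
    set -f; IFS=.                      # split on dots, no globbing
    set -- $addr
    [ $# -eq 4 ] || { echo invalid; exit 1; }
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) echo invalid; exit 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo invalid; exit 1; }
    done
    echo ipv4
)

# nft_cmds ACTION NAME [IP]: prints one nft command per line.
nft_cmds() {
    action=$1; name=$2; ip=$3
    case "$action" in
        start)
            printf '%s\n' \
              "nft add chain inet filter fail2ban '{ type filter hook input priority -10 ; }'" \
              "nft add set inet filter f2b-${name}-ipv4 '{ type ipv4_addr ; }'" \
              "nft add set inet filter f2b-${name}-ipv6 '{ type ipv6_addr ; }'" \
              "nft add rule inet filter fail2ban ip saddr @f2b-${name}-ipv4 counter reject" \
              "nft add rule inet filter fail2ban ip6 saddr @f2b-${name}-ipv6 counter reject"
            ;;
        ban|unban)
            # Refuse anything that is not an address before it reaches nft.
            fam=$(ip_family "$ip") || return 1
            if [ "$action" = unban ]; then op=delete; else op=add; fi
            printf 'nft %s element inet filter f2b-%s-%s { %s }\n' "$op" "$name" "$fam" "$ip"
            ;;
        *) return 2 ;;
    esac
}

# Stand-alone use: sh this_script.sh ban sshd 192.0.2.10
if [ $# -gt 0 ]; then nft_cmds "$@"; fi
```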