Hi again André.
Sorry, of course, sets need to be created separately.
But fail2ban uses sets!! When more IPs are coming in, it happens
automatically.
example from my current nft list ruleset:
table inet f2b-table {
        set addr-set-spamdyke {
                type ipv4_addr
                elements = { 84.21.172.65, 191.37.160.60 }
        }
I have sets in all my 'jails' in all my fail2ban nft setups, which get
created when needed (nftables.conf), and depending on the protocol the set is
created as ipv4 or ipv6! (though I don't use ipv6 yet and therefore
have no ipv6 sets).
Have I missed something - it's late here 😴
Cheers,
Finn
On 03-12-2022 at 22:20, Andre Rodier wrote:
On Sat, 2022-12-03 at 21:45 +0100, fail2ban--- via Fail2ban-users wrote:
Hi Andre.
Why the distinction between ipv4 and ipv6 in your script when inet
sets up the firewall for both in one line? (the nice thing about nft)
Regards,
Finn
Thanks for the question, Finn.
I use nftables sets to store the IP addresses, but even with nftables, I found no way to create a set that would contain both IPv4 and IPv6 addresses.
Kind regards,
André
On 03-12-2022 at 20:02, Andre Rodier wrote:
Hello,
I wanted to use fail2ban with nftables, and I was surprised that the tool does not really use nftables features, like sets, for instance.
I had a look at the configuration, and I ended up using a simple wrapper script, to keep the configuration file readable.
========================================================================
# Fail2Ban configuration file
#
# Author: Andre Rodier
# fail2ban action using nftable sets
#
[INCLUDES]
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban
# (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = /usr/local/sbin/fail2ban-nft-helper start '<name>'
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = /usr/local/sbin/fail2ban-nft-helper stop '<name>' '<port>'
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = /usr/local/sbin/fail2ban-nft-helper check '<name>' '<port>'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = /usr/local/sbin/fail2ban-nft-helper unban '<name>' '<ip>' '<blocktype>'
[Init]
========================================================================
Then, the script itself is using nftables features. It is simple and quickly written, but it is working:
========================================================================
#!/bin/sh
#
# fail2ban nftables helper: one typed set per jail and address family,
# each referenced by one rule in the "fail2ban" chain of table inet filter.
action=$1

# Name of the set an address belongs in: only IPv6 addresses contain ':'
set_for_ip() {              # $1=jail name, $2=ip
    case "$2" in
        *:*) echo "f2b-$1-ipv6" ;;
        *)   echo "f2b-$1-ipv4" ;;
    esac
}

if [ "$action" = "start" ]; then
    name=$2
    # Create the table and the fail2ban chain if not existing,
    # with a priority of -10 to run just before the filters
    nft add table inet filter
    nft 'add chain inet filter fail2ban { type filter hook input priority -10 ; }'
    nft add set inet filter "f2b-${name}-ipv4" '{ type ipv4_addr ; }'
    nft add set inet filter "f2b-${name}-ipv6" '{ type ipv6_addr ; }'
    nft add rule inet filter fail2ban ip saddr "@f2b-${name}-ipv4" counter reject
    nft add rule inet filter fail2ban ip6 saddr "@f2b-${name}-ipv6" counter reject
    exit
fi
if [ "$action" = "stop" ]; then
    name=$2
    port=$3
    # Rule lines read "... @f2b-<name>-ipv4 ... # handle N"; set definitions
    # also end in "# handle N" but carry no '@', so they do not match.
    ipv4_handle=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv4.*handle ([0-9]+)/\\1/p")
    ipv6_handle=$(nft -a list ruleset | sed -En "s/.*@f2b-${name}-ipv6.*handle ([0-9]+)/\\1/p")
    if [ "$ipv4_handle" = "" ] && [ "$ipv6_handle" = "" ]; then
        echo "$0: rule handle not found for '$name'."
    fi
    # Delete every rule found (both families, not only the first one),
    # then the sets they referenced
    for h in $ipv4_handle $ipv6_handle; do
        nft delete rule inet filter fail2ban handle "$h"
    done
    nft delete set inet filter "f2b-${name}-ipv4"
    nft delete set inet filter "f2b-${name}-ipv6"
    exit
fi
if [ "$action" = "check" ]; then
    name=$2
    port=$3
    # A non-zero exit status (either set missing) makes fail2ban run actionstart again
    nft list set inet filter "f2b-$name-ipv4" >/dev/null && nft list set inet filter "f2b-$name-ipv6" >/dev/null
    exit
fi
if [ "$action" = "ban" ]; then
    name=$2
    ip=$3
    type=$4                 # <blocktype>, unused: the chain always rejects
    nft add element inet filter "$(set_for_ip "$name" "$ip")" "{ $ip }"
    exit
fi
if [ "$action" = "unban" ]; then
    name=$2
    ip=$3
    type=$4
    nft delete element inet filter "$(set_for_ip "$name" "$ip")" "{ $ip }"
    exit
fi
echo "$0: unknown action '$action'" >&2
exit 1
========================================================================
Any thoughts or remarks?
Kind regards,
André
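An offline illustration of the two points raised in the thread (the typed set chosen per address family, and a stop action that has to find both per-jail rule handles); this is an added example, not Andre's script or fail2ban's own action. The `nft -a list ruleset` text is constructed, and NFT defaults to "echo nft" so nothing on the host is modified.

```shell
#!/bin/sh
# Added example: pick the typed set for a fail2ban <ip> and recover BOTH
# per-jail rule handles from `nft -a list ruleset` output (constructed below).
NFT="${NFT:-echo nft}"      # set NFT=nft to really apply the commands

# Address family of a fail2ban <ip>: only IPv6 addresses contain ':'
f2b_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# nft command (add|delete) for an element in the jail's set of that family
f2b_element_cmd() {         # $1=add|delete $2=jail $3=ip
    echo "$1 element inet filter f2b-$2-$(f2b_family "$3") { $3 }"
}

# Rule handles for a jail from `nft -a list ruleset` text on stdin, one per
# line. Set definitions also end in "# handle N" but lack the '@' reference.
f2b_rule_handles() {        # $1=jail
    sed -En "s/.*@f2b-$1-ipv[46].*# handle ([0-9]+).*/\1/p"
}

# Constructed sample of `nft -a list ruleset` output for jail "sshd"
SAMPLE='table inet filter { # handle 1
    set f2b-sshd-ipv4 { # handle 3
        type ipv4_addr
        elements = { 203.0.113.7 }
    }
    set f2b-sshd-ipv6 { # handle 4
        type ipv6_addr
    }
    chain fail2ban { # handle 2
        type filter hook input priority -10; policy accept;
        ip saddr @f2b-sshd-ipv4 counter packets 0 bytes 0 reject # handle 7
        ip6 saddr @f2b-sshd-ipv6 counter packets 0 bytes 0 reject # handle 8
    }
}'

# Stop sequence: delete every rule referencing the jail's sets, then the sets
f2b_stop() {                # $1=jail
    for h in $(printf '%s\n' "$SAMPLE" | f2b_rule_handles "$1"); do
        $NFT delete rule inet filter fail2ban handle "$h"
    done
    $NFT delete set inet filter "f2b-$1-ipv4"
    $NFT delete set inet filter "f2b-$1-ipv6"
}

f2b_element_cmd add sshd 2001:db8::1
f2b_stop sshd
```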
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
"After sleeping through a hundred million centuries we have finally
opened our eyes on a sumptuous planet, sparkling with color, bountiful
with life. Within decades we must close our eyes again. Isn't it a
noble, an enlightened way of spending our brief time in the sun, to work
at understanding the universe and how we have come to wake up in it?"
[- Professor Richard Dawkins]