Hello, Finn.

Maybe I have an issue with my version?

Here is what I have when I use fail2ban with nftables:

======================================================================
fail2ban-client set sshd banip 12.34.56.78
fail2ban-client set sshd banip 12.34.56.79
fail2ban-client set sshd banip 12.34.56.80

======================================================================

table inet filter {
  [...] (My custom rules)
}

Then, I see this:

table ip filter {
        chain f2b-sshd {
                ip saddr 12.34.56.80 counter packets 0 bytes 0 reject
                ip saddr 12.34.56.79 counter packets 0 bytes 0 reject
                ip saddr 12.34.56.78 counter packets 0 bytes 0 reject
                counter packets 94 bytes 6304 return
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                meta l4proto tcp tcp dport 22 counter packets 94 bytes 6304 jump f2b-sshd
        }
}

======================================================================

I am using Debian Bullseye

Kind regards,
André
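
An added diagnostic for listings like the one above (example code written for this page, not from the thread and not part of fail2ban): "nft list ruleset" also shows rules that were installed through the iptables-nft backend, and fail2ban's iptables-based actions appear there as "table ip filter" with a "chain f2b-<jail>" holding one reject rule per banned address, whereas the nftables action keeps the addresses in sets ("table inet f2b-table", "set addr-set-<jail>", as in Finn's listing further down). The function below reads that output and reports which form each jail is using. The two samples are constructed with documentation addresses and only modelled on the two listings in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban: read the output
# of "nft list ruleset" and report where fail2ban bans live, so that a chain
# of per-address rules (table ip filter / chain f2b-<jail>, which is what the
# iptables-based actions look like through iptables-nft) can be told apart
# from a set-based layout (table inet f2b-table / set addr-set-<jail>).
# Usage on a live host:  nft list ruleset | f2b_ban_inventory

f2b_ban_inventory() {
    awk '
    /^table /                    { table = $2 " " $3; next }
    /^[ \t]*chain [^ ]+ [{]/     { chain = $2; next }
    /^[ \t]*set [^ ]+ [{]/       { set = $2; count = 0; inelem = 0; next }
    /^[ \t]*[}]/ {
        if (set != "") { printf "%s: set %s (%d elements)\n", table, set, count; set = "" }
        chain = ""
        next
    }
    # a literal address after "saddr" inside an f2b-* chain is one ban rule;
    # "saddr @name" is a set reference and is deliberately not counted here
    chain ~ /^f2b-/ && / saddr [^@]/ && /(reject|drop)/ { rules[table ": chain " chain]++; next }
    # count the elements of the current set; nft wraps long lists over several lines
    set != "" && (inelem || /elements = [{]/) {
        inelem = 1
        line = $0
        sub(/.*elements = [{]/, "", line)
        if (line ~ /[}]/) { sub(/[}].*/, "", line); inelem = 0 }
        n = split(line, parts, ",")
        for (i = 1; i <= n; i++) if (parts[i] ~ /[^ \t]/) count++
    }
    END { for (k in rules) printf "%s (%d per-address rules)\n", k, rules[k] }
    '
}

# Constructed sample (documentation addresses) modelled on the "table ip filter"
# listing in this thread: one reject rule per address in a jail chain.
SAMPLE_PER_ADDRESS_RULES=$(cat <<'EOF'
table ip filter {
        chain f2b-sshd {
                ip saddr 192.0.2.80 counter packets 0 bytes 0 reject
                ip saddr 192.0.2.79 counter packets 0 bytes 0 reject
                ip saddr 192.0.2.78 counter packets 0 bytes 0 reject
                counter packets 94 bytes 6304 return
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                meta l4proto tcp tcp dport 22 counter packets 94 bytes 6304 jump f2b-sshd
        }
}
EOF
)

# Constructed sample modelled on the "table inet f2b-table" listing: addresses
# live in a set and a single rule references it (chain name assumed).
SAMPLE_SET_BASED=$(cat <<'EOF'
table inet f2b-table {
        set addr-set-spamdyke {
                type ipv4_addr
                elements = { 192.0.2.65, 198.51.100.60 }
        }

        chain f2b-chain {
                type filter hook input priority filter - 1; policy accept;
                tcp dport { 25, 587 } ip saddr @addr-set-spamdyke reject
        }
}
EOF
)

# Demo on the constructed samples; on a real host pipe "nft list ruleset" in instead.
printf '%s\n%s\n' "$SAMPLE_PER_ADDRESS_RULES" "$SAMPLE_SET_BASED" | f2b_ban_inventory
```

If the report for a jail says "per-address rules" while you expected sets, the jail is running an iptables-style banaction rather than the nftables one, whatever "nft list ruleset" happens to show it in.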


On Saturday, December 03, 2022 23:34 GMT, fail2ban--- via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:

Hi again André.

Sorry, of course, sets need to be created separately.

But fail2ban uses sets!! When more IPs are coming in, it happens automatically.

Example from my current nft list ruleset:

table inet f2b-table {
         set addr-set-spamdyke {
                 type ipv4_addr
                 elements = { 84.21.172.65, 191.37.160.60 }
         }

I have sets in all my 'jails' in all my fail2ban nft setups, which get created when needed (nftables.conf), and depending on the protocol the set is created as ipv4 or ipv6! (Though I don't use ipv6 yet and therefore have no ipv6 sets.)

Have I missed something - it's late here 😴

Cheers,
Finn







On 03-12-2022 at 22:20, Andre Rodier wrote:
> On Sat, 2022-12-03 at 21:45 +0100, fail2ban--- via Fail2ban-users wrote:
>> Hi Andre.
>>
>> Why the distinguishing between ipv4 and ipv6 in our script when inet
>> sets up firewall for both in one line ? (the nice thing about nft)
>>
>> Regards,
>> Finn
>
> Thanks for the question, Finn.
>
> I use nftables sets to store the IP addresses, but even with nftables, I found no way to create a set that would contain
> both IPv4 and IPv6 addresses.
>
> Kind regards,
> André
>
>> On 03-12-2022 at 20:02, Andre Rodier wrote:
>>> Hello,
>>>
>>> I wanted to use fail2ban with nftables, and I was surprised by the tool not really using nftables features, like sets, for instance.
>>>
>>> I had a look at the configuration, and I ended up using a simple wrapper script, to keep the configuration file readable.
>>>
>>> ========================================================================================================================
>>> # Fail2Ban configuration file
>>> #
>>> # Author: Andre Rodier
>>> # fail2ban action using nftable sets
>>> #
>>>
>>> [INCLUDES]
>>>
>>>
>>> [Definition]
>>>
>>> # Option:  actionstart
>>> # Notes.:  command executed on demand at the first ban
>>> # (or at the start of Fail2Ban if actionstart_on_demand is set to false).
>>> # Values:  CMD
>>> #
>>> actionstart = /usr/local/sbin/fail2ban-nft-helper start '<name>'
>>>
>>> # Option:  actionstop
>>> # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
>>> # Values:  CMD
>>> #
>>> actionstop = /usr/local/sbin/fail2ban-nft-helper stop '<name>' '<port>'
>>>
>>> # Option:  actioncheck
>>> # Notes.:  command executed once before each actionban command
>>> # Values:  CMD
>>> #
>>> actioncheck = /usr/local/sbin/fail2ban-nft-helper check '<name>' '<port>'
>>>
>>> # Option:  actionban
>>> # Notes.:  command executed when banning an IP. Take care that the
>>> #          command is executed with Fail2Ban user rights.
>>> # Tags:    See jail.conf(5) man page
>>> # Values:  CMD
>>> #
>>> actionban = /usr/local/sbin/fail2ban-nft-helper ban '<name>' '<ip>' '<blocktype>'
>>>
>>> # Option:  actionunban
>>> # Notes.:  command executed when unbanning an IP. Take care that the
>>> #          command is executed with Fail2Ban user rights.
>>> # Tags:    See jail.conf(5) man page
>>> # Values:  CMD
>>> #
>>> actionunban = /usr/local/sbin/fail2ban-nft-helper unban '<name>' '<ip>' '<blocktype>'
>>>
>>> [Init]
>>> ========================================================================================================================
>>>
>>>
>>>
>>> Then, the script itself is using nftables features. It is simple and quickly written, but it is working:
>>>
>>> ========================================================================================================================
>>> #!/bin/sh
>>> #
>>> # fail2ban action helper using nftables sets: one shared "fail2ban" base chain
>>> # in table inet filter, and per jail one IPv4 set and one IPv6 set, each
>>> # referenced by a single reject rule.
>>>
>>> action=$1
>>>
>>> # An IPv6 address always contains a colon and an IPv4 address never does,
>>> # which is all that is needed to pick the right set.
>>> family_of() {
>>>       case "$1" in
>>>           *:*) echo ipv6 ;;
>>>           *)   echo ipv4 ;;
>>>       esac
>>> }
>>>
>>> if [ "$action" = "start" ]; then
>>>
>>>       name=$2
>>>
>>>       # Create the table and the fail2ban chain if not existing,
>>>       # with a priority of -10 to run just before the filters.
>>>       # "add" is idempotent for tables, chains and sets.
>>>       nft add table inet filter
>>>       nft 'add chain inet filter fail2ban { type filter hook input priority -10 ; }'
>>>
>>>       nft add set inet filter "f2b-${name}-ipv4" '{ type ipv4_addr ; }'
>>>       nft add set inet filter "f2b-${name}-ipv6" '{ type ipv6_addr ; }'
>>>
>>>       # One reject rule per set ("add rule" is required here).
>>>       nft add rule inet filter fail2ban ip saddr "@f2b-${name}-ipv4" counter reject
>>>       nft add rule inet filter fail2ban ip6 saddr "@f2b-${name}-ipv6" counter reject
>>>
>>>       exit $?
>>> fi
>>>
>>> if [ "$action" = "stop" ]; then
>>>
>>>       name=$2
>>>       port=$3   # passed by the action, not needed here
>>>
>>>       # Look up the handles of this jail's two rules in the shared chain.
>>>       ipv4_handle=$(nft -a list chain inet filter fail2ban | sed -En "s/.*@f2b-${name}-ipv4 .*handle ([0-9]+)$/\\1/p")
>>>       ipv6_handle=$(nft -a list chain inet filter fail2ban | sed -En "s/.*@f2b-${name}-ipv6 .*handle ([0-9]+)$/\\1/p")
>>>
>>>       # Delete both rules, not only the first one found.
>>>       if [ "$ipv4_handle" != "" ]; then
>>>           nft delete rule inet filter fail2ban handle "$ipv4_handle"
>>>       else
>>>           echo "$0: IPv4 rule handle not found for '$name'."
>>>       fi
>>>       if [ "$ipv6_handle" != "" ]; then
>>>           nft delete rule inet filter fail2ban handle "$ipv6_handle"
>>>       else
>>>           echo "$0: IPv6 rule handle not found for '$name'."
>>>       fi
>>>
>>>       # The sets are no longer referenced by any rule and can be removed too.
>>>       nft delete set inet filter "f2b-${name}-ipv4"
>>>       nft delete set inet filter "f2b-${name}-ipv6"
>>>
>>>       exit $?
>>> fi
>>>
>>> if [ "$action" = "check" ]; then
>>>
>>>       name=$2
>>>       port=$3
>>>
>>>       # A non-zero exit status makes fail2ban run actionstart again.
>>>       nft list set inet filter "f2b-${name}-ipv4" >/dev/null &&
>>>           nft list set inet filter "f2b-${name}-ipv6" >/dev/null
>>>
>>>       exit $?
>>> fi
>>>
>>> if [ "$action" = "ban" ]; then
>>>
>>>       name=$2
>>>       ip=$3
>>>       type=$4   # <blocktype>, unused: the rules always reject
>>>
>>>       nft add element inet filter "f2b-${name}-$(family_of "$ip")" "{ $ip }"
>>>
>>>       exit $?
>>> fi
>>>
>>> if [ "$action" = "unban" ]; then
>>>
>>>       name=$2
>>>       ip=$3
>>>       type=$4
>>>
>>>       nft delete element inet filter "f2b-${name}-$(family_of "$ip")" "{ $ip }"
>>>
>>>       exit $?
>>> fi
>>>
>>> echo "$0: unknown action '$action'." >&2
>>> exit 1
>>>
>>> ========================================================================================================================
>>>
>>> Any thoughts or remarks?
>>>
>>> Kind regards,
>>> André
>>>
>>>
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>

--
"After sleeping through a hundred million centuries we have finally opened our eyes on a sumptuous planet, sparkling with color, bountiful with life. Within decades we must close our eyes again. Isn't it a noble, an enlightened way of spending our brief time in the sun, to work at understanding the universe and how we have come to wake up in it?"
[- Professor Richard Dawkins]
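
A variant of the helper script quoted in this thread, added here as an example (not the script posted above and not fail2ban's shipped nftables action): it keeps two sets per jail, because an nftables set has exactly one element type and cannot hold IPv4 and IPv6 addresses together, but gives every jail its own base chain instead of a shared one, so stopping a jail is a chain deletion rather than a rule-handle lookup with sed. Everything is emitted as an nft batch and applied with "nft -f -", which installs the whole batch or nothing. The names (table inet filter, chain f2b-<jail>, sets f2b-<jail>-ipv4 and f2b-<jail>-ipv6) and the command-line interface of the dispatcher are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread and not fail2ban's own nftables
# action: two sets per jail (one per address family) and one base chain per
# jail, emitted as nft batches. Assumed names: table inet filter,
# chain f2b-<jail>, sets f2b-<jail>-ipv4 and f2b-<jail>-ipv6.

# An IPv6 address always contains a colon; an IPv4 address never does.
f2b_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# actionstart: "add" is idempotent for tables, chains and sets, and the flush
# keeps the two rules from accumulating when fail2ban restarts the jail.
# Several jails may share hook and priority: each base chain only rejects what
# is in its own sets and falls through to the next chain otherwise.
f2b_start() {
    name=$1
    cat <<EOF
add table inet filter
add set inet filter f2b-$name-ipv4 { type ipv4_addr; }
add set inet filter f2b-$name-ipv6 { type ipv6_addr; }
add chain inet filter f2b-$name { type filter hook input priority -10; policy accept; }
flush chain inet filter f2b-$name
add rule inet filter f2b-$name ip saddr @f2b-$name-ipv4 counter reject
add rule inet filter f2b-$name ip6 saddr @f2b-$name-ipv6 counter reject
EOF
}

# actionstop: a chain must be empty before it can be deleted and a set must be
# unreferenced before it can be deleted; this order satisfies both.
f2b_stop() {
    name=$1
    cat <<EOF
flush chain inet filter f2b-$name
delete chain inet filter f2b-$name
delete set inet filter f2b-$name-ipv4
delete set inet filter f2b-$name-ipv6
EOF
}

# actionban / actionunban: $1 is "add" or "delete"; the address family picks the set.
f2b_element() {
    verb=$1
    name=$2
    ip=$3
    echo "$verb element inet filter f2b-$name-$(f2b_family "$ip") { $ip }"
}

# actioncheck: a non-zero exit status tells fail2ban to run actionstart again.
f2b_check() {
    nft list chain inet filter "f2b-$1" >/dev/null 2>&1
}

# Dispatcher for use as the fail2ban action command (assumed interface), e.g.
#   actionban = /usr/local/sbin/f2b-nft ban '<name>' '<ip>'
if [ $# -gt 0 ]; then
    case "$1" in
        start) f2b_start "$2" | nft -f - ;;
        stop)  f2b_stop "$2" | nft -f - ;;
        check) f2b_check "$2" ;;
        ban)   f2b_element add "$2" "$3" | nft -f - ;;
        unban) f2b_element delete "$2" "$3" | nft -f - ;;
        *)     echo "usage: $0 start|stop|check|ban|unban <jail> [<ip>]" >&2; exit 2 ;;
    esac
fi
```

Running "f2b_start sshd" without piping it into nft prints the batch, which is a convenient way to review what a jail would install before pointing fail2ban at the script.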

