authorsebres <serg.brester@sebres.de>2022-01-26 21:51:11 +0100
committersebres <serg.brester@sebres.de>2022-01-26 21:51:11 +0100
commit06d2623c5e243e11fd45bcc98cbd099c3973e597 (patch)
tree36fa0aa4326433793aab5e194263852fab04db1e /config/action.d/iptables.conf
parentffc9fb4aa6e620e7288fe7da4463f64cd5b0adf8 (diff)
downloadfail2ban-06d2623c5e243e11fd45bcc98cbd099c3973e597.tar.gz
iptables and iptables-ipset actions extended to support multiple protocols with single action for multiport or oneport type (back-ported from nftables action);
amend to gh-980 fixing several actions (correctly supporting new enhancements now)
Diffstat (limited to 'config/action.d/iptables.conf')
-rw-r--r--config/action.d/iptables.conf27
1 files changed, 21 insertions, 6 deletions
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index 821a9ef1..67d496f5 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -23,13 +23,13 @@ actionflush = <iptables> -F f2b-<name>
# Values: CMD
#
actionstart = { <iptables> -C f2b-<name> -j <returntype> >/dev/null 2>&1; } || { <iptables> -N f2b-<name> || true; <iptables> -A f2b-<name> -j <returntype>; }
- { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
+ <_ipt_add_rules>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
-actionstop = <iptables> -D <chain> %(_ipt_chain_rule)s
+actionstop = <_ipt_del_rules>
<actionflush>
<iptables> -X f2b-<name>
@@ -37,7 +37,7 @@ actionstop = <iptables> -D <chain> %(_ipt_chain_rule)s
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = <_ipt_check_rule>
+actioncheck = <_ipt_check_rules>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -64,21 +64,36 @@ rule-jump = -j <_ipt_rule_target>
# Several capabilities used internaly:
+_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_ipt_for_proto-done = done
+
+_ipt_add_rules = <_ipt_for_proto-iter>
+ { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
+ <_ipt_for_proto-done>
+
+_ipt_del_rules = <_ipt_for_proto-iter>
+ <iptables> -D <chain> %(_ipt_chain_rule)s
+ <_ipt_for_proto-done>
+
+_ipt_check_rules = <_ipt_for_proto-iter>
+ %(_ipt_check_rule)s
+ <_ipt_for_proto-done>
+
_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
_ipt_rule_target = f2b-<name>
[ipt_oneport]
-_chain_rule = -p <protocol> --dport <port> <rule-jump>
+_chain_rule = -p $proto --dport <port> <rule-jump>
[ipt_multiport]
-_chain_rule = -p <protocol> -m multiport --dports <port> <rule-jump>
+_chain_rule = -p $proto -m multiport --dports <port> <rule-jump>
[ipt_allports]
-_chain_rule = -p <protocol> <rule-jump>
+_chain_rule = -p $proto <rule-jump>
[Init]
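Review bot: `_ipt_check_rules` only reports the result of its final iteration, since the exit status of a `for ... done` loop is that of the last command it executed; with `protocol = tcp,udp` a missing tcp rule is masked as long as the udp rule is still present, so actioncheck succeeds and the chain is never repaired by re-running actionstart. Failing on the first missing rule fixes this: `%(_ipt_check_rule)s || exit 1` as the loop body, assuming the action is run as one shell command like the other multi-line actions in this file. `_ipt_del_rules` has the same last-iteration property for its `-D` calls, which is less critical but worth a note above the definition. A one-line comment on `_ipt_for_proto-iter` saying that `<protocol>` is split on commas and must not contain quotes or shell metacharacters would also help whoever next edits jail settings.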