diff options
author | Yaroslav Halchenko <debian@onerussian.com> | 2011-03-23 20:36:41 +0000 |
---|---|---|
committer | Yaroslav Halchenko <debian@onerussian.com> | 2011-03-23 20:36:41 +0000 |
commit | 3831fbf98b87fed2f5882e3190e10dfa0dd0e55c (patch) | |
tree | 402ea17d6e731decc9f65fe01a9eca1b8128760c /config/action.d | |
parent | 6558c03f8e138eaadcb2fa4b6bc93dad737a71fd (diff) | |
download | fail2ban-3831fbf98b87fed2f5882e3190e10dfa0dd0e55c.tar.gz |
ENH: add <chain> to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@771 a942ae1a-1317-0410-a47c-b1dcaea8d605
Diffstat (limited to 'config/action.d')
-rw-r--r-- | config/action.d/iptables-allports.conf | 11 | ||||
-rw-r--r-- | config/action.d/iptables-multiport-log.conf | 12 | ||||
-rw-r--r-- | config/action.d/iptables-multiport.conf | 11 | ||||
-rw-r--r-- | config/action.d/iptables-new.conf | 11 | ||||
-rw-r--r-- | config/action.d/iptables.conf | 11 |
5 files changed, 41 insertions, 15 deletions
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 123bac69..1cc2daba 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> -j fail2ban-<name> + iptables -I <chain> -p <protocol> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name> # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -63,3 +63,8 @@ name = default # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 3b4621db..9cdc4bab 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -5,7 +5,7 @@ # # make "fail2ban-<name>" chain to match drop IP # make "fail2ban-<name>-log" chain to log and drop -# insert a jump to fail2ban-<name> from -I INPUT if proto/port match +# insert a jump to fail2ban-<name> from -I <chain> if proto/port match # # $Revision$ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> + iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -N fail2ban-<name>-log iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban-<name>-log -j DROP @@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban-<name> # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -F fail2ban-<name>-log iptables -X fail2ban-<name> @@ -76,3 +76,9 @@ port = ssh # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index fe3712d5..ad554f5c 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> + iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fai # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 373826c2..c249de2d 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -69,3 +69,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index daef9267..09cfb98b 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name> # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT |