authorYaroslav Halchenko <debian@onerussian.com>2011-03-23 20:36:41 +0000
committerYaroslav Halchenko <debian@onerussian.com>2011-03-23 20:36:41 +0000
commit3831fbf98b87fed2f5882e3190e10dfa0dd0e55c (patch)
tree402ea17d6e731decc9f65fe01a9eca1b8128760c /config/action.d
parent6558c03f8e138eaadcb2fa4b6bc93dad737a71fd (diff)
ENH: add <chain> to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@771 a942ae1a-1317-0410-a47c-b1dcaea8d605
Diffstat (limited to 'config/action.d')
-rw-r--r--config/action.d/iptables-allports.conf11
-rw-r--r--config/action.d/iptables-multiport-log.conf12
-rw-r--r--config/action.d/iptables-multiport.conf11
-rw-r--r--config/action.d/iptables-new.conf11
-rw-r--r--config/action.d/iptables.conf11
5 files changed, 41 insertions, 15 deletions
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index 123bac69..1cc2daba 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -15,13 +15,13 @@
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT -p <protocol> -j fail2ban-<name>
+ iptables -I <chain> -p <protocol> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
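Review bot: The rewritten `iptables -I <chain> -p <protocol> -j fail2ban-<name>` in actionstart assumes the configured chain already exists — actionstart only creates `fail2ban-<name>` with `-N`, so a jail that sets `chain` to a misspelled or not-yet-created chain will presumably fail at that line, and the `-D <chain>` in actionstop below fails the same way, with nothing in the hunk checking for it. Since the value is substituted unvalidated into the command, that prerequisite should at least be stated where the option is introduced (the `chain` block at the end of this file): `# Notes.: specifies an existing iptables chain to which the fail2ban rules should be` / `# added`. The actionstart/actionstop hunks of iptables-multiport-log.conf, iptables-multiport.conf, iptables-new.conf and iptables.conf have the same gap.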
@@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
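Review bot: `grep -q fail2ban-<name>` in the rewritten actioncheck is a substring match, so now that the listed chain is configurable, any other target in `<chain>` whose name merely begins with `fail2ban-<name>` makes the check report the jail's jump rule as present even when it is missing, and the check cannot then detect that the rule needs re-creating. Anchoring on the target column, which `iptables -n -L` prints first and pads with spaces, makes the test exact: `actioncheck = iptables -n -L <chain> | grep -q '^fail2ban-<name> '`. The same line is rewritten in the actioncheck hunks of iptables-multiport.conf, iptables-new.conf and iptables.conf.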
@@ -63,3 +63,8 @@ name = default
#
protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
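Review bot: The added `# Notes specifies the iptables chain ...` header drops the `.:` separator that every other option block in these files uses (`# Notes.: command executed once before each actionban command` a few lines above), so the new option reads differently from its neighbours. Write it as `# Notes.: specifies the iptables chain to which the fail2ban rules should be` followed by `# added`, and keep the `#` separator line that the surrounding option blocks place before `# Option:` — here the block follows `protocol = tcp` directly, while iptables-multiport-log.conf inserts a blank line instead. The identical comment is added in iptables-multiport-log.conf, iptables-multiport.conf, iptables-new.conf and iptables.conf.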
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index 3b4621db..9cdc4bab 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -5,7 +5,7 @@
#
# make "fail2ban-<name>" chain to match drop IP
# make "fail2ban-<name>-log" chain to log and drop
-# insert a jump to fail2ban-<name> from -I INPUT if proto/port match
+# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
#
# $Revision$
#
@@ -18,7 +18,7 @@
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -N fail2ban-<name>-log
iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
iptables -A fail2ban-<name>-log -j DROP
@@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban-<name>
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -F fail2ban-<name>-log
iptables -X fail2ban-<name>
@@ -76,3 +76,9 @@ port = ssh
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index fe3712d5..ad554f5c 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -13,13 +13,13 @@
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
@@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fai
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -67,3 +67,8 @@ port = ssh
#
protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index 373826c2..c249de2d 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -15,13 +15,13 @@
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
@@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port>
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -69,3 +69,8 @@ port = ssh
#
protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index daef9267..09cfb98b 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -13,13 +13,13 @@
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
+ iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
@@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -67,3 +67,8 @@ port = ssh
#
protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT