> On 28-12-16 16:04, Andrea wrote:
>> Hi all.
>>
>> I am trying to implement a custom ban action to integrate in my current
>> iptables setup.
>> I have created a dedicated chain in order to log connections at iptables
>> level and I would like for fail2ban to use it as well.
>> AFAIK what I have so far should work, however it keeps giving me errors in
>> the logfile:
>>
>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR Invariant check failed. Trying to restore a sane environment
>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: ERROR iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: CRITICAL Unable to restore environment
>>
>> I don't need actionstart/actionstop since the chain is created in the
>> firewall script:
>>
>> /sbin/iptables -N BLOCKED_IP_LOG
>> /sbin/iptables -A BLOCKED_IP_LOG -j LOG -m limit --limit 10/min --log-level 4 --log-prefix 'BLOCKED_IP_LOG: '
>> /sbin/iptables -A BLOCKED_IP_LOG -j DROP
>>
>> This is my custom action configuration (derived from iptables-multiport):
>>
>> root@hpsrv:/etc/fail2ban/action.d# cat iptables-custom.conf
>>
>> [INCLUDES]
>>
>> before = iptables-blocktype.conf
>>
>> [Definition]
>>
>> actionstart =
>>
>> actionstop =
>>
>> # Option: actioncheck
>> # Notes.: command executed once before each actionban command
>> # Values: CMD
>> #
>> actioncheck = iptables -n -L <chain> | grep -q 'BLOCKED_IP_LOG'
>>
>> # Option: actionban
>> # Notes.: command executed when banning an IP. Take care that the
>> #         command is executed with Fail2Ban user rights.
>> # Tags: See jail.conf(5) man page
>> # Values: CMD
>> #
>> actionban = iptables -I <chain> 1 -s <ip> -j BLOCKED_IP_LOG
>>
>> # Option: actionunban
>> # Notes.: command executed when unbanning an IP. Take care that the
>> #         command is executed with Fail2Ban user rights.
>> # Tags: See jail.conf(5) man page
>> # Values: CMD
>> #
>> actionunban = iptables -D <chain> -s <ip> -j BLOCKED_IP_LOG
>>
>> [Init]
>>
>> # Default name of the chain
>> #
>> name = default
>>
>> # Option: port
>> # Notes.: specifies port to monitor
>> # Values: [ NUM | STRING ] Default:
>> #
>> port = ssh
>>
>> # Option: protocol
>> # Notes.: internally used by config reader for interpolations.
>> # Values: [ tcp | udp | icmp | all ] Default: tcp
>> #
>> protocol = tcp
>>
>> # Option: chain
>> # Notes.: specifies the iptables chain to which the fail2ban rules should be
>> #         added
>> # Values: STRING Default: INPUT
>> chain = INPUT
>>
>>
>> What am I doing wrong?
>
> What happens when you run:
> /sbin/iptables -N BLOCKED_IP_LOG

As I've mentioned in my previous mail, the chain is created at OS boot when
the firewall is initialized. Hence BLOCKED_IP_LOG will exist before fail2ban
starts.

> and then execute the failing f2b check command:
>
> iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG'

The chain is not empty (a few rules are added on firewall init) but I don't
see why this should be an issue for fail2ban.

> You probably need to alter the "chain = INPUT" variable to contain your
> custom chain name.

I'm afraid this will not work because what I need fail2ban to do is add the
rule to the default INPUT chain with a jump to BLOCKED_IP_LOG, where the
packets will be logged and then dropped. The <chain> parameter is correct.

Andrea

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
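Added note and example, not part of the thread and not one of fail2ban's shipped action files. Reading the posted file, the failing piece is the check itself: `iptables -n -L INPUT` prints only the rules of INPUT, so `grep -q 'BLOCKED_IP_LOG'` can match only once some INPUT rule already jumps to BLOCKED_IP_LOG. fail2ban runs actioncheck before every actionban, and with actionstart empty nothing has inserted such a rule before the first ban, so the first check always fails and fail2ban reports "Invariant check failed". Whether the BLOCKED_IP_LOG chain itself exists or has rules never enters into it. What the check should verify is that the target chain is there, which `iptables -n -L BLOCKED_IP_LOG` does on its own (it exits non-zero with "No chain/target/match by that name" when the chain is missing), while `chain = INPUT` stays as Andrea wants it. The version below keeps the file name and option names from the thread; the `target` option in [Init] and the `<target>` tag are assumptions introduced here (fail2ban substitutes any [Init] option as a tag, the same way `<chain>` and `<blocktype>` are substituted):

```ini
# /etc/fail2ban/action.d/iptables-custom.conf (added example, assumed 0.9-style action file)

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# The BLOCKED_IP_LOG chain is owned by the boot-time firewall script,
# so fail2ban deliberately neither creates nor flushes it.
actionstart =

actionstop =

# Original (failing) check, kept for comparison:
#   actioncheck = iptables -n -L <chain> | grep -q 'BLOCKED_IP_LOG'
# It lists the rules of <chain> (INPUT) and matches only once an INPUT rule
# already jumps to BLOCKED_IP_LOG; before the first ban there is none.
#
# Corrected check: verify that the target chain itself exists.
# `iptables -n -L <target>` exits non-zero if it does not.
actioncheck = iptables -n -L <target> >/dev/null

# Per-IP rule inserted at the top of INPUT, jumping to the logging chain.
actionban = iptables -I <chain> 1 -s <ip> -j <target>

actionunban = iptables -D <chain> -s <ip> -j <target>

[Init]

name = default
port = ssh
protocol = tcp

# Chain fail2ban inserts its per-IP rules into; INPUT, as intended in the thread.
chain = INPUT

# Added option (assumption, not in the original file): the log-and-drop chain
# created by the firewall script.
target = BLOCKED_IP_LOG
```

Before reloading fail2ban, run the new check by hand as root: `iptables -n -L BLOCKED_IP_LOG >/dev/null; echo $?` should print 0 once the firewall script has run, and 1 on a box where it has not, which is exactly the condition the invariant is meant to catch. After the first ban, `iptables -n -L INPUT | head` should show the `-s <ip>` rule with target BLOCKED_IP_LOG at position 1.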
