On 28-12-16 17:16, Andrea wrote:
>>
>>
>> On 28-12-16 16:04, Andrea wrote:
>>> Hi all.
>>>
>>> I am trying to implement a custom ban action to integrate in my current
>>> iptables setup.
>>> I have created a dedicated chain in order to log connections at iptables
>>> level and I would like for fail2ban to use it as well.
>>> AFAIK what I have so far should work, however it keeps giving me errors
>>> in the logfile:
>>>
>>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR Invariant check failed. Trying to restore a sane environment
>>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: ERROR iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: CRITICAL Unable to restore environment
>>>
>>> I don't need actionstart/actionstop since the chain is created in the
>>> firewall script:
>>>
>>> /sbin/iptables -N BLOCKED_IP_LOG
>>> /sbin/iptables -A BLOCKED_IP_LOG -j LOG -m limit --limit 10/min --log-level 4 --log-prefix 'BLOCKED_IP_LOG: '
>>> /sbin/iptables -A BLOCKED_IP_LOG -j DROP
>>>
>>> This is my custom action configuration (derived from iptables-multiport):
>>>
>>> root@hpsrv:/etc/fail2ban/action.d# cat iptables-custom.conf
>>>
>>> [INCLUDES]
>>>
>>> before = iptables-blocktype.conf
>>>
>>> [Definition]
>>>
>>> actionstart =
>>>
>>> actionstop =
>>>
>>> # Option: actioncheck
>>> # Notes.: command executed once before each actionban command
>>> # Values: CMD
>>> #
>>> actioncheck = iptables -n -L <chain> | grep -q 'BLOCKED_IP_LOG'
>>>
>>> # Option: actionban
>>> # Notes.: command executed when banning an IP. Take care that the
>>> # command is executed with Fail2Ban user rights.
>>> # Tags: See jail.conf(5) man page
>>> # Values: CMD
>>> #
>>> actionban = iptables -I <chain> 1 -s <ip> -j BLOCKED_IP_LOG
>>>
>>> # Option: actionunban
>>> # Notes.: command executed when unbanning an IP. Take care that the
>>> # command is executed with Fail2Ban user rights.
>>> # Tags: See jail.conf(5) man page
>>> # Values: CMD
>>> #
>>> actionunban = iptables -D <chain> -s <ip> -j BLOCKED_IP_LOG
>>>
>>> [Init]
>>>
>>> # Default name of the chain
>>> #
>>> name = default
>>>
>>> # Option: port
>>> # Notes.: specifies port to monitor
>>> # Values: [ NUM | STRING ] Default:
>>> #
>>> port = ssh
>>>
>>> # Option: protocol
>>> # Notes.: internally used by config reader for interpolations.
>>> # Values: [ tcp | udp | icmp | all ] Default: tcp
>>> #
>>> protocol = tcp
>>>
>>> # Option: chain
>>> # Notes.: specifies the iptables chain to which the fail2ban rules should be
>>> # added
>>> # Values: STRING Default: INPUT
>>> chain = INPUT
>>>
>>>
>>> What am I doing wrong?
>>
>> What happens when you run:
>> /sbin/iptables -N BLOCKED_IP_LOG
>
> As I've mentioned in my previous mail, the chain is created at OS boot
> when the firewall is initialized.
> Hence BLOCKED_IP_LOG will exist before fail2ban starts.
>
>> and then execute the failing f2b check command:
>>
>> iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG'
>
> The chain is not empty (a few rules are added on firewall init) but I
> don't see why this should be an issue for fail2ban.
The above command is what is used by fail2ban as the actioncheck command, and
it fails because the jump from INPUT to your custom chain is not there. This is
the problem that f2b is reporting in the error log. You will need to add that
jump too in your firewall script, if you configure f2b to do nothing upon
starting the jail (actionstart=<empty>).

>
>> You probably need to alter the "chain = INPUT" variable to contain your
>> custom chain name.
>>
>
> I'm afraid this will not work because what I need fail2ban to do is add
> the rule to the default INPUT chain with a jump to BLOCKED_IP_LOG where the
> packets will be logged then dropped.
> The <chain> parameter is correct.
>
> Andrea
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
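To make the failure mode described in the reply concrete, here is an added example (not code from the thread or from fail2ban): a POSIX shell script with a constructed file-backed stand-in for iptables and the actioncheck, actionstart, actionban sequence fail2ban runs, showing that the posted actioncheck can never pass before the first ban while actionstart is empty, and that an alternative actioncheck, assumed here, which only tests that the BLOCKED_IP_LOG chain exists, lets the ban through. The fake iptables, its file layout and the 192.0.2.10 address are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed stand-in for fail2ban + iptables (not real fail2ban code): rules live in
# files under a temp dir; fake_iptables knows only the options used in the thread.
RULEDIR=$(mktemp -d); trap 'rm -rf "$RULEDIR"' EXIT   # one file per chain, one rule per line

fake_iptables() {                      # fake_iptables [-n] -N|-A|-I|-L <chain> [rule...]
  [ "$1" = -n ] && shift
  op=$1; chain=$RULEDIR/$2; shift 2
  case $op in
    -N) : > "$chain" ;;
    -A) printf '%s\n' "$*" >> "$chain" ;;
    -I) shift                          # -I <chain> 1 <rule>: insert at the top
        { printf '%s\n' "$*"; cat "$chain"; } > "$chain.new" && mv "$chain.new" "$chain" ;;
    -L) [ -f "$chain" ] || return 1    # unknown chain: non-zero, like the real tool
        printf 'Chain %s\n' "${chain##*/}"; cat "$chain" ;;
  esac
}

firewall_init() {                      # what the poster's boot-time firewall script does
  rm -f "$RULEDIR"/*; fake_iptables -N INPUT       # INPUT is built in on a real box
  fake_iptables -N BLOCKED_IP_LOG
  fake_iptables -A BLOCKED_IP_LOG -j LOG -m limit --limit 10/min --log-level 4
  fake_iptables -A BLOCKED_IP_LOG -j DROP
}

# f2b_ban mirrors fail2ban's invariant handling: run actioncheck; on failure run
# actionstop/actionstart and check again; only then run actionban.
f2b_ban() {                            # $1 actioncheck  $2 actionstart  $3 ip
  if ! eval "$1"; then
    printf '%s\n' "ERROR Invariant check failed. Trying to restore a sane environment"
    eval "$2"                          # actionstop is empty in the posted config
    eval "$1" || { printf '%s\n' "CRITICAL Unable to restore environment"; return 1; }
  fi
  fake_iptables -I INPUT 1 -s "$3" -j BLOCKED_IP_LOG
}

# The posted action: actionstart is empty and actioncheck greps INPUT for a jump
# that nothing has created yet, so the very first ban can never get through.
scenario_posted() {
  firewall_init
  f2b_ban "fake_iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG'" "" 192.0.2.10
}

# Same action with an actioncheck that only requires the target chain to exist
# (assumed alternative); actionstart stays empty and the ban rule lands in INPUT.
scenario_fixed() {
  firewall_init
  f2b_ban "fake_iptables -n -L BLOCKED_IP_LOG >/dev/null" "" 192.0.2.10 &&
    fake_iptables -n -L INPUT | grep -q -- '-s 192.0.2.10 -j BLOCKED_IP_LOG'
}
```

Running `scenario_posted` reproduces the two log lines from the first message and returns non-zero without adding any rule; `scenario_fixed` returns zero with the ban rule at the top of INPUT.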
