Server Fault Asked by Chris Charles on November 29, 2021
I have some experience using iptables and fail2ban.
Both are working as they should, but I would like to optimize the way packets are “DROPed” when IP & port probing occur.
Fail2Ban is doing a good job of blocking IPs that are trying to access various ports (i.e. SSH, MySQL, etc).
However, once an IP is blocked on a specific port (i.e. port 22 for SSH), the HOST is still reachable via ICMP, even though Fail2Ban has added a “DROP – all” condition to iptables.
I may be wrong, but I think it has to do with the order in which iptables is reading the Fail2Ban CHAIN.
This is what iptables -L reveals (IPs and DNSs have been replaced):
user@ SERVER > iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- 10.10.10.1/25 anywhere
fail2ban-SSH all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
fail2ban-SSH all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain fail2ban-SSH (3 references)
target prot opt source destination
DROP all -- badip.baddomain.org anywhere
DROP all -- 299.299.299.11 anywhere
DROP all -- prober.hackers.com anywhere
RETURN all -- anywhere anywhere
As well, here is my iptables file as a point of reference:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:fail2ban-SSH - [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#
#
#
-A INPUT -j fail2ban-SSH
-A FORWARD -j fail2ban-SSH
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
As you can see, there is a line that ALLOWS ICMP:
ACCEPT icmp -- anywhere anywhere icmp any
This is done on purpose as I have a need for legitimate users to be able to ping certain servers.
You can see in my iptables file, I have added the “fail2ban-SSH” CHAIN ahead of the others in the hopes that it would get read before all other rules, but that did not work.
My goal would be to DROP ANY request from an IP that Fail2Ban has blocked for any reason, including ICMP requests.
Is there a way to configure iptables to read the Fail2Ban rules before all other CHAINS and rules, so that I can truly block an IP on all ports & protocols?
If I understand your question correctly, IPs in your SSH jail should be blocked from all ports on the system and should not be able to ping you. All other IPs should be able to ping.
To ban an IP from all ports, you'll need to set up your SSH jail to use the iptables-allports action configuration. You can configure whether to use DROP, REJECT, etc. in /etc/fail2ban/action.d/iptables-blocktype.conf
[sshd]
enabled = true
action = iptables-allports[name=sshd]
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 300
bantime = 7200
If you also want to prevent this specific IP from pinging you while allowing anyone else who isn't in the SSH jail to ping, you will need to add another action to your SSH jail.
REJECT --reject-with icmp-host-prohibited. Jails can have multiple actions, so directly below iptables-allports[name=sshd], list the name of your new action configuration file, iptables-blockping.conf.
This should work for your purposes - IPs in your SSH jail will have specific entries in iptables to reject ping requests. These rules will be read after your rule to allow pings.
Answered by user307414 on November 29, 2021
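The question's hypothesis (that the position of the fail2ban jump in INPUT decides whether a banned host can still ping) and the answer's recipe (iptables-allports plus a separate ICMP action) both come down to iptables' first-match traversal. The following toy simulator is an added illustration, not code from the question, the answer, fail2ban or iptables: it models only the matchers used on this page (source address, protocol, destination port) and the targets ACCEPT, DROP, REJECT, RETURN and jump-to-user-chain, with the chain policy as fall-through. The addresses, the chain names f2b-sshd and f2b-sshd-ping, and the four scenarios are constructed; the host chain is shaped like the question's RH-Firewall-1-INPUT (ICMP accepted early, everything unlisted rejected).

```python
"""Toy first-match simulator for iptables filter-table traversal.

Added illustration; not code from the question, the answer, fail2ban or
iptables. Addresses, chain names and rule sets below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, RETURN or a user-chain name
    proto: str = "all"           # "all", "tcp", "udp" or "icmp"   (-p)
    src: str = "0.0.0.0/0"       # source CIDR                      (-s)
    dport: Optional[int] = None  # destination port                 (--dport)


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Table:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policies: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        if rule.proto != "all" and rule.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(rule.src):
            return False
        return rule.dport is None or rule.dport == pkt.dport

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """Terminating verdict, or None when the chain RETURNs or runs off its end."""
        for rule in self.chains.get(chain, []):
            if not self.matches(rule, pkt):
                continue
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target                 # first match wins
            if rule.target == "RETURN":
                return None
            verdict = self.walk(rule.target, pkt)  # jump into a user chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, pkt: Packet, chain: str = "INPUT") -> str:
        return self.walk(chain, pkt) or self.policies.get(chain, "ACCEPT")


BANNED = "203.0.113.7"   # constructed address standing in for a jailed IP
FRIEND = "198.51.100.9"  # constructed address of a legitimate user


def build(before: List[Rule], after: Optional[List[Rule]] = None) -> Table:
    """INPUT = `before` jumps, then a host chain shaped like the question's
    RH-Firewall-1-INPUT (ping and a few services accepted, rest rejected),
    then `after` jumps."""
    t = Table(policies={"INPUT": "ACCEPT"})
    t.chains["f2b-sshd"] = [Rule("DROP", src=BANNED + "/32"), Rule("RETURN")]
    t.chains["f2b-sshd-ping"] = [Rule("REJECT", src=BANNED + "/32"), Rule("RETURN")]
    t.chains["RH-Firewall-1-INPUT"] = [
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("ACCEPT", proto="tcp", dport=80),
        Rule("REJECT"),
    ]
    t.chains["INPUT"] = list(before) + [Rule("RH-Firewall-1-INPUT")] + list(after or [])
    return t


SCENARIOS = {
    # stock "iptables" action: jump to the ban chain only for tcp to the jailed port
    "stock-per-port": build([Rule("f2b-sshd", proto="tcp", dport=22)]),
    # "iptables-allports" with its default protocol=tcp: every tcp port, but not icmp
    "allports-tcp": build([Rule("f2b-sshd", proto="tcp")]),
    # allports plus a separate icmp action, both inserted at the top of INPUT (-I)
    "allports+ping-inserted": build([Rule("f2b-sshd", proto="tcp"),
                                     Rule("f2b-sshd-ping", proto="icmp")]),
    # same icmp action but appended after the host chain (-A): never reached for ping
    "allports+ping-appended": build([Rule("f2b-sshd", proto="tcp")],
                                    [Rule("f2b-sshd-ping", proto="icmp")]),
}


def probe(scenario: str) -> Dict[str, str]:
    """Verdicts for a banned host and a friendly host under one scenario."""
    t = SCENARIOS[scenario]
    return {
        "banned ssh":   t.verdict(Packet(BANNED, "tcp", 22)),
        "banned mysql": t.verdict(Packet(BANNED, "tcp", 3306)),
        "banned ping":  t.verdict(Packet(BANNED, "icmp")),
        "friend ssh":   t.verdict(Packet(FRIEND, "tcp", 22)),
        "friend ping":  t.verdict(Packet(FRIEND, "icmp")),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name)
        for probe_name, result in probe(name).items():
            print(f"  {probe_name:13} {result}")
```

Running it shows why the two halves of the answer are both needed: the per-port jump drops only the banned host's SSH attempts, allports with its default protocol=tcp drops every TCP port but still lets the banned host reach the ICMP ACCEPT in the host chain, and the ping verdict flips to REJECT only when the ICMP jump sits ahead of that ACCEPT. The appended variant is the caveat to check on a real box: an ICMP ban rule that lands below the host chain's ICMP accept never sees the packet, so after a ban, confirm with iptables -L INPUT --line-numbers that the fail2ban jumps are above any broad ACCEPT.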