On 2019-06-26 02:41, MRob wrote:
I am working on a CentOS 6 server with a nonstandard iptables setup,
without a rule to ACCEPT ESTABLISHED connections. All tables and chains
are empty (flushed by a legacy custom script), so only the filter/INPUT
chain has rules (plus the fail2ban chain):
Chain INPUT (policy ACCEPT)
target       prot opt source           destination
f2b-postfix  tcp  --  0.0.0.0/0        0.0.0.0/0
ACCEPT       all  --  192.168.0.0/16   0.0.0.0/0
ACCEPT       all  --  127.0.0.0/8      0.0.0.0/0
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:22
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:25
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:80
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:443
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:587
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:993
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:995
DROP         tcp  --  0.0.0.0/0        0.0.0.0/0     tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
target       prot opt source           destination
REJECT       all  --  200.23.235.30    0.0.0.0/0     reject-with icmp-port-unreachable
REJECT       all  --  177.11.167.57    0.0.0.0/0     reject-with icmp-port-unreachable
RETURN       all  --  0.0.0.0/0        0.0.0.0/0
When fail2ban blocks an IP address, established connections are allowed
to continue, but with no rule to accept established connections, how is
that possible? Why doesn't the first f2b rule block established
connections?
The short answer is that the firewall rules REJECT... Fail2Ban only tells
the firewall what to reject, at the point of entry.
Think of it this way:
Fail2Ban is the manager of a popular dance club. He determines the list
of who may or may not be admitted to the club.
The firewall is the guy at the door of a popular club. He's doing his
job, checking IDs, checking against the list of allowed or rejected
guests and acting accordingly.
If the manager updates the list, it's not the door guy's job to go back
through the club to find anyone who may have been admitted prior to the
list having been updated. That's the job of a bouncer.
If you want the door guy to also be a bouncer, you'll need to configure
your Fail2Ban actions to add iptables rules which invoke DROP instead of
REJECT.
--
Mike Burger
http://www.bubbanfriends.org
"It's always suicide-mission this, save-the-planet that. No one ever
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
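As an added example (not part of the thread, and not fail2ban's or CentOS's own tooling), here is a small POSIX shell audit that parses an `iptables -L -n` style listing and reports the facts the question turns on: the INPUT chain's default policy, whether any rule accepts ESTABLISHED traffic via conntrack, and whether the only DROP/REJECT rules in the chain match SYN-only packets (`tcp flags:0x17/0x02`), in which case packets of already-open connections reach the chain's policy rather than any explicit rule. The two embedded listings are constructed: the first mirrors the shape of the ruleset quoted above with documentation addresses in place of the real ones, the second shows a RELATED,ESTABLISHED rule with a DROP policy so the checks can be seen passing the other way. The function names are mine.

```shell
#!/bin/sh
# Audit helpers for `iptables -L -n` style output. They read the listing on
# stdin, so they can be fed either a saved listing or the live command.

# Constructed listing, modelled on the thread's ruleset (addresses changed).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target       prot opt source           destination
f2b-postfix  tcp  --  0.0.0.0/0        0.0.0.0/0
ACCEPT       all  --  192.168.0.0/16   0.0.0.0/0
ACCEPT       all  --  127.0.0.0/8      0.0.0.0/0
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:22
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:25
DROP         tcp  --  0.0.0.0/0        0.0.0.0/0     tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
target       prot opt source           destination
REJECT       all  --  203.0.113.30     0.0.0.0/0     reject-with icmp-port-unreachable
RETURN       all  --  0.0.0.0/0        0.0.0.0/0
'

# Constructed listing of the conventional shape: conntrack rule first,
# new connections admitted per port, default policy DROP.
HARDENED_LISTING='Chain INPUT (policy DROP)
target       prot opt source           destination
ACCEPT       all  --  0.0.0.0/0        0.0.0.0/0     state RELATED,ESTABLISHED
ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0     tcp dpt:22 state NEW
'

# Print the default policy (ACCEPT/DROP) of the named chain.
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4; exit }'
}

# Exit 0 if the named chain has a rule matching ESTABLISHED via state/ctstate.
has_established_rule() {
    awk -v chain="$1" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && /(state|ctstate) [A-Z,]*ESTABLISHED/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if every DROP/REJECT rule in the chain matches SYN-only packets
# (flags:0x17/0x02), i.e. non-SYN packets fall through to the chain policy.
drops_only_syn() {
    awk -v chain="$1" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && ($1 == "DROP" || $1 == "REJECT") {
            total++
            if ($0 ~ /flags:0x17\/0x02/) syn++
        }
        END { exit (total > 0 && total == syn) ? 0 : 1 }'
}

# Print the specific source addresses that the chain drops or rejects.
blocked_sources() {
    awk -v chain="$1" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && ($1 == "DROP" || $1 == "REJECT") && $4 != "0.0.0.0/0" { print $4 }'
}

# Report on one listing, so the same code can be pointed at a live box.
report() {
    listing=$1
    policy=$(printf '%s' "$listing" | chain_policy INPUT)
    echo "INPUT policy: $policy"
    if printf '%s' "$listing" | has_established_rule INPUT; then
        echo "INPUT accepts ESTABLISHED traffic via a conntrack rule"
    else
        echo "INPUT has no ESTABLISHED rule"
    fi
    if printf '%s' "$listing" | drops_only_syn INPUT; then
        echo "INPUT blocks only SYN packets; other packets reach policy $policy"
    fi
    echo "Sources blocked in f2b-postfix:"
    printf '%s' "$listing" | blocked_sources f2b-postfix
}

echo "--- sample ruleset ---";   report "$SAMPLE_LISTING"
echo "--- hardened ruleset ---"; report "$HARDENED_LISTING"
```

On a live CentOS 6 host the same functions take the real listing, for example `iptables -L -n | has_established_rule INPUT` (root required); the checks are read-only and change no rules.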