On 6/26/2019 2:41 AM, MRob wrote:
> I am working on a CentOS 6 server with a nonstandard iptables system without a rule to
> ACCEPT ESTABLISHED connections. All tables and chains are empty (flushed by a legacy custom
> script), so only the filter/INPUT chain has rules (plus the fail2ban chain):
>
> Chain INPUT (policy ACCEPT)
> target       prot opt source           destination
> f2b-postfix  tcp  --  0.0.0.0/0        0.0.0.0/0
> ACCEPT       all  --  192.168.0.0/16   0.0.0.0/0
> ACCEPT       all  --  127.0.0.0/8      0.0.0.0/0
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:22
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:25
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:80
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:443
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:587
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:993
> ACCEPT       tcp  --  0.0.0.0/0        0.0.0.0/0    tcp dpt:995
> DROP         tcp  --  0.0.0.0/0        0.0.0.0/0    tcp flags:0x17/0x02
>
> Chain f2b-postfix (1 references)
> target       prot opt source           destination
> REJECT       all  --  200.23.235.30    0.0.0.0/0    reject-with icmp-port-unreachable
> REJECT       all  --  177.11.167.57    0.0.0.0/0    reject-with icmp-port-unreachable
> RETURN       all  --  0.0.0.0/0        0.0.0.0/0
>
> When fail2ban blocks an IP address, established connections are allowed to continue,
> but with no rule to accept established connections, how is that possible? Why
> doesn't f2b's first rule block established connections?

The way I solved this problem was using conntrack. I added entries to the fail2ban action to delete connections where the source or destination matched the IP I was trying to block. This results in all communications from that IP being dropped immediately.

I used a .local file to redefine the actionban. It looks like this:

$ cat firewallcmd-allports.local
[Definition]
# Continuation lines are indented; each conntrack call runs in a subshell with
# "exit 0" so a non-zero exit when no flow matched does not fail the ban.
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
            (conntrack -D -s <ip>; exit 0)
            (conntrack -D -d <ip>; exit 0)

You have to install the conntrack-tools package to use the conntrack command, but I don't remember having to do anything else to make it work.

--
Bowie

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
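The same flow teardown as a small POSIX shell helper, added here as an example (it is not Bowie's configuration or fail2ban's own code): it validates the address before it reaches the conntrack command line, flushes both directions while tolerating conntrack's non-zero exit for "nothing deleted", and reports how many flows still reference the address afterwards so the ban can be verified. The names CONNTRACK, valid_ipv4, flush_flows_for_ip and remaining_flows_for_ip are assumed for this example.

```shell
#!/bin/sh
# Added example, not the poster's configuration or fail2ban's own code.
# A helper that a fail2ban actionban line could call to tear down tracked
# flows for a banned address. Assumes conntrack-tools is installed; CONNTRACK
# can be pointed at another command for testing.
CONNTRACK="${CONNTRACK:-conntrack}"

# Accept only a dotted-quad IPv4 address, so a malformed <ip> can never reach
# the conntrack command line as extra arguments. Returns 0 if valid, 1 if not.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Delete every tracked flow whose source or destination is $1.
# conntrack -D exits non-zero when no entry matched, which is not an error
# here (the host may hold no flows for that address), so both calls are
# tolerated. Returns 0 on completion, 2 on an invalid address, 3 if the
# conntrack command cannot be found.
flush_flows_for_ip() {
  valid_ipv4 "$1" || return 2
  command -v "$CONNTRACK" >/dev/null 2>&1 || return 3
  "$CONNTRACK" -D -s "$1" >/dev/null 2>&1 || true
  "$CONNTRACK" -D -d "$1" >/dev/null 2>&1 || true
  return 0
}

# Count flows still referencing $1, one line per flow on conntrack -L's
# stdout (its "N flow entries have been shown" summary goes to stderr and is
# dropped). A flow with $1 at both ends is counted twice. Prints the count;
# returns 2 on an invalid address, 3 if conntrack is missing.
remaining_flows_for_ip() {
  valid_ipv4 "$1" || return 2
  command -v "$CONNTRACK" >/dev/null 2>&1 || return 3
  { "$CONNTRACK" -L -s "$1" 2>/dev/null
    "$CONNTRACK" -L -d "$1" 2>/dev/null; } | awk 'END { print NR }'
}
```

Deleting conntrack entries needs root, as fail2ban's action already has; the flush only makes the ban take effect immediately, while the firewall rule added in the same action is what keeps the packets out afterwards.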