I'm cutting down my output because I don't want to give away too much
information. Make it not too easy for crackers ;-)
I do have these rules (at this moment, with no more banned IPs):
...
-A dynamic -s 58.218.198.169/32 -j reject
-A extrn-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j extrn-fw~
-A extrn-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A extrn-fw -p tcp -j tcpflags
-A extrn-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A extrn-fw -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
-A extrn-fw -p tcp -m tcp --dport 80 -m comment --comment Web -j ACCEPT
-A extrn-fw -p tcp -m tcp --dport 443 -m comment --comment Web -j ACCEPT
-A extrn-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A extrn-fw -j Drop
-A extrn-fw -j DROP
-A extrn-fw~ -s 37.187.71.201/32 -j DROP
-A extrn-fw~ -s 58.218.198.169/32 -j DROP
...
Those entries are made by Shorewall. Shorewall adds banned IPs to the
dynamic chain.
What firewall are you using? I don't have any f2b-* chains.
Thanks and regards,
Koenraad
On 28/11/2018 at 9:54, Nick Howitt wrote:
Cutting down on the iptables output is not too helpful as you lose the
names of the chains that the rules belong to, but in this case you are
missing something with a "-p tcp -m multiport --dports 80,443 -j dynamic".
Mine would go in the INPUT chain but yours may be different.
I'm also not convinced about using the "dynamic" chain. Normally it
would be an "f2b-apache-noscript" chain as you should use a separate
chain for each jail. Can you restart f2b and look for errors setting up
the -j rules and the f2b chains?
On my system (ClearOS) a firewall restart wipes all the f2b rules so I
have to do some extra manipulation to re-add them on each restart.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
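The check Nick suggests (look whether fail2ban actually created its per-jail chain and the -j rule into it) can be scripted against iptables-save output, so it can be run after every firewall restart. The script below is an added example, not code from the thread or from the fail2ban project; the three iptables-save excerpts are constructed for illustration (the jail name apache-noscript and the 203.0.113.7 address are assumptions), and the function names are made up here.

```shell
#!/bin/sh
# Added example: verify that fail2ban's chain for a jail exists in the
# running iptables ruleset and that some rule jumps into it.
# Live use:  f2b_jail_status "$(iptables-save)" apache-noscript

# Constructed excerpt (not real output): a host where the jail is wired in.
# fail2ban created f2b-apache-noscript, inserted a jump from INPUT for
# ports 80,443, and has one address banned (203.0.113.7 is a documentation
# address, chosen so the sample is clearly synthetic).
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:f2b-apache-noscript - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A f2b-apache-noscript -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-apache-noscript -j RETURN
COMMIT'

# Constructed excerpt resembling the situation in the thread: Shorewall-style
# chains are present but no f2b-* chain was ever created.
SAMPLE_MISSING='*filter
:INPUT ACCEPT [0:0]
:dynamic - [0:0]
:extrn-fw - [0:0]
-A extrn-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A extrn-fw -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed excerpt where the chain survived but nothing jumps to it, so
# any bans it holds are never consulted (what a partial flush can leave).
SAMPLE_NOJUMP='*filter
:INPUT ACCEPT [0:0]
:f2b-apache-noscript - [0:0]
-A f2b-apache-noscript -j RETURN
COMMIT'

# f2b_chain_exists SAVE_TEXT JAIL -> 0 if chain f2b-JAIL is declared.
f2b_chain_exists() {
    printf '%s\n' "$1" | grep -q "^:f2b-$2 "
}

# f2b_jump_exists SAVE_TEXT JAIL -> 0 if any rule has "-j f2b-JAIL" as target.
f2b_jump_exists() {
    printf '%s\n' "$1" | grep -q -- "-j f2b-$2\$"
}

# f2b_jump_chain SAVE_TEXT JAIL -> prints the chain holding the jump rule
# (INPUT on most hosts, possibly something else under Shorewall/firewalld),
# or nothing if there is no jump.
f2b_jump_chain() {
    printf '%s\n' "$1" | sed -n "s/^-A \([^ ]*\) .*-j f2b-$2\$/\1/p" | head -n 1
}

# f2b_jail_status SAVE_TEXT JAIL -> prints one of:
#   ok        chain present and a rule jumps to it
#   no-jump   chain present but unreachable (bans are silently ineffective)
#   no-chain  chain absent (fail2ban never set it up, or the firewall wiped it)
f2b_jail_status() {
    if ! f2b_chain_exists "$1" "$2"; then
        echo no-chain
    elif ! f2b_jump_exists "$1" "$2"; then
        echo no-jump
    else
        echo ok
    fi
}

echo "healthy host:   $(f2b_jail_status "$SAMPLE_OK" apache-noscript) (jump from $(f2b_jump_chain "$SAMPLE_OK" apache-noscript))"
echo "no f2b chain:   $(f2b_jail_status "$SAMPLE_MISSING" apache-noscript)"
echo "chain, no jump: $(f2b_jail_status "$SAMPLE_NOJUMP" apache-noscript)"
```

Run against the real `iptables-save` output, anything other than `ok` means the jail is not actually enforcing its bans, which is the failure mode Nick describes after a firewall restart; a `no-chain` or `no-jump` result is a cue to check the fail2ban log for errors from the jail's start action and to re-run it (for example with `fail2ban-client reload <jail>`), and a status of `ok` with the jump in an unexpected chain (not INPUT) is worth a second look at which chain the firewall actually sends incoming traffic through.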