--On Friday, August 02, 2019 3:31 PM -0500 Mike <[email protected]> wrote:
This is what I was thinking.   I'm using CentOS 7.  I believe it has
firewalld integrated.  Admittedly, I know just enough to "get the job
done" and am not an expert in all the nuances of the tools.  So I
sometimes don't understand which systems overlap or replace each other,
such as iptables, ipset, firewalld and various others.  I've been doing a
bunch of research trying to figure out the best approach.

I'm using CentOS 7 as well. At the lowest level are iptables and ipsets, which "run" in the kernel whenever a packet passes through the system. Every packet passes through the iptables plumbing. ipsets perform a member-of function. An iptables rule can ask an ipset if a source or destination address is a member of an ipset.

Here are some diagrams that show the path that packets take through iptables:

<https://gist.github.com/nerdalert/a1687ae4da1cc44a437d>

firewalld is a system that installs its own set of iptables and ipsets and dynamically manages them. It uses the iptables and ipsets commands to build its firewall. fail2ban also creates a system of iptables and ipsets. It can either do so directly with the same commands or it can use firewalld's commands so that firewalld is aware of fail2ban's changes. If you use firewalld, you should configure fail2ban to use firewalld and not directly mess with iptables.

Note that you can use the iptables and ipset commands to view what fail2ban and firewalld create. This is useful to understand how they work.

Specifically, I'm looking for the proper command to block an ipset list
from a select list of ports (basically all the interactive ones normally
reserved for clients like ftp, ssh, imap, pop3, etc).

iptables -I INPUT 1 -p tcp -m multiport --dports ssh,submission,465,pop3,pop3s,imap,imaps,sieve -m set --match-set NonUS src -m conntrack --ctstate NEW -j DROP

Some scripts to create the NonUS ipset using firewalld:

<https://gist.github.com/SpareSimian/c8475f140664e415fdc37b1073b563a1>

Then add the above iptables rule to your firewalld direct rules.

The only downside is whether to block ports 25/587?   I need to be able
to occasionally tell if some legit mail gets blocked.  That's probably
another level of protection to discuss separately?

Block 587 but not 25. Disallow authentication on port 25 in your MTA config. For sendmail, this should be in your sendmail.mc:

DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=EA')dnl

(The A in the M variable disallows authentication on port 25.)

One question I was wondering.. if you update IPs in IPSET, does it
automatically update the underlying iptables rule?

ipsets are hash tables in the kernel. Any program can use them, not just iptables rules (which also live in the kernel). Updating an ipset happens instantly, when the next packet arrives. There's no need to touch your iptables rules that reference them.
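The setup described in the reply above (a NonUS ipset, the multiport DROP rule installed as a firewalld direct rule, and a later ipset update that needs no rule change), collected into one script. This is an added example, not a script from the thread or from the linked gist; it assumes CentOS 7 with firewalld running, and the network list is a constructed placeholder using RFC 5737 documentation ranges, not real geolocation data.

```shell
#!/bin/sh
# Added example (not from the thread): build the NonUS ipset and the
# port-blocking rule through firewalld so firewalld stays aware of both.
# Assumes CentOS 7 with firewalld running. Set DRY_RUN=1 to print the
# commands instead of executing them.

IPSET_NAME="NonUS"
# Ports from the thread's rule: interactive services clients log in to.
# Port 587 (submission) is blocked; port 25 (smtp) is deliberately not.
BLOCK_PORTS="ssh,submission,465,pop3,pop3s,imap,imaps,sieve"
# Constructed placeholder networks (RFC 5737); replace with the real list.
NONUS_NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the ipset as a permanent firewalld object (hash:net takes CIDRs)
# and populate it. Entries can be added later without touching the rule.
create_nonus_ipset() {
    run firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    for net in $NONUS_NETS; do
        run firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entry="$net"
    done
}

# Install the thread's iptables rule as a firewalld direct rule at
# priority 0 of the INPUT chain: drop NEW TCP connections from set
# members to the listed ports. Everything after the priority is passed
# to iptables unchanged.
add_block_rule() {
    run firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
        -p tcp -m multiport --dports "$BLOCK_PORTS" \
        -m set --match-set "$IPSET_NAME" src \
        -m conntrack --ctstate NEW -j DROP
}

# Add one network to the running set; the rule sees it on the next
# packet, which is the thread's point about ipsets living in the kernel.
add_nonus_net() {
    run firewall-cmd --ipset="$IPSET_NAME" --add-entry="$1"
}

# Apply the permanent config, then show what firewalld actually built
# using the low-level tools the thread suggests for verification.
apply_and_show() {
    run firewall-cmd --reload
    run ipset list "$IPSET_NAME"
    run iptables -S INPUT
}
```

Run as root, first with `DRY_RUN=1` to review the commands, then `create_nonus_ipset && add_block_rule && apply_and_show`; a later `add_nonus_net 198.51.100.0/24` takes effect without reinstalling the rule.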
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users