# Fail2Ban configuration file
#
# Author: Daniel Black
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Modified: Alexander Belykh <albel727@ngs.ru>
#                       adapted for nftables
#
# This is an included configuration file; it holds the nftables definitions
# used by all nftables-based actions by default.
#
# The user can override the defaults in nftables-common.local
# Example: redirect traffic from banned addresses to a honeypot on port 2222
#
# [Init]
# table_family = ip
# chain_type = nat
# chain_hook = prerouting
# chain_priority = -50
# blocktype = counter redirect to 2222
 
[INCLUDES]
 
after = nftables-common.local
 
[Definition]
 
# Option:  type
# Notes.:  type of the action.
# Values:  [ multiport | allports | custom ]  Default: multiport
#          custom has an empty match (see rule_match-custom below), so the
#          resulting rule is not restricted to any port or protocol
#
type = multiport
 
rule_match-custom =
rule_match-allports = meta l4proto \{ <protocol> \}
rule_match-multiport = $proto dport \{ $(echo '<port>' | sed s/:/-/g) \}
match = <rule_match-<type>>
 
# Option:  rule_stat
# Notes.:  statement for nftables filter rule.
#          with an empty match (type = custom) the rule applies to all traffic
#          from a banned address, including udp and icmp, not only to the
#          configured ports
# Values:  nftables statement
#
rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
 
# optional iterator over the comma-separated protocol list (only used for type = multiport):
_nft_for_proto-custom-iter =
_nft_for_proto-custom-done =
_nft_for_proto-allports-iter =
_nft_for_proto-allports-done =
_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
_nft_for_proto-multiport-done = done
 
_nft_list = <nftables> -a list chain <table_family> <table> <chain>
_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
 
_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
              <_nft_for_proto-<type>-iter>
              <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
              <_nft_for_proto-<type>-done>
_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
               <nftables> delete rule <table_family> <table> <chain> $hdl; done
              <nftables> delete set <table_family> <table> <addr_set>
 
# Option:  _nft_shutdown_table
# Notes.:  command executed after the stop in order to delete the table; the table
#          is only removed when it no longer contains any set (e.g. sets still in
#          use by other jails sharing the same table are left untouched):
# Values:  CMD
#
_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
                        <nftables> delete table <table_family> <table>
                      }
 
# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = <nftables> add table <table_family> <table>
              <nftables> -- add chain <table_family> <table> <chain> \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
              %(_nft_add_set)s
 
# Option:  actionflush
# Notes.:  command executed once to flush all banned IPs, at shutdown (resp. when the jail or this action is stopped);
#          uses `nft flush set ...` and, as a fallback (e.g. if flush is not supported by the
#          installed nft), deletes and recreates the set together with the rules referencing it
# Values:  CMD
#
actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/null; } || {
              %(_nft_del_set)s
              %(_nft_add_set)s
              }
 
# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = %(_nft_del_set)s
             <_nft_shutdown_table>
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command; it verifies that the
#          chain still holds a rule referencing the ban set, so a ban cannot silently
#          succeed against a set that no rule matches on (e.g. after the ruleset was
#          replaced by an nft reload)
# Values:  CMD
#
actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights. The <ip> tag is
#          substituted into a shell command line; this action relies on
#          Fail2Ban supplying an already-validated address here, so do not
#          reuse the template with addresses from an unvalidated source.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <nftables> add element <table_family> <table> <addr_set> \{ <ip> \}
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights. As for actionban, the
#          <ip> tag is substituted into a shell command line and is expected to
#          be an address already validated by Fail2Ban.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <nftables> delete element <table_family> <table> <addr_set> \{ <ip> \}
 
[Init]
 
# Option:  table
# Notes.:  main table to store chain and sets (automatically created on demand)
# Values:  STRING  Default: f2b-table
table = f2b-table
 
# Option:  table_family
# Notes.:  address family to work in
# Values:  [ip | ip6 | inet]  Default: inet
table_family = inet
 
# Option:  chain
# Notes.:  main chain to store rules
# Values:  STRING  Default: f2b-chain
chain = f2b-chain
 
# Option:  chain_type
# Notes.:  refers to the kind of chain to be created
# Values:  [filter | route | nat]  Default: filter
#
chain_type = filter
 
# Option:  chain_hook
# Notes.:  netfilter hook the chain is attached to (input covers traffic addressed to
#          this host; the honeypot example above uses prerouting with chain_type = nat)
# Values:  [ prerouting | input | forward | output | postrouting ]  Default: input
#
chain_hook = input
 
# Option:  chain_priority
# Notes.:  priority of the chain at its hook; nftables evaluates chains with lower
#          values first, so the default -1 runs ahead of chains registered at the
#          usual priority 0 and the ban verdict is applied before ordinary filter rules.
# Values:  NUMBER  Default: -1
#
chain_priority = -1
 
# Option:  addr_type
# Notes.:  address type to work with
# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr
#
addr_type = ipv4_addr
 
# Default name of the filtering set
#
name = default
 
# Option:  port
# Notes.:  port(s) the ban rule matches on (type = multiport only): a service name,
#          a number or a comma-separated list; a:b ranges are rewritten to nft's
#          a-b syntax by rule_match-multiport
# Values:  [ NUM | STRING ]  Default:
#
port = ssh
 
# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp ] or a comma-separated list such as tcp,udp  Default: tcp
#          (multiport adds one rule per listed protocol, allports matches them all
#          in a single meta l4proto set)
#
protocol = tcp
 
# Option:  blocktype
# Note:    This is the verdict/statement appended to the ban rule. It can be any statement
#          as per the nftables man page (section 8). Common values are drop,
#          reject, reject with icmpx type host-unreachable, redirect to 2222
# Values:  STRING
blocktype = reject
 
# Option:  nftables
# Notes.:  Actual nft command to execute, including any options common to all calls (e.g. an absolute path)
# Values:  STRING
nftables = nft
 
# Option: addr_set
# Notes.: The name of the nft set used to store banned addresses; it is derived
#         from <name> so that jails sharing the table get separate sets. The name
#         is also used unescaped inside the grep patterns of _nft_get_handle_id
#         and actioncheck, so keep it to characters that are not regex
#         metacharacters (letters, digits, '-' and '_').
# Values: STRING
addr_set = addr-set-<name>
 
# Option: addr_family
# Notes.: The family of the banned addresses, i.e. the saddr selector used in
#         rule_stat; switched to ip6 by the [Init?family=inet6] section below
# Values: [ ip | ip6 ]
addr_family = ip
 
[Init?family=inet6]
addr_family = ip6
addr_type = ipv6_addr
addr_set = addr6-set-<name>