# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the Linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you may need to patch in external
# modules.

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>

actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>

actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist

actionunban = ipset del fail2ban-<name> <ip> -exist

[Init]

# Default name of the chain
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ]
#
protocol = tcp

# Option: chain
# Notes.: specifies the iptables chain to which the fail2ban rules should be
#         added
# Values: [ STRING ]
#
chain = INPUT_direct

# Option: bantime
# Notes.: specifies the bantime in seconds (handled internally by ipset rather than by fail2ban)
# Values: [ NUM ]  Default: 600
bantime = 600

# DEV NOTES:
#
# Author: Edgar Hoch and Daniel Black
# firewallcmd-new / iptables-ipset-proto6 combined for maximum goodness
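The following Python is an added example, not part of fail2ban or of this action file: it parses a copy of the [Definition] and [Init] sections above and expands the fail2ban-style `<tag>` placeholders into the concrete ipset and firewall-cmd commands a jail would run. It deliberately omits the [INCLUDES] line, so `<blocktype>` (normally supplied by iptables-blocktype.conf) has to be passed in; an unresolved tag is reported instead of being shipped into a firewall rule. Jail name, ban target and blocktype value used when calling it are assumptions.

```python
import configparser
import re

# Constructed copy of the [Definition]/[Init] entries of the action file above.
# The [INCLUDES] line is left out, so <blocktype> must be passed in explicitly.
ACTION_INI = """\
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
    firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
    ipset flush fail2ban-<name>
    ipset destroy fail2ban-<name>
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
actionunban = ipset del fail2ban-<name> <ip> -exist

[Init]
bantime = 600
"""

TAG = re.compile(r"<([A-Za-z_][A-Za-z0-9_-]*)>")  # fail2ban-style <tag>


def load_action(text=ACTION_INI):
    """Parse an action file; %-interpolation is off because fail2ban uses <tag>."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def render(template, tags):
    """Expand every <tag> in a multi-line action value, one shell command per line.

    An unresolved tag raises KeyError rather than leaving a literal
    '<blocktype>' in the firewall rule.
    """
    def sub(match):
        key = match.group(1)
        if key not in tags:
            raise KeyError(f"unresolved fail2ban tag <{key}>")
        return str(tags[key])
    return [TAG.sub(sub, line.strip()) for line in template.splitlines() if line.strip()]


def commands(cp, action, **tags):
    """Render actionstart/actionstop/actionban/actionunban with the [Init] defaults."""
    jail = {"port": "ssh", "protocol": "tcp", "chain": "INPUT_direct",
            "bantime": cp["Init"]["bantime"]}
    jail.update(tags)  # per-jail values such as name, ip, blocktype
    return render(cp["Definition"][action], jail)
```

Because `actionban` passes `timeout <bantime>` to ipset, the kernel expires the entry on its own; fail2ban's later `actionunban` only has to tolerate an already-gone address, which is what `-exist` is for.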