I've been running fail2ban for a bit, and recently installed iptables-persistent and am using it with ipset for a blacklist (there's one particular IP that is always hammering away at this machine). The ipset/iptables persistency was a bit of work on Ubuntu, but that part seems to be working. My issue is now the following:

When I reboot the machine, the relevant portion of my iptables looks like this:
Chain INPUT (policy ACCEPT 682 packets, 84744 bytes)
pkts bytes target prot opt in out source destination
347 23254 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blacklist src
347 23254 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain f2b-sshd (2 references)
pkts bytes target prot opt in out source destination
694 46508 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
With this, I noticed also that netfilter-persistent.service was marked as "loaded failed failed" by systemctl even though it clearly loaded the rules files. I tried editing my fail2ban service to load AFTER netfilter-persistent, and now netfilter-persistent is marked as "loaded active exited" ...but the rules are still duplicated (apparently f2b creates the rules regardless of whether they already exist).
Manually editing this file each time I run iptables-save to delete the f2b entries is probably an acceptable option (particularly given that the consequences aren't all that grave if I forget to do so), but I'm wondering if there's a better option?
Best Answer
One solution has already occurred to me, but it's... a little hackish IMO. Create the following file and run it. It relies on the f2b entries (and no others) all having "f2b" in them, and on this script being run rather than iptables-save directly...
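The answer's own script is not included in this excerpt. The following is an added example (not the answerer's code) of the approach it describes: take the output of iptables-save, drop every line that mentions an f2b chain, and write the rest to the file netfilter-persistent restores at boot, so fail2ban can recreate its own chains on startup without duplicating them. It assumes fail2ban's default "f2b-<jail>" chain naming (so "f2b" appears in the chain declaration, the jump from INPUT, and the chain's own rules, and in nothing else), the iptables-persistent default rules path /etc/iptables/rules.v4, and a constructed sample dump for offline testing; none of these come from the post.

```shell
#!/bin/sh
# Added example, not the poster's script.  Assumptions (not from the post):
# - fail2ban chains are the only rules containing "f2b" (default f2b-<jail> names)
# - netfilter-persistent restores /etc/iptables/rules.v4 (iptables-persistent default)
# Invoke as:  ./save-rules.sh --save      (instead of running iptables-save directly)

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Constructed sample of an iptables-save dump, modelled on the question's
# ruleset (blacklist ipset plus a fail2ban sshd jail).  Not a real capture.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [682:84744]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m set --match-set blacklist src -j DROP
-A f2b-sshd -j RETURN
COMMIT'

# Filter: read a dump on stdin, delete every line mentioning an f2b chain
# (":f2b-sshd - [0:0]", "-A INPUT ... -j f2b-sshd", "-A f2b-sshd ..."),
# pass everything else through unchanged.  sed exits 0 even if nothing matches.
strip_f2b_rules() {
    sed '/f2b/d'
}

# Count how many lines the filter would drop (grep -c exits 1 on zero matches,
# so force success to keep "set -e" callers alive).
count_f2b_rules() {
    grep -c 'f2b' || true
}

# Replacement for a bare "iptables-save > rules.v4": save the live ruleset,
# strip fail2ban's lines, and report what was removed.  Needs root.
save_rules_without_f2b() {
    tmp="$(mktemp)"
    iptables-save > "$tmp"
    dropped="$(count_f2b_rules < "$tmp")"
    strip_f2b_rules < "$tmp" > "$RULES_FILE"
    rm -f "$tmp"
    echo "wrote $RULES_FILE, dropped $dropped fail2ban line(s)"
}

# Dry run on the constructed sample, so the filter can be inspected
# without touching the live firewall.
demo_filter() {
    printf '%s\n' "$SAMPLE_DUMP" | strip_f2b_rules
}

case "${1:-}" in
    --save) save_rules_without_f2b ;;
    --demo) demo_filter ;;
esac
```

With --demo the sample above comes back with the blacklist DROP rule and the COMMIT intact and the three f2b lines gone; --save does the same against the live ruleset and overwrites the persistent rules file. Because the saved file no longer declares or references f2b-sshd, netfilter-persistent restores only the blacklist rules at boot and fail2ban adds its chain once when it starts.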