MRob
2019-Jun-26 06:41 UTC
[CentOS] iptables - how to block established connections with fail2ban?
I am working on a CentOS 6 server with a nonstandard iptables setup that has no rule to ACCEPT ESTABLISHED connections. All tables and chains are empty (flushed by a legacy custom script), so only the filter/INPUT chain has rules (plus the fail2ban chain):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
target     prot opt source               destination
REJECT     all  --  200.23.235.30        0.0.0.0/0           reject-with icmp-port-unreachable
REJECT     all  --  177.11.167.57        0.0.0.0/0           reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

When fail2ban blocks an IP address, established connections are allowed to continue, but with no rule to accept established connections how is that possible? Why doesn't the first f2b rule block established connections?
Mike Burger
2019-Jun-26 14:50 UTC
[CentOS] iptables - how to block established connections with fail2ban?
On 2019-06-26 02:41, MRob wrote:
> I am working to a CentOS 6 server with nonstandard iptables system
> without rule for ACCEPT ESTABLISHED connections. All tables and chains
> empty (flush by legacy custom script) so only filter/INPUT chain has
> rules (also fail2ban chain):
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
>
> Chain f2b-postfix (1 references)
> target     prot opt source               destination
> REJECT     all  --  200.23.235.30        0.0.0.0/0           reject-with icmp-port-unreachable
> REJECT     all  --  177.11.167.57        0.0.0.0/0           reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> When fail2ban block a IP address, established connections are allowed
> to continue, but with no rule to accept established connections how is
> that possible? Why doesn't f2b first rule block established
> connections?

The short answer is that the firewall rules REJECT... Fail2Ban only tells the firewall what to reject, at the point of entry.

Think of it this way: Fail2Ban is the manager of a popular dance club. He determines the list of who may or may not be admitted to the club. The firewall is the guy at the door of a popular club. He's doing his job, checking IDs, checking against the list of allowed or rejected guests and acting accordingly. If the manager updates the list, it's not the door guy's job to go back through the club to find anyone who may have been admitted prior to the list having been updated. That's the job of a bouncer.

If you want the door guy to also be a bouncer, you'll need to configure your Fail2Ban actions to add iptables rules which invoke DROP instead of REJECT.

-- 
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
Roberto Ragusa
2019-Jun-27 07:51 UTC
[CentOS] iptables - how to block established connections with fail2ban?
On 6/26/19 8:41 AM, MRob wrote:
> I am working to a CentOS 6 server with nonstandard iptables system without rule for ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy custom script) so only filter/INPUT chain has rules (also fail2ban chain):
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0
[...]
> Chain f2b-postfix (1 references)
> target     prot opt source               destination
> REJECT     all  --  200.23.235.30        0.0.0.0/0           reject-with icmp-port-unreachable
> REJECT     all  --  177.11.167.57        0.0.0.0/0           reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
[...]
> When fail2ban block a IP address, established connections are allowed to continue, but with no rule to accept established connections how is that possible? Why doesn't f2b first rule block established connections?

The first rule should indeed block traffic for the established connections too.
It matches tcp only, are your connections really on tcp (and ipv4)?

Try adding the "-v" option to iptables so you can see the packet counters. Do some experiments and check if the counters grow or not when you expect packets to be dropped.

Regards.

-- 
Roberto Ragusa mail at robertoragusa.it
Gordon Messmer
2019-Jun-27 21:59 UTC
[CentOS] iptables - how to block established connections with fail2ban?
On 6/25/19 11:41 PM, MRob wrote:
> When fail2ban block a IP address, established connections are allowed
> to continue, but with no rule to accept established connections how is
> that possible?

It doesn't look like it would be.

1: Open a connection that will demonstrate the problem later.
2: Trigger a block from an address that you control.
3: Check the output of "iptables -L -v" to demonstrate that the address is blocked.
4: Use "tcpdump -nn -i any host <address>" to watch traffic from that address.
5: Send a command over the connection from step 1. tcpdump should show packets in both directions, and your session should be usable, according to the problem you described.
6: Check the output of "iptables -L -v" again and look at the counters on each rule to see which rule is being matched.
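Steps 3 and 6 of Gordon's procedure come down to comparing the per-rule counters from two `iptables -L -v` listings. The helper below is an added example, not code from the thread or from the iptables project: it parses the `iptables -L -v -n` column layout (pkts, bytes, target, prot, opt, in, out, source, destination, optional match text, with K/M/G counter suffixes) and reports every rule whose packet counter grew between the "before" and "after" snapshots. The two listings embedded in it are constructed sample output with invented counter values, laid out like MRob's chains.

```python
import re

# Counter suffixes as printed by iptables -L -v (decimal multipliers)
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(token):
    """Turn a pkts/bytes column value such as '410K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("not an iptables counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {(chain, rule_no): rule dict}.

    Rules are numbered from 1 within each chain, the same numbering that
    `iptables -L --line-numbers` shows.
    """
    rules = {}
    chain, rule_no = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):          # "Chain INPUT (policy ACCEPT ...)"
            chain, rule_no = line.split()[1], 0
            continue
        if line.startswith("pkts "):           # column header line
            continue
        cols = line.split(None, 9)             # 9 fixed columns + optional match text
        if len(cols) < 9 or chain is None:
            raise ValueError("unexpected line: %r" % raw)
        rule_no += 1
        rules[(chain, rule_no)] = {
            "pkts": parse_counter(cols[0]),
            "bytes": parse_counter(cols[1]),
            "target": cols[2],
            "prot": cols[3],
            "source": cols[7],
            "destination": cols[8],
            "match": cols[9].strip() if len(cols) > 9 else "",
        }
    return rules


def rules_that_matched(before_text, after_text):
    """List the rules whose packet counter grew between two listings."""
    before = parse_listing(before_text)
    after = parse_listing(after_text)
    hits = []
    for key, rule in after.items():
        delta = rule["pkts"] - before.get(key, {"pkts": 0})["pkts"]
        if delta > 0:
            hits.append({"chain": key[0], "index": key[1], "target": rule["target"],
                         "source": rule["source"], "match": rule["match"], "delta": delta})
    return hits


# Constructed sample listings (counter values invented for the demonstration)
BEFORE = """\
Chain INPUT (policy ACCEPT 1043 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 5120  410K ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 REJECT     all  --  *      *       200.23.235.30        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       177.11.167.57        0.0.0.0/0            reject-with icmp-port-unreachable
  108  6480 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

AFTER = """\
Chain INPUT (policy ACCEPT 1051 packets, 99K bytes)
 pkts bytes target     prot opt in     out     source               destination
  126  7560 f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 5130  411K ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1080 REJECT     all  --  *      *       200.23.235.30        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       177.11.167.57        0.0.0.0/0            reject-with icmp-port-unreachable
  108  6480 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for h in rules_that_matched(BEFORE, AFTER):
        print("%s rule %d (%s %s %s): +%d packets"
              % (h["chain"], h["index"], h["target"], h["source"], h["match"], h["delta"]))
```

In the sample, the six extra packets from 200.23.235.30 show up on the f2b-postfix jump in INPUT and on the REJECT rule inside f2b-postfix, which is the evidence Roberto and Gordon are asking for; if the banned address's packets were instead bumping an ACCEPT rule above the jump, that rule would be the one listed. Save the two real listings to files and feed their contents to `rules_that_matched` to apply the same check on a live box.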
Bowie Bailey
2019-Jun-28 14:58 UTC
[CentOS] iptables - how to block established connections with fail2ban?
On 6/26/2019 2:41 AM, MRob wrote:
> I am working to a CentOS 6 server with nonstandard iptables system without rule for
> ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy custom
> script) so only filter/INPUT chain has rules (also fail2ban chain):
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
> ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
>
> Chain f2b-postfix (1 references)
> target     prot opt source               destination
> REJECT     all  --  200.23.235.30        0.0.0.0/0           reject-with icmp-port-unreachable
> REJECT     all  --  177.11.167.57        0.0.0.0/0           reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> When fail2ban block a IP address, established connections are allowed to continue,
> but with no rule to accept established connections how is that possible? Why
> doesn't f2b first rule block established connections?

The way I solved this problem was using conntrack. I added entries to the fail2ban action to delete connections where the source or destination matched the IP I was trying to block. This results in all communications from that IP being dropped immediately.

I used a .local file to redefine the actionban. It looks like this:

$ cat firewallcmd-allports.local
[Definition]
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
            (conntrack -D -s <ip>; exit 0)
            (conntrack -D -d <ip>; exit 0)

You have to install the conntrack-tools package to use the conntrack command, but I don't remember having to do anything else to make it work.

-- 
Bowie
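Roberto's observation (the first rule in f2b-postfix has no state match, so it hits every TCP packet from the banned source, established or not) and Bowie's conntrack fix are two sides of the same rule-ordering question. The model below is an added example, not code from the thread, fail2ban or iptables: it walks a packet through a simplified INPUT chain the way netfilter does (top to bottom, jump into a user chain, RETURN back, policy if nothing terminates), with `tcp flags:0x17/0x02` modelled as "SYN-only" and `--state ESTABLISHED` modelled as a lookup in a set of known flows. It encodes MRob's rule set from the first post and, for contrast, an assumed "usual" layout with an ESTABLISHED accept rule ahead of the fail2ban chain, which is the layout Bowie's `conntrack -D` lines are for. The conntrack contents and the second rule set are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dport: int
    syn: bool = False            # True = SYN without ACK, i.e. a new connection attempt
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, RETURN or a user chain to jump to
    src: str = "0.0.0.0/0"
    proto: str = "all"
    dport: Optional[int] = None
    syn_only: bool = False       # models "tcp flags:0x17/0x02"
    state: Optional[str] = None  # "ESTABLISHED" models "-m state --state ESTABLISHED"


def matches(rule, pkt, conntrack):
    """Does the rule match the packet? conntrack is the set of known (src, dport) flows."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.syn_only and not pkt.syn:
        return False
    if rule.state == "ESTABLISHED" and (pkt.src, pkt.dport) not in conntrack:
        return False
    return True


def walk(chains, chain, pkt, conntrack):
    """Walk one chain top to bottom; None means 'fell off the end' or RETURN."""
    for rule in chains[chain]:
        if not matches(rule, pkt, conntrack):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, conntrack)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def verdict(chains, pkt, conntrack, policy="ACCEPT"):
    """Final verdict for a packet entering INPUT; the chain policy applies on fall-through."""
    v = walk(chains, "INPUT", pkt, conntrack)
    return policy if v is None else v


# The fail2ban chain exactly as listed in the first post
F2B_POSTFIX = [
    Rule("REJECT", src="200.23.235.30"),
    Rule("REJECT", src="177.11.167.57"),
    Rule("RETURN"),
]

# MRob's INPUT chain: no state rule; only SYN packets are filtered by the final DROP
OP_CHAINS = {
    "INPUT": [
        Rule("f2b-postfix", proto="tcp"),
        Rule("ACCEPT", src="192.168.0.0/16"),
        Rule("ACCEPT", src="127.0.0.0/8"),
        *[Rule("ACCEPT", proto="tcp", dport=p) for p in (22, 25, 80, 443, 587, 993, 995)],
        Rule("DROP", proto="tcp", syn_only=True),
    ],
    "f2b-postfix": F2B_POSTFIX,
}

# Assumed "usual" layout for contrast: ESTABLISHED accepted before the fail2ban chain
COMMON_CHAINS = {
    "INPUT": [
        Rule("ACCEPT", state="ESTABLISHED"),
        Rule("f2b-postfix", proto="tcp"),
        Rule("ACCEPT", proto="tcp", dport=25),
        Rule("DROP"),
    ],
    "f2b-postfix": F2B_POSTFIX,
}


def banned_flow_outcomes(banned="200.23.235.30"):
    """Verdict for a mid-connection packet on a flow opened before the ban, per layout."""
    conntrack = {(banned, 25)}            # constructed: the flow is in the state table
    pkt = Packet(banned, 25, syn=False)   # data packet on that flow, not a SYN
    return {
        "op_ruleset": verdict(OP_CHAINS, pkt, conntrack),
        "common_ruleset": verdict(COMMON_CHAINS, pkt, conntrack),
        "common_ruleset_after_conntrack_D": verdict(COMMON_CHAINS, pkt, set()),
    }


if __name__ == "__main__":
    for name, v in banned_flow_outcomes().items():
        print(name, "->", v)
```

Under MRob's rule set the established packet is REJECTed by the first f2b-postfix rule, which is Roberto's point: there is nothing above the jump that could let it through, so if a banned session really stays usable the packets are not matching that rule (not TCP, not IPv4, or a different address than expected) and the `-v` counters will say which. Under the common layout the same packet is ACCEPTed by the ESTABLISHED rule before the jump is ever reached, and only emptying the state table (Bowie's `conntrack -D -s <ip>` / `-d <ip>`) makes the fail2ban rule see it. The model also shows a side effect of MRob's SYN-only DROP: a non-SYN packet to an unlisted port falls through to the ACCEPT policy, which is exactly why that firewall works without a state rule at all.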