Add support for nftables #1

Open
jarobase opened this issue Aug 15, 2019 · 2 comments
Comments

@jarobase

Iptables now supports nftables and it could be useful to support it.

bcambl (Owner) commented Aug 31, 2019

Good idea, thanks for the suggestion!

jarobase (Author) commented Sep 1, 2019

Actually, I have created the following nftables-common.local:

```ini
[INCLUDES]

after = nftables-common.local

[Definition]

nftables_mode = <protocol> dport \{ <port> \}
actionstart = <nftables> add set <nftables_family> <nftables_table> <set_name> \{ type <nftables_type>\; \}
              # BUG INPUT IS NOT RECOGNIZED
              <nftables> insert rule <nftables_family> <nftables_table> INPUT %(nftables_mode)s <address_family> saddr @<set_name> <blocktype>
              <nftables> add chain <nftables_family> <nftables_table> f2b-BLACKLIST
              <nftables> add set <nftables_family> <nftables_table> f2b-BLACKLIST \{ type <nftables_type>\; \}
              <nftables> add rule <nftables_family> <nftables_table> f2b-BLACKLIST counter return
              <nftables> insert rule <nftables_family> <nftables_table> INPUT <protocol> dport 1-65535 counter jump f2b-BLACKLIST
_nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> INPUT

actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
             <nftables> delete rule <nftables_family> <nftables_table> INPUT $HANDLE_ID
             <nftables> delete set <nftables_family> <nftables_table> <set_name>
             <nftables> flush chain <nftables_family> <nftables_table> f2b-BLACKLIST
             <nftables> delete chain <nftables_family> <nftables_table> f2b-BLACKLIST
actioncheck = <nftables> list chain <nftables_family> <nftables_table> INPUT | grep -q '@<set_name>[ \t]'
actionban = <nftables> add element <nftables_family> <nftables_table> <set_name> \{ <ip> \}
            /usr/bin/python /etc/fail2ban/blacklist.py <ip>
actionunban = <nftables> delete element <nftables_family> <nftables_table> <set_name> \{ <ip> \}

[Init]

nftables_type = ipv4_addr
nftables_family = ip
nftables_table = filter
chain = INPUT
name = default
port = ssh
protocol = tcp
blocktype = reject
nftables = nft
set_name = f2b-<name>
address_family = ip
#IPV6
[Init?family=inet6]
nftables_type = ipv6_addr
set_name = f2b-<name>6
address_family = ip6
nftables_family = ip6
#chain = INPUT
```

It's not perfect but it's a beginning. I had a problem when using the keyword, so I use INPUT. I did not modify nftables-allports.conf:

```ini
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <[email protected]>
#                       made active on all ports from original iptables.conf
# Modified: Alexander Belykh <[email protected]>
#                       adapted for nftables
#

[INCLUDES]
before = nftables-common.local
[Definition]

nftables_mode = meta l4proto <protocol>
```

I hope this can help.
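The action file above is only readable once its two layers of substitution are applied: `%(name)s` references inside `[Definition]`, then `<tag>` placeholders filled from `[Init]` (with the `[Init?family=inet6]` values layered on top for IPv6) and from runtime tags such as `<ip>` and the jail `<name>`. The script below is an added example, not code from this issue or from fail2ban itself: it is a simplified re-implementation of that expansion that renders the `actionstart`, `actionban` and `actionunban` lines into the argv lists the shell would run, so a trimmed action file can be checked on a workstation before it touches a live ruleset. The embedded action text is a constructed copy of the `[Definition]`/`[Init]` parts of the comment, the jail name `sshd` and the addresses are made up, and the order of substitution is an assumption modelled on fail2ban's documented tag handling rather than a call into fail2ban's own code.

```python
"""Render a fail2ban nftables action template into the nft argv it would execute.

Added example, not fail2ban's code. Assumptions: %(x)s is resolved inside
[Definition] first, then <tag> placeholders are filled from [Init], the
[Init?family=inet6] override (for IPv6 bans) and runtime tags (ip, name).
"""
import configparser
import ipaddress
import re
import shlex

TAG_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")

# Constructed sample: a trimmed copy of the action file from the issue above.
ACTION_CONF = r"""
[Definition]
nftables_mode = <protocol> dport \{ <port> \}
actionstart = <nftables> add set <nftables_family> <nftables_table> <set_name> \{ type <nftables_type>\; \}
              <nftables> insert rule <nftables_family> <nftables_table> INPUT %(nftables_mode)s <address_family> saddr @<set_name> <blocktype>
actionban = <nftables> add element <nftables_family> <nftables_table> <set_name> \{ <ip> \}
actionunban = <nftables> delete element <nftables_family> <nftables_table> <set_name> \{ <ip> \}

[Init]
nftables_type = ipv4_addr
nftables_family = ip
nftables_table = filter
name = default
port = ssh
protocol = tcp
blocktype = reject
nftables = nft
set_name = f2b-<name>
address_family = ip

[Init?family=inet6]
nftables_type = ipv6_addr
set_name = f2b-<name>6
address_family = ip6
nftables_family = ip6
"""


def load_action(text=ACTION_CONF):
    """Parse the action file; BasicInterpolation resolves %(nftables_mode)s
    and similar references within [Definition]."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    return cp


def build_tags(cp, family="inet", **runtime):
    """Collect <tag> values: [Init], then the IPv6 override section when the
    family is inet6, then runtime tags (ip, jail name) which win over both."""
    tags = dict(cp["Init"])
    if family == "inet6" and cp.has_section("Init?family=inet6"):
        tags.update(cp["Init?family=inet6"])
    tags.update(runtime)
    return tags


def substitute(text, tags, max_rounds=10):
    """Replace <tag> placeholders repeatedly so nested ones resolve
    (set_name = f2b-<name> needs a second pass). Unknown tags are left
    untouched so a typo in the action file stays visible in the output."""
    for _ in range(max_rounds):
        new = TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), text)
        if new == text:
            return text
        text = new
    raise ValueError("unresolved or cyclic tags in action template")


def render(action, ip=None, family="inet", jail="sshd", text=ACTION_CONF):
    """Return one argv list per command line of the named action.

    <ip> is pasted into a line that the shell executes, so it is parsed with
    ipaddress first and anything that is not an address raises ValueError.
    The family is derived from the address when one is given."""
    runtime = {"name": jail}
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        family = "inet6" if addr.version == 6 else "inet"
        runtime["ip"] = str(addr)
    cp = load_action(text)
    tags = build_tags(cp, family, **runtime)
    expanded = substitute(cp.get("Definition", action), tags)
    # Each non-empty line is one shell command; shlex resolves \{ and \; as sh would.
    return [shlex.split(line) for line in expanded.splitlines() if line.strip()]


if __name__ == "__main__":
    for action, ip in (("actionstart", None), ("actionban", "203.0.113.7"),
                       ("actionban", "2001:db8::1"), ("actionunban", "2001:db8::1")):
        for argv in render(action, ip):
            print(f"{action:12} {' '.join(argv)}")
```

Running it shows the set name switching from `f2b-sshd` to `f2b-sshd6` and the family from `ip` to `ip6` for an IPv6 ban, which is the quickest way to confirm that the override section carries every tag the IPv6 rule needs (the original comment's `chain` tag, for instance, is not used by any rule and so has no effect).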
