Fail2Ban does not ban, issues with iptables I guess

katit
Posts: 8
Joined: 2015/03/08 02:48:29

Re: Fail2Ban does not ban, issues with iptables I guess

Post by katit » 2015/05/04 17:35:59

SELinux disabled on this machine. Asterisk does not run with SELinux

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Fail2Ban does not ban, issues with iptables I guess

Post by giulix63 » 2015/05/04 17:58:08

Nasty... So, what happens if you run the command yourself from a root prompt?

Code:

firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-asterisk-udp src -j REJECT --reject

Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

katit
Posts: 8
Joined: 2015/03/08 02:48:29

Re: Fail2Ban does not ban, issues with iptables I guess

Post by katit » 2015/05/04 18:51:47

Here is what I get:

Code:

[root@localhost ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-asterisk-udp src -j REJECT --reject
Warning: NOT_ENABLED
[root@localhost ~]#

I wonder, maybe it's a problem due to the fact that the OS is shutting down?

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Fail2Ban does not ban, issues with iptables I guess

Post by giulix63 » 2015/05/05 07:11:39

That's just a message saying the rule could not be found. At this point, double check your configuration. Fail2Ban should create iptables rules in chain INPUT_direct; yours is trying to purge rules from chain INPUT and apparently cannot find them.

katit
Posts: 8
Joined: 2015/03/08 02:48:29

Re: Fail2Ban does not ban, issues with iptables I guess

Post by katit » 2015/05/05 19:58:58

Ok. I got it running, however there is something in "reboot" process. First of all, CentOS7 base install does not have ipset enabled. So, all those commands look like they run but there is no banning taking place.

After I run this, everything works properly.

Code:

# Is IPsec enabled?
firewall-cmd --zone=public --query-service=ipsec

# No? Then enable it:
firewall-cmd --zone=public --add-service=ipsec

# and next reboot too:
firewall-cmd --permanent --zone=public --add-service=ipsec

When I do systemctl restart fail2ban, it also runs fine, with no error or warning in the log.

It's when I reboot that I get those errors in fail2ban.log. I guess it's no big deal, but it just doesn't feel "right".

Also, I don't understand why not use the "rich rules" built into firewall-cmd?

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Fail2Ban does not ban, issues with iptables I guess

Post by giulix63 » 2015/05/06 06:53:44

The use of ipsec is peculiar to your network topology, I presume, while ipset is a fail2ban dependency. As for the other questions, they will need to be addressed to the fail2ban maintainers, I guess.
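Two points raised in this thread, giulix63's note that fail2ban's direct rules belong in chain INPUT_direct rather than INPUT, and katit's finding that without ipset the ban actions appear to succeed while nothing is actually banned, can be checked with a small script. This is an added example, not code from the thread or from fail2ban itself; the output formats of `firewall-cmd --direct --get-all-rules` and `ipset list -n` are assumed to be as shown in the constructed samples, and the checks read text so they can run offline.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a fail2ban + firewalld + ipset setup.
# Inputs are passed as text so the checks run against constructed samples offline; on a live
# box you would feed them `firewall-cmd --direct --get-all-rules` and `ipset list -n`.

# Constructed sample of `firewall-cmd --direct --get-all-rules` output. Assumed format:
# "ipv4 filter <chain> <priority> <rule args>", one rule per line. The first rule mirrors the
# misplaced INPUT rule from the thread; the second is where fail2ban rules belong.
SAMPLE_RULES='ipv4 filter INPUT 0 -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-asterisk-udp src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample of `ipset list -n`: only the sshd set exists, the asterisk one is missing,
# which is the "commands look like they run but nothing is banned" situation.
SAMPLE_SETS='fail2ban-sshd'

# check_chains RULES: print "<set> <chain> <status>" for every fail2ban rule; exit 1 if any
# rule sits in a chain other than INPUT_direct (the chain firewalld hooks into INPUT for direct rules).
check_chains() {
    printf '%s\n' "$1" | awk '
        $1 == "ipv4" && $2 == "filter" && /--match-set fail2ban-/ {
            for (i = 1; i <= NF; i++) if ($i == "--match-set") set = $(i + 1)
            ok = ($3 == "INPUT_direct")
            print set, $3, (ok ? "ok" : "WRONG_CHAIN")
            if (!ok) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# set_exists NAME SETS: true if NAME appears as a whole line in the `ipset list -n` text.
set_exists() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# missing_sets RULES SETS: print each ipset referenced by a rule but absent from SETS.
missing_sets() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "--match-set") print $(i + 1) }' |
        sort -u |
        while read -r name; do
            set_exists "$name" "$2" || printf '%s\n' "$name"
        done
}

# Stand-alone run over the constructed samples.
check_chains "$SAMPLE_RULES" || echo "some fail2ban rules are not in INPUT_direct"
missing_sets "$SAMPLE_RULES" "$SAMPLE_SETS" | sed 's/^/missing ipset: /'
```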
