
I'm running a nginx web-server on a Raspberry Pi 4b running Bookworm. It seems to be running fine and IPTables/Fail2Ban seem to be catching potentially malicious traffic with my rules/jails.

Recently I wanted to add a new IPTables rule to block a specific IP address. I'm confused about exactly how I should go about making this change. I have an /etc/iptables/rules.v4 which is my initial IPTables rules configuration:

    cat /etc/iptables/rules.v4
    # Generated by xtables-save v1.8.2 on Sun Oct 30 22:42:45 2022
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 22,2222 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
    -A INPUT -s 10.0.50.0/24 -p udp -m udp --dport 137 -j ACCEPT
    -A INPUT -s 10.0.50.0/24 -p udp -m udp --dport 138 -j ACCEPT
    -A INPUT -s 10.0.50.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
    -A INPUT -s 10.0.50.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
    -A INPUT -s 192.168.71.0/24 -p udp -m udp --dport 137 -j ACCEPT
    -A INPUT -s 192.168.71.0/24 -p udp -m udp --dport 138 -j ACCEPT
    -A INPUT -s 192.168.71.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
    -A INPUT -s 192.168.71.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 192.168.71.0/24 -d 192.168.0.255/32 -p udp -m udp --dport 10102 -j DROP
    -A INPUT -s 192.168.71.0/24 -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j DROP
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -j DROP
    -A FORWARD -j DROP
    -A OUTPUT -j ACCEPT
    COMMIT
    # Completed on Sun Oct 30 22:42:45 2022

When I do an IPTables -L command I see the "much expanded", Fail2Ban modified rules table. As I understand it when the server is rebooted the /etc/iptables/rules.v4 file is first loaded and then Fail2Ban adds its rules. Am I correct?

Using nano I manually added this rule

iptables -A INPUT -s 12.34.56.78 -j DROP

to /etc/iptables/rules.v4 before the

-A INPUT -m state...

line. And then rebooted but the resulting IPTables -L output did not seem to show the new "DROP" rule. Have I done something wrong? Thanks....RDK

  • Edit the question to show where and how you added the new rule. Commented Sep 16 at 7:27
  • I have edited the question. Commented Sep 17 at 10:16
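An added example (not the poster's file and not fail2ban's code) for editing a rules.v4 that is in the iptables-save format shown above: the new rule goes in as a bare `-A INPUT ...` line, because iptables-restore rejects a line that starts with the `iptables` command itself, and it is placed before the RELATED,ESTABLISHED rule. The sample ruleset and the helper names (lint_rules, add_drop_rule, check_rules) are constructed for this example.

```shell
# Constructed miniature of a rules.v4 in iptables-save format (not the poster's
# full file). Rule lines are bare "-A ..." entries, with no "iptables" in front.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# lint_rules FILE: report lines written as shell commands ("iptables -A ...").
# iptables-restore does not accept that form; it aborts on the whole file, so
# none of rules.v4 is loaded at boot. Exit status 0 means a bad line was found.
lint_rules() {
    grep -n '^[[:space:]]*iptables ' "$1"
}

# add_drop_rule FILE ADDR: insert "-A INPUT -s ADDR -j DROP" just before the
# RELATED,ESTABLISHED accept, so already-open connections from ADDR are cut too.
# Idempotent; leaves FILE untouched and returns 1 if that anchor rule is absent.
add_drop_rule() {
    rule="-A INPUT -s $2 -j DROP"
    grep -qxF -- "$rule" "$1" && return 0
    if awk -v rule="$rule" '
            !done && /^-A INPUT -m state --state RELATED,ESTABLISHED/ { print rule; done=1 }
            { print }
            END { exit !done }' "$1" > "$1.tmp"; then
        mv "$1.tmp" "$1"
    else
        rm -f "$1.tmp"; return 1
    fi
}

# check_rules FILE: parse-only dry run (needs root); catches syntax errors before
# a failed load at boot leaves the box with no rules. Skipped if the tool is absent.
check_rules() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore missing, skipped"; return 0; }
    iptables-restore --test < "$1"
}

# Demonstration on the constructed sample. For the real file: edit
# /etc/iptables/rules.v4 as root, run check_rules on it, load it with
# "iptables-restore < /etc/iptables/rules.v4" and confirm with "iptables -S INPUT".
# fail2ban's own chains are re-created by fail2ban at start and never live in this file.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo"
add_drop_rule "$demo" 12.34.56.78 && cat "$demo"
rm -f "$demo"
```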

1 Answer

fail2ban usually puts its rules in a separate chain; if you don't touch that there should be no problem.

  • As I understand it, on boot up IPTables loads the file from /etc/iptables/rules.v4 and then Fail2Ban updates it with the changes in its files? So adding the line to the current/active IPTables rules file should not work after a reboot? Commented Sep 20 at 5:30
