Fail2Ban 无法插入 iptables 规则

It seems my fail2ban is unable to ban hosts:

2013-06-22 18:18:24,546 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-apache-noscript returned 100
2013-06-22 18:18:24,546 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2013-06-22 18:18:24,869 fail2ban.actions.action: ERROR  iptables -D fail2ban-apache-noscript -s 185.13.228.98 -j DROP returned 100

When I run that command by hand, iptables complains:

# iptables -D fail2ban-apache-noscript -s 185.13.228.98 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).

even though the chain does appear to exist:

# iptables -L -v -n
Chain INPUT (policy ACCEPT 412 packets, 36051 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   93  7257 fail2ban-apache  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443 
    0     0 fail2ban-sasl  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465 
    0     0 fail2ban-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465 
  311 27844 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 130 
   93  7257 fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443 
   93  7257 fail2ban-apache-multiport  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443 
  311 27844 fail2ban-ssh-ddos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 130 
  406 35205 fail2ban-pam-generic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
   93  7257 fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 296 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-apache (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-multiport (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-apache-overflows (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-pam-generic (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  406 35205 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-sasl (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  311 27844 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh-ddos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  311 27844 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

What is the problem?!

Answer 1

Notice the contents of the chain you are trying to delete the rule from:

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Apart from the "RETURN anything that didn't match" rule, there is no rule in that chain to delete at all. So the block that fail2ban is trying to remove is already gone.

Most likely you can ignore this, since the command's goal has already been achieved. As you have no active bans, you may simply want to run /etc/init.d/fail2ban force-reload to clear its state.
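As an added example (not part of the question or the answer), a small Python parser for `iptables -L -v -n` output that lists, per `fail2ban-*` chain, the source addresses that still have a DROP rule, so an administrator can confirm that a chain really is empty before trusting an "exit 100" error as harmless. The `fail2ban-ssh` chain, its DROP line and the address 198.51.100.7 in the sample are constructed for this example; the `fail2ban-apache-noscript` chain is copied from the listing above.

```python
import re

# Sample `iptables -L -v -n` listing: the fail2ban-apache-noscript chain from the
# question, plus a constructed fail2ban-ssh chain holding one active ban (the
# DROP line and the address 198.51.100.7 are made up for this example).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 412 packets, 36051 bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  7257 fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443
  311 27844 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
  307 27604 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_fail2ban_chains(listing):
    """Return {chain: [banned source addresses]} for every fail2ban-* chain.
    A chain whose only rule is the trailing RETURN has no active bans, which is
    exactly the state in which `iptables -D <chain> -s <ip> -j DROP` exits 100."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name = m.group(1)
            current = name if name.startswith("fail2ban-") else None
            if current:
                chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        fields = line.split()
        # columns: pkts bytes target prot opt in out source destination [...]
        if len(fields) >= 8 and fields[2] == "DROP":
            chains[current].append(fields[7])
    return chains

def ban_is_present(listing, chain, ip):
    """True if `iptables -D chain -s ip -j DROP` would find a matching rule."""
    return ip in parse_fail2ban_chains(listing).get(chain, [])
```

On a live host, feed it `subprocess.run(["iptables", "-L", "-v", "-n"], capture_output=True, text=True).stdout` instead of the sample string.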
