I am running into problems combining fail2ban with nftables. My setup is "Debian 10 + fail2ban + nftables". In the end, when someone is banned by fail2ban, adding the new rule fails:

```
2020-09-15 17:38:26,078 fail2ban.utils [626]: Level 39 7fa684124198 -- exec: nft list chain inet fail2ban fail2ban | grep -q '@f2b-sshd[ \t]'
2020-09-15 17:38:26,078 fail2ban.utils [626]: ERROR 7fa684124198 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-09-15 17:38:26,078 fail2ban.utils [626]: ERROR 7fa684124198 -- stderr: 'list chain inet fail2ban fail2ban'
2020-09-15 17:38:26,078 fail2ban.utils [626]: ERROR 7fa684124198 -- stderr: ' ^^^^^^^^'
2020-09-15 17:38:26,078 fail2ban.utils [626]: ERROR 7fa684124198 -- returned 1
```

My nftables.conf looks like this:
```
include "/etc/nftables/fail2ban.conf"
#!/usr/sbin/nft -f
# Start by flushing all the rules.
flush ruleset
# Define private IP for ssh access
define privateip = {77.56.188.228}
table inet filter {
    # TCP ports to allow. (Allowed services: HTTP, HTTPS, SFTP)
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            80,443,722
        }
    }
    # TCP port for SSH service.
    set ssh_accepted {
        type inet_service; flags interval;
        elements = {
            721
        }
    }
    # UDP ports to allow. (Allowed services: Teamspeak 3)
    set udp_accepted {
        type inet_service; flags interval;
        elements = {
            9987
        }
    }
    chain input {
        # This line sets what traffic the chain handles, its priority and the default policy.
        # The priority matters when a chain in another table also hooks input and you want to control the order in which they run.
        # Use a semicolon to separate multiple commands on one row.
        type filter hook input priority 0; policy drop;
        # Limit ping requests.
        ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
        # Note: rules with "limit" need to be put before rules accepting "established" connections.
        # Allow all incoming established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop
        # Allow loopback.
        # Interfaces can be set with "iif" or "iifname" (oif/oifname). If the interface can come and go use "iifname", otherwise use "iif" since it performs better.
        iif lo accept
        # Drop all fragments.
        ip frag-off & 0x1fff != 0 counter drop
        # Force SYN checks.
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
        # Drop XMAS packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
        # Drop NULL packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
        # Allow certain inbound ICMP types (ping, traceroute).
        # With these allowed you are a good network citizen.
        # Without the nd-* ones ipv6 will not work.
        ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
        # Allow SSH for a specific IP only.
        ip saddr $privateip tcp dport @ssh_accepted accept
        tcp dport @ssh_accepted drop
        # Allow needed tcp and udp ports.
        tcp dport @tcp_accepted ct state new accept
        udp dport @udp_accepted ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Forward all established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        # Allow all outgoing traffic. Drop invalid traffic.
        # ipv6 ICMP needs to be explicitly allowed here.
        ip6 nexthdr ipv6-icmp accept
        ct state new,established,related accept
        ct state invalid drop
    }
}
```
And fail2ban.conf looks like this:

```
#!/usr/sbin/nft -f
# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
    chain input {
        # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
        type filter hook input priority 100;
    }
}
```
It looks like the command cannot find the "fail2ban" table, but honestly I don't know where to look or how to fix this. If you need more information, please ask.
Answer 1

You are defining the `fail2ban` table in the `ip` family, but fail2ban expects the `fail2ban` table in the `inet` family (which basically means dual-stack). Since that table does not exist, nftables returns the error `No such file or directory`.

The comment `# Use ip as fail2ban doesn't support ipv6 yet` seems somewhat outdated, since all current versions of fail2ban support IPv6, including the one in Debian 10.

But I think something else is going wrong as well, because fail2ban should create the nftables chain and the associated ipset automatically. Please check that you have not modified or deleted the `action.d/nftables.conf` file shipped with fail2ban, or overridden it with a `*.local` file of your own.

Also check that at least one jail has `banaction = nftables` (of any type), and that no jail uses the deprecated `nftables-multiport` or `nftables-allports`. These should be changed to `nftables[type=multiport]` or `nftables[type=allports]` respectively.
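An added audit script (example code, not from the question, the answer or fail2ban itself) that checks a pair of nftables config files for the family mismatch described in the answer, and for an `include` of the fail2ban file placed before `flush ruleset` as in the question's nftables.conf. It assumes POSIX sh with sed, awk and mktemp; the two sample files are constructed to mirror the question's configs.

```sh
#!/bin/sh
# Audit an nftables config for the fail2ban pitfalls discussed above.
# Assumes POSIX sh, sed, awk and mktemp; the sample files are constructed.
# Family of the first "table <family> fail2ban" declaration in FILE,
# ignoring comments; prints nothing if no such table is declared.
f2b_table_family() {
    sed 's/#.*//; s/{/ {/g' "$1" |
        awk '$1 == "table" && $3 == "fail2ban" { print $2; exit }'
}
# 0: "table inet fail2ban", the family the stock action lists;
# 1: declared in another family (the question's "table ip fail2ban");
# 2: not declared at all, which is fine: fail2ban creates the table itself.
check_f2b_family() {
    case "$(f2b_table_family "$1")" in
        "")   return 2 ;;
        inet) return 0 ;;
        *)    return 1 ;;
    esac
}

# 0 unless an include of a fail2ban file precedes "flush ruleset" in FILE:
# anything such an include creates is discarded again by the later flush.
check_include_order() {
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*flush[ \t]+ruleset/ && !flush { flush = NR }
        /^[ \t]*include[ \t]+".*fail2ban/ && !inc { inc = NR }
        END { if (inc && flush && inc < flush) exit 1; exit 0 }'
}

# audit MAIN_CONF F2B_CONF: print each finding, return the number found.
audit() {
    n=0
    check_f2b_family "$2" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "fail2ban table declared as '$(f2b_table_family "$2")', expected inet"
        n=$((n + 1))
    fi
    if ! check_include_order "$1"; then
        echo "fail2ban include comes before 'flush ruleset' and is wiped by it"
        n=$((n + 1))
    fi
    return "$n"
}
# Constructed samples mirroring the question's two files.
SAMPLE_MAIN=$(mktemp); SAMPLE_F2B=$(mktemp)
trap 'rm -f "$SAMPLE_MAIN" "$SAMPLE_F2B"' EXIT
printf 'include "/etc/nftables/fail2ban.conf"\n#!/usr/sbin/nft -f\nflush ruleset\n' > "$SAMPLE_MAIN"
printf '# Use ip as fail2ban does not support ipv6 yet\ntable ip fail2ban {\n    chain input { type filter hook input priority 100; }\n}\n' > "$SAMPLE_F2B"
audit "$SAMPLE_MAIN" "$SAMPLE_F2B"   # prints two findings, returns 2
```

On a live host the equivalent check is the command from the log, `nft list chain inet fail2ban fail2ban`, which succeeds only once fail2ban's own table and chain exist.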