Fail2ban + nftables = stderr: "Error: Could not process rule: No such file or directory"

I ran into a problem using fail2ban together with nftables. My setup is "Debian 10 + fail2ban + nftables". In the end, when someone gets banned by fail2ban, adding the new rule fails:

2020-09-15 17:38:26,078 fail2ban.utils          [626]: Level 39 7fa684124198 -- exec: nft list chain inet fail2ban fail2ban | grep -q '@f2b-sshd[ \t]'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- stderr: 'list chain inet fail2ban fail2ban'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- stderr: '                ^^^^^^^^'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- returned 1

My nftables.conf looks like this

include "/etc/nftables/fail2ban.conf"

#!/usr/sbin/nft -f

# Start by flushing all the rules.
flush ruleset

# Define private IP for ssh access
define privateip = {77.56.188.228}

table inet filter {
    # TCP ports to allow. (Allowed services: HTTP, HTTPS, SFTP)
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
        80,443,722
        }
    }
    # TCP port for SSH service.
    set ssh_accepted {
        type inet_service; flags interval;
        elements = {
        721
        }
    }
    # UDP ports to allow. (Allowed services: Teamspeak 3)
    set udp_accepted {
        type inet_service; flags interval;
        elements = {
        9987
        }
    }
    chain input {
        # This line sets what traffic the chain will handle, the priority and the default policy.
        # The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
        # Use a semicolon to separate multiple commands on one row.
        type filter hook input priority 0; policy drop;

        # Limit ping requests.
        ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop

        # OBS! Rules with "limit" need to be put before rules accepting "established" connections.
        # Allow all incoming established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop

        # Allow loopback.
        # Interfaces can be set with "iif" or "iifname" (oif/oifname). If the interface can come and go use "iifname", otherwise use "iif" since it performs better.
        iif lo accept

        # Drop all fragments.
        ip frag-off & 0x1fff != 0 counter drop

        # Force SYN checks.
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop

        # Drop XMAS packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop

        # Drop NULL packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

        # Allow certain inbound ICMP types (ping, traceroute).
        # With these allowed you are a good network citizen.
        # Without the nd-* ones ipv6 will not work.
        ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept

        # Allow SSH for specific IP only
        ip saddr $privateip tcp dport @ssh_accepted accept
        tcp dport @ssh_accepted drop

        # Allow needed tcp and udp ports.
        tcp dport @tcp_accepted ct state new accept
        udp dport @udp_accepted ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Forward all established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop
    }
    chain output {
        type filter hook output priority 0; policy drop;

        # Allow all outgoing traffic. Drop invalid traffic.
        # ipv6 ICMP needs to be explicitly allowed here.
        ip6 nexthdr ipv6-icmp accept
        ct state new,established,related accept
        ct state invalid drop
    }
}

and fail2ban.conf looks like this

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;
        }
}

It looks like the command cannot find the "fail2ban" table, but honestly I don't know where to look or how to fix it. If you need more information, please ask.

Answer 1

You are defining the table fail2ban in the ip family, but fail2ban expects the table fail2ban in the inet family (which basically means dual-stack). Since it does not exist, nftables returns the error No such file or directory.

The comment "# Use ip as fail2ban doesn't support ipv6 yet" seems somewhat outdated, since current versions of fail2ban support IPv6, including the one in Debian 10.

But I think something else is wrong too, because fail2ban should create the nftables chain and the associated set automatically. Please check that you have not changed or removed the action.d/nftables.conf file shipped with fail2ban, or overridden it with your own *.local file.

Also check that at least one jail has banaction = nftables (any type), and that no jail uses the deprecated nftables-multiport or nftables-allports. These should be changed to nftables[type=multiport] and nftables[type=allports] respectively.
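A small diagnostic for the situation described in the answer, added here as an example and not part of the question or the answer: it parses text in the format printed by "nft list ruleset" and reports whether the table and chain that the logged command ("nft list chain inet fail2ban fail2ban") looks for exist, or whether the fail2ban table was defined in the ip family instead. The two sample rulesets are constructed from the asker's configuration; the set name f2b-sshd comes from the log in the question.

```shell
# Added diagnostic (not fail2ban's own code): check an "nft list ruleset" dump
# for the chain "fail2ban" inside table "inet fail2ban", which is what the
# logged "nft list chain inet fail2ban fail2ban" expects to find.
check_f2b_ruleset() {
    # $1: text in the format printed by "nft list ruleset"
    printf '%s\n' "$1" | awk '
        /^table / {
            family = $2; name = $3
            if (family == "ip" && name == "fail2ban") wrongfam = 1
            next
        }
        /^[ \t]*chain fail2ban[ \t{]/ {
            if (family == "inet" && name == "fail2ban") found = 1
        }
        END {
            if (found)    { print "ok: chain fail2ban in table inet fail2ban"; exit 0 }
            if (wrongfam) { print "wrong family: fail2ban table is in ip, fail2ban expects inet"; exit 2 }
            print "missing: no inet fail2ban table or chain"; exit 1
        }'
}

# Constructed sample: the ruleset resulting from the asker's fail2ban.conf (family ip).
RULESET_BROKEN='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
    }
}
table ip fail2ban {
    chain input {
        type filter hook input priority 100; policy accept;
    }
}'

# Constructed sample: the same host after fail2ban has created its own inet table.
RULESET_FIXED='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
    }
}
table inet fail2ban {
    set f2b-sshd {
        type ipv4_addr
    }
    chain fail2ban {
        type filter hook input priority 100; policy accept;
        ip saddr @f2b-sshd reject
    }
}'

# On a live host (as root): check_f2b_ruleset "$(nft list ruleset)"
```

Exit status 0 means the chain is present, 2 means the table exists but in the wrong family, 1 means it is missing altogether.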
