Loading fail2ban rules to iptables using iptables-persistent
Don't bother. fail2ban maintains its own state and will recreate its firewall rules when restarted.
Author: Firze
Updated on September 18, 2022

Comments
-
Firze, almost 2 years ago:
I am using iptables-persistent package to reload my iptables on boot. And I have been thinking should I add the fail2ban rules to the loaded config file? Now I am seeing they are duplicated.
This is my firewall config:
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
# Accepts SSH connection
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HTTP
-A INPUT -p tcp --dport 80 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# MariaDB (private network)
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
# loopback device
-I INPUT 1 -i lo -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Drops all remaining traffic
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
```
The fail2ban lines are duplicated when I reboot and run iptables -S:
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
```
So should I remove those 2 fail2ban lines from my config?
-
Tobi, over 6 years ago: Anyone have any other ideas on this? I'm using persistent rules for a reason, so that has to stay in play. I'm looking at script-removing the f2b rules from the saved/persistent config, or some way to tell F2B to create its chains and add rules to INPUT iff they don't already exist...?
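One way to do what this comment asks, as an added example that is not part of the thread: filter the fail2ban-managed chains out of an `iptables-save` dump before writing it to the iptables-persistent rules file, so the static policy is saved and fail2ban recreates its own chains on start. It assumes fail2ban's default chain prefix (`fail2ban-<jail>` as on this page, or `f2b-<jail>` in newer releases); the sample dump is constructed from the duplicated output in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Removes fail2ban's chain declarations,
# the rules inside those chains, and the INPUT jumps into them from an
# iptables-save dump on stdin. Assumes the default chain prefixes
# "fail2ban-" (as in this question) or "f2b-" (newer fail2ban releases).

strip_f2b() {
    awk '
        /^:(fail2ban|f2b)-/       { next }   # chain declaration, e.g. ":fail2ban-ssh - [0:0]"
        /^-A (fail2ban|f2b)-/     { next }   # rule inside a fail2ban chain
        /-j (fail2ban|f2b)-[^ ]*/ { next }   # jump from INPUT into a fail2ban chain
        { print }
    '
}

# count_f2b_lines DUMP: number of lines still referencing a fail2ban chain.
count_f2b_lines() {
    printf '%s\n' "$1" | grep -c -E '(fail2ban|f2b)-' || true
}

# Constructed sample modelled on the duplicated "iptables -S" output above.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT'

FILTERED=$(printf '%s\n' "$SAMPLE_DUMP" | strip_f2b)

# On a live host (as root) the same filter sits in front of the persistent
# file that iptables-persistent loads at boot:
#   iptables-save | strip_f2b > /etc/iptables/rules.v4
```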
-
Firze, about 9 years ago: So does this mean I am not supposed to add any fail2ban firewall rules and I should remove them from the config file?
-
Michael Hampton, about 9 years ago: Right, you don't need them there at all. fail2ban will add them when it starts up.