
YAD – Centos 7 IPtables IPset and Fail2ban

17 November 2016


 http://namsep.blogspot.hk/2015/12/yad-centos-7-iptables-ipset-and-fail2ban.html
Yet Another Draft

Securing Centos 7 with IPtables, IPset and Fail2ban.

Purpose
This is written for simple setups such as cloud servers. It makes the IPs that fail2ban detects go into IPtables through an IPset list. Though fail2ban can do this by itself, its IPset list is not permanent and fail2ban needs to rescan the logs upon restart. This setup also allows other tools and scripts to add IPs to the IPsets so they are blocked permanently.

Why IPtables?
Running a firewall on servers is in my opinion way easier with IPtables than it is with FirewallD. It does not use zones and the other complexity that you would want for a laptop or other mobile device but don’t want on a basic (web) server.

Why IPset?
IPset is way faster than adding many IPs to IPtables, and it also keeps things readable.

The issue with IPset is (was) that the sets are not saved: upon restarting your server, IPtables would fail because it references a match set that no longer exists, resulting in no running firewall at all.

However, there is some code written by the CentOS maintainers that solves this issue and will hopefully become mainstream.

https://bugzilla.redhat.com/show_bug.cgi?id=1136257#c16

In this post I will apply these configurations for IPv4 and IPv6 together. Even when you don’t use IPv6 it is still good to do so, because if your ISP enables IPv6 you might not notice and would not have the same protection as with IPv4.

Replacing the default FirewallD firewall with IPtables
yum -y install iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

Creating IPset as a service
vim /etc/systemd/system/ipset.service
paste contents of: http://pkgs.fedoraproject.org/cgit/ipset.git/tree/ipset.service

Creating the code the service runs on
mkdir /usr/libexec/ipset/
vim /usr/libexec/ipset/ipset.start-stop
paste contents of: http://pkgs.fedoraproject.org/cgit/ipset.git/tree/ipset.start-stop
chmod +x /usr/libexec/ipset/ipset.start-stop

Creating the config / save file for IPset
systemctl enable ipset.service
mkdir /etc/ipset
touch /etc/ipset/ipset

Changing IPtables to save the config upon stopping and restarting
vim /etc/sysconfig/iptables-config
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"

Note:
With these values set you have to make changes to the running firewall instead of editing the iptables file and restarting, because upon stopping, the file is overwritten with the running config. Alternatively, stop the firewall, make the changes to the file, and then start it again. The syntax in the file is slightly different from the command line.

Creating the IPsets
Create IPsets to block IPv4 and IPv6 offenders; the sets must have unique names. The temporary sets (1 hour, 3600 seconds) are for fail2ban to put an offender on. If the IP repeats, e.g. 2 times, then fail2ban can move it over to the indefinite list.

ipset create Block-Indefinite-4 hash:ip hashsize 4096
ipset create Block-Temporary-4 hash:ip hashsize 4096 timeout 3600

ipset create Block-Indefinite-6 hash:net hashsize 4096 family inet6
ipset create Block-Temporary-6 hash:net hashsize 4096 family inet6 timeout 3600

The IPv6 sets hash on net instead of ip because with IPv6 you want to block a subnet (/64): a client can easily generate a new privacy address and try again, while obtaining a new subnet is on average a lot more work. For spammers that would not be much of an obstacle; they should be banned on e.g. a /48. No solution for that at this moment.

Link IPset lists to IPtables
iptables -I INPUT 1 -p tcp -m set --match-set Block-Indefinite-4 src -m tcp -j DROP
iptables -I INPUT 2 -p tcp -m set --match-set Block-Temporary-4 src -m tcp -j DROP
ip6tables -I INPUT 1 -p tcp -m set --match-set Block-Indefinite-6 src -m tcp -j DROP
ip6tables -I INPUT 2 -p tcp -m set --match-set Block-Temporary-6 src -m tcp -j DROP

Putting these rules at positions 1 and 2 makes sure that when an attacker is detected and put on the blocklist, the block is effective immediately instead of only for the next session, since an earlier “related or established” rule would otherwise keep letting the current connection through.

As mentioned in the title, this is a draft post. But for now any IP added to the IPset is permanently stored.

Fail2ban

> Yet to be looked at.

* Use the -exist option to prevent error messages for IPs that are already in the list.
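The escalation described under “Creating the IPsets” (temporary ban first, indefinite ban on repeat) together with the -exist note, worked through as an added example that is not from the original post. It assumes the set names created above, a repeat threshold of 2, and its own in-memory detection counter; fail2ban itself would supply the detections.

```python
"""Escalating ban helper for the sets created in this post (added example).
IPv4 offenders go to Block-Temporary-4 / Block-Indefinite-4 (hash:ip); IPv6
offenders are banned as their /64 in Block-Temporary-6 / Block-Indefinite-6
(hash:net). After REPEAT_LIMIT detections an entry is also added to the
indefinite set. The counter and threshold are assumptions of this example."""
import ipaddress
import subprocess
from collections import Counter

REPEAT_LIMIT = 2       # "if the IP repeats e.g. 2 times" -> indefinite list
_offences = Counter()  # detections per ipset entry (IPv4 address or IPv6 /64)


def ipset_entry(addr):
    """Return (family suffix, entry) matching the set names used above."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "4", str(ip)
    # Block the whole /64 so a fresh privacy address does not evade the ban.
    return "6", str(ipaddress.ip_network(f"{ip}/64", strict=False))


def ban_commands(addr):
    """Record one detection and build the ipset command(s) it triggers."""
    suffix, entry = ipset_entry(addr)
    _offences[entry] += 1
    # -exist: re-adding an entry that is already in the set is not an error.
    cmds = [["ipset", "add", "-exist", f"Block-Temporary-{suffix}", entry]]
    if _offences[entry] >= REPEAT_LIMIT:
        cmds.append(["ipset", "add", "-exist", f"Block-Indefinite-{suffix}", entry])
    return cmds


def ban(addr, dry_run=True):
    """Run (or, by default, only print) the commands; returns them as strings."""
    cmds = ban_commands(addr)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # needs root and the sets from above
    return [" ".join(c) for c in cmds]


if __name__ == "__main__":
    # Constructed sample detections: the second hit from each source escalates.
    for src in ("203.0.113.7", "203.0.113.7",
                "2001:db8:1:2:aaaa:bbbb:cccc:dddd", "2001:db8:1:2::9"):
        ban(src)
```

Run it as root with dry_run=False once the sets and the iptables rules from this post exist; the temporary sets expire entries after their 3600 second timeout while the indefinite sets keep them.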
