Are fail2ban chans supposed to be saved in the iptables config in weming?

h2ojunkie · June 6, 2019, 11:35pm

I know that by default, webmin iptables shows you the config file, and not any “temporary” rules running in iPTables. And yes, I know there is an option to change the module config so you can edit the iptable rules directly allowing you to see all currently running rules/chains/etc.

What I don’t know, is what is the “expected” behavior of fail2ban in webmin’s IP tables config.

i.e. Should all of the fail2ban chains be saved to the iptables config, or should the fail2ban chains only be in the active rules (i.e. you wouldn’t see the chains when editing the iptables config in webmin, but you can see the fail2ban chains from CLI when viewing the iptables active rule set.

Here’s a screen shot of the iptables INPUT config on 2 servers that have identical fail2ban configurations (same active jails/filters/config/etc.)

Fail2Ban is running on both…viewing the active rules from cli with iptables -L shows the active iptables ruleset is identical. The only differnence is on the left side, the fail2ban chains aren’t saved in the webmin iptables config file, and on the right side those fail2ban chains are saved in the webmin iptables config.

Which one is the correct/right/most secure way for it to be?

Thanks!

https://content.screencast.com/users/h2ojunkie/folders/Jing/media/9577c812-c88e-484b-925b-f130dcfbc9c9/2019-06-06_1628.png

Eric · June 7, 2019, 12:40am

Howdy,

Fail2ban is just using the system iptables or firewalld, depending on the distro.

To my knowledge, systems using iptables do not automatically save rules that are running in memory upon reboot… the iptables save script “iptables-save” needs to be run to keep them.

With Firewalld, it depends on whether the “–permanent” flag is passed in when Fail2ban adds the rule – if it’s not, it wouldn’t be saved across a reboot. A quick glance at the default configs suggests that’s probably not being passed in – but I suspect that could be tweaked in the Fail2ban configs (in /etc/fail2ban/action.d).

-Eric

h2ojunkie · June 8, 2019, 12:48am

Sorry, I should have stated I’m not using firewallD.

I know you have to explictly flush iptables rules to disk for them to show up in config. I’m just not sure which is actually the correct way to do things (and how webmin works together with fail2ban and iptables).

For example: When you start (or restart) fail2ban, every time it inserts the chains it needs into iptables running in memory. So, if at some point you had uses iptables-save while fail2ban is running, those in-memory rules get saved to the iptables config.

So the first time you “iptables-save” you end up with one set of the fail2ban chains in the iptables save file

Those chains are in the config, and will load every time you load the iptables config from webmin

If you come along and make changes/edits to fail2ban (or reboot the server for that matter) this happens:

iptables starts and loads up the fail2ban chains you had saved previously
fail2ban starts, and duplicates those chains running in iptables memory…so now you have a running list of IPtables rules with duplicate fail2ban chains

If you make any other changes that require you to do iptables-save, you’ve now saved double the chains for fail2ban, and every time you start iptables, you get 2 sets of chains from the iptables config, and then when fail2ban starts, a 3rd set of fail2ban chains are added in memory…and this goes on and on.

I thought of just clearing all the fail2ban chains out of the IP-tables save file…but if you clear the fail2ban chains from the iptable save file, and for some reason iptables get’s restarted for any reason, it wouldn’t have those required chains in the save file, meaning you’d have fail2ban running, but without the chains it needs to actually run/work…so you would have to remember to also restart fail2ban any time you restart iptables to make sure fail2ban’s chains are running in memory.

It’s not like the duplicate chains hurt anything, they jsut build up over time from running iptables-save. So while I was clearing out duplicates it got me wondering what the best practices method is. Keep one set of the chains in the iptables config so you know the chains will always be there, or just let fail2ban start the required chains when it boots up.