0

do i need firewalld for fail2ban to work?

Can fail2ban block IP's with iptables only?

I've installed iptables-service on a CentOS 8 vps. I use nftables v0.9.3 (Topsy) to restrict/grant access. Firewalld is stopped and not running, but I guess fail2ban needs firewalld to block ip's?

Thanks for any hint or idea about this question.

zippy-flop
  • 21
  • 4
  • 1
    Fail2ban works with iptables by default. However, installing fail2ban on CentOS 8 also installs fail2ban-firewalld (which changes that default) Even with a properly configured fail2ban jail, you won't see the expected results. fail2ban will log events as expected, but no traffic will be banned. I would suggest using fail2ban with iptables, but while you can find many articles on using iptables with failban to ban, there is little to no information on using firewalld with fail2ban and related configuration issues. – spacebiker Mar 21 '21 at 11:31
  • By default, fail2ban uses the [iptables interface](https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server) to block IP addresses. – berndbausch Mar 21 '21 at 11:33

2 Answers2

2

You can configure your fail2ban instance to specify which banning action it would use, thereby native net-filters are recommended (so firewalld is not advisable).
Which actions are available is depending on your fail2ban version, e. g. latest 0.10/0.11 have besides to several iptables also nftables action.
If you use nftables, it is also better to ban using nftables action (mostly iptables will just emulate nftables).

Also if your version is older (still does not have it), you can try to copy the latest version of action to /etc/fail2ban/action.d and try it.

To overwrite your defaults, simply set both banaction in default section of your jail.local:

[DEFAULT]
# default type of nftables is multiport: banaction = nftables[type=multiport]
banaction = nftables
banaction_allports = nftables[type=allports]
sebres
  • 1,100
  • 1
  • 5
  • 6
  • thank you so much. since fail2ban is new to me, i was not aware, that firewalld gets installed with fail2ban. I really would prefer workin with nftables only. I've set a couple of rules in my jail.local. Can I place the [DEFAULT] on top so every rule like [SSHD] or [apache] will use nftables? – zippy-flop Mar 23 '21 at 15:18
  • thanks for pointing me at "banaction". I think that's the missing part in my config. – zippy-flop Mar 23 '21 at 15:35
0

In addition to what serbes said, I must warn you.

It is true that fail2ban prefers raw iptables rather than ufw or firewalld or another higher-layer helper. But, if you have some rule saving/restoring mechanism (like netfilter-persistent in the Debian; I don't know how such thing is called in CentOS, sorry), there will be annoying catch. On restart, it will save fail2ban-added rules on the stop and restore them during startup, and fail2ban at the start will also add them again. So you'll end up with two identical fail2ban rule sets. On the next restart they will be multiplied again. And again.

This will not break things, but this somewhat obscures direct use of iptables. To conquer this you need to customise fail2ban actions. You need it to not install any firewall rules during jail startup, and then install these rules by hand and rely on your rule saving/restoring service. Also it's better to, say, set fail2ban to use ipset, and don't save ipsets by the rule saving service. This way everything will be clean.

Or, don't use rule saving/restoring service together with fail2ban.

Nikita Kipriyanov
  • 10,947
  • 2
  • 24
  • 45
  • One can surely filter f2b-* chains. It is also possible to create own chain or table like F2B (in nftables it is already the case), add it to input, prerouting or whethever chain you may need, and adjust configuration of fail2ban to set `chain=F2B` in local-conf as well as config of *-persistent services to ignore F2B (chain or table), or to filter it somehow. No idea how it is possible in netfilter-persistent, but it is definitely the issue of this service(s) and not of fail2ban. – sebres Mar 21 '21 at 15:25
  • nftables v0.9.3 is not netfilter right? I thought nftables replaces iptables in CentOS 8. I really would like to work with nftables, but I don't see any chains from f2b in nftables. That's why I installed iptables again, but the chains don't show up. Neither in nftables nor in iptables. So that's why I tried firewalld (which really is an overkill). nftables uses a very simple set of rules on start. after that a script adds some more chains and rules to block some countries. so ideally, f2b creates a chain in nftables and blocks them on all ports. So I have to figure out the "banaction" – zippy-flop Mar 23 '21 at 15:26
  • As for "but the chains don't show up" - fail2ban does it on demand (by first ban), see https://github.com/fail2ban/fail2ban/issues/1755#issuecomment-295286513 (and you can specify `actionstart_on_demand = false` in action config or supply it as parameter to banaction in order to do this on start) – sebres Mar 24 '21 at 01:30