From 25e901ea73ecf5ca025e1143a2ffd7304731cda1 Mon Sep 17 00:00:00 2001
From: Davide Guerri
Date: Sun, 26 Jun 2022 20:36:11 +0100
Subject: [PATCH] Fail2ban can use legacy iptables
On some appliance (e.g. QNAP NAS') nftables n docker is not available. Thsi commit adds FAIL2BAN_LEGACY_IPTABLES environment variable to allow configuring fail2ban to use iptables-legacy.
---
 Dockerfile | 5 ++++-
 docs/content/config/environment.md | 8 ++++++++
 mailserver.env | 5 +++++
 target/scripts/startup/setup-stack.sh | 5 +++++
 4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 0dc63b2f0e2..cbcd44ac2c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -55,7 +55,7 @@ RUN \
 dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-pop3d \
 dovecot-sieve dovecot-solr dumb-init \
 # E - O
- ed fetchmail file gamin gnupg gzip iproute2 \
+ ed fetchmail file gamin gnupg gzip iproute2 iptables \
 locales logwatch lhasa libdate-manip-perl libldap-common liblz4-tool \
 libmail-spf-perl libnet-dns-perl libsasl2-modules lrzip lzop \
 netcat-openbsd nftables nomarch opendkim opendkim-tools opendmarc \
@@ -78,6 +78,9 @@ RUN \
 echo "ERROR: Wrong GPG fingerprint!" >&2; exit 1; fi && \
 dpkg -i fail2ban.deb 2>&1 && \
 rm fail2ban.deb fail2ban.deb.asc && \
+ # allow legacy iptables to be configured via FAIL2BAN_LEGACY_IPTABLES
+ update-alternatives --set iptables /usr/sbin/iptables-legacy && \
+ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy && \
 # cleanup
 apt-get -qq autoremove && \
 apt-get -qq autoclean && \
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 600c334ce02..97e9915b9fc 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
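Review bot: The comment `# allow legacy iptables to be configured via FAIL2BAN_LEGACY_IPTABLES` in the second hunk does not describe the two lines under it: `update-alternatives --set iptables /usr/sbin/iptables-legacy` and the ip6tables counterpart switch the image-wide `iptables`/`ip6tables` binaries to the legacy xtables backend unconditionally at build time, independent of that variable, which only later decides the fail2ban banaction in setup-stack.sh. Any other consumer of `iptables` inside the image therefore gets the legacy backend even with FAIL2BAN_LEGACY_IPTABLES=0; that is presumably acceptable because the default nftables-allports action does not go through `iptables`, but the comment should say so, e.g. `# make iptables/ip6tables resolve to the legacy backend image-wide; FAIL2BAN_LEGACY_IPTABLES=1 (setup-stack.sh) points fail2ban's banaction at it`. Note also that both calls fail the build if the `iptables` package added in the first hunk ever stops shipping the legacy alternatives, so the dependency between the two hunks is worth a mention. The RUN instruction starts and ends outside the hunk.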
@@ -112,6 +112,14 @@ Otherwise, `nftables` won't be able to ban IPs.
 - reject => reject packet (send ICMP unreachable)
 FAIL2BAN_BLOCKTYPE=drop
 
+##### FAIL2BAN_LEGACY_IPTABLES
+
+Enable legacy iptables firewall. Useful when docker is running on some type of appliance (e.g. QNAP NAS)
+
+- **0** => use nftables
+- 1 => use iptables-legacy
+FAIL2BAN_LEGACY_IPTABLES=0
+
 ##### SMTP_ONLY
 
 - **empty** => all daemons start
diff --git a/mailserver.env b/mailserver.env
index dc577928e27..573991cbd4d 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -126,6 +126,11 @@ ENABLE_FAIL2BAN=0
 # reject => reject packet (send ICMP unreachable)
 FAIL2BAN_BLOCKTYPE=drop
 
+# Fail2Ban use legacy iptables
+# **0** => use nftables
+# 1 => use iptables-legacy
+FAIL2BAN_LEGACY_IPTABLES=0
+
 # 1 => Enables Managesieve on port 4190
 # empty => disables Managesieve
 ENABLE_MANAGESIEVE=
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 9d84e67d606..a0c39c6fb67 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -1070,6 +1070,11 @@ function _setup_fail2ban
 echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
 fi
 
+ if [[ ${FAIL2BAN_LEGACY_IPTABLES} -eq 1 ]]
+ then
+ sed -i 's/banaction = nftables-allports/banaction = iptables-allports/' /etc/fail2ban/jail.local
+ fi
+
 echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
 }
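Review bot: When FAIL2BAN_LEGACY_IPTABLES=1 the `blocktype` written just above the new branch goes only to `action.d/nftables-common.local`, so the `iptables-allports` action selected by the `sed` falls back to the default in fail2ban's own `action.d/iptables-common.conf` (a REJECT, as far as I recall, not a drop) and FAIL2BAN_BLOCKTYPE silently stops having any effect on the legacy path. The branch should mirror the setting for the iptables action family under the same condition as the nftables one, e.g. `echo -e '[Init]\nblocktype = DROP' >/etc/fail2ban/action.d/iptables-common.local` (iptables targets are written uppercase). The `sed -i` substitution also gives no signal when the exact text `banaction = nftables-allports` is absent from jail.local, for instance when a user-supplied jail.local spells the key differently, so a follow-up check such as `grep -q 'banaction = iptables-allports' /etc/fail2ban/jail.local` with a logged warning would make the switch verifiable at startup. _setup_fail2ban starts outside the hunk.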