Fail2ban can use legacy iptables #2662

Closed
wants to merge 1 commit into from
5 changes: 4 additions & 1 deletion Dockerfile
Expand Up @@ -55,7 +55,7 @@ RUN \
dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-pop3d \
dovecot-sieve dovecot-solr dumb-init \
# E - O
ed fetchmail file gamin gnupg gzip iproute2 \
ed fetchmail file gamin gnupg gzip iproute2 iptables \
locales logwatch lhasa libdate-manip-perl libldap-common liblz4-tool \
libmail-spf-perl libnet-dns-perl libsasl2-modules lrzip lzop \
netcat-openbsd nftables nomarch opendkim opendkim-tools opendmarc \
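Review bot: With this line both `iptables` and `nftables` are installed and nothing says why both are needed; a one-line comment above the package list ("nftables for the default nftables-allports banaction, iptables for iptables-allports when FAIL2BAN_LEGACY_IPTABLES=1") would stop the next cleanup from removing one of them, since the two fail2ban actions selected in setup-stack.sh each call a different binary (`nft` vs `iptables`).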
Expand All @@ -78,6 +78,9 @@ RUN \
echo "ERROR: Wrong GPG fingerprint!" >&2; exit 1; fi && \
dpkg -i fail2ban.deb 2>&1 && \
rm fail2ban.deb fail2ban.deb.asc && \
# allow legacy iptables to be configured via FAIL2BAN_LEGACY_IPTABLES
update-alternatives --set iptables /usr/sbin/iptables-legacy && \
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy && \
# cleanup
apt-get -qq autoremove && \
apt-get -qq autoclean && \
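Review bot: The two `update-alternatives --set ... -legacy` calls run at image build time, so the legacy backend is selected in every container, not "via FAIL2BAN_LEGACY_IPTABLES" as the comment above them says; that variable only changes the fail2ban banaction in setup-stack.sh. Either fix the comment to state that `iptables` in this image is always iptables-legacy, or move the two calls into the `FAIL2BAN_LEGACY_IPTABLES -eq 1` branch of `_setup_fail2ban` so the selection actually follows the variable and the default stays at iptables-nft, which uses the same kernel nf_tables backend as the existing nftables path.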
8 changes: 8 additions & 0 deletions docs/content/config/environment.md
Expand Up @@ -112,6 +112,14 @@ Otherwise, `nftables` won't be able to ban IPs.
- reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop

##### FAIL2BAN_LEGACY_IPTABLES

Enable legacy iptables firewall. Useful when docker is running on some type of appliance (e.g. QNAP NAS)

- **0** => use nftables
- 1 => use iptables-legacy
FAIL2BAN_LEGACY_IPTABLES=0

##### SMTP_ONLY

- **empty** => all daemons start
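Review bot: Missing documentation: the new entry should say what the setting changes and what still applies. It switches the fail2ban banaction from `nftables-allports` to `iptables-allports` (per the setup-stack.sh hunk); the note just above about what `nftables` needs in order to ban IPs applies equally to legacy iptables and should be repeated or referenced here; and FAIL2BAN_BLOCKTYPE needs to be honoured on this path too (as the review comment on setup-stack.sh notes, blocktype is currently only written to nftables-common.local, so `drop` vs `reject` is silently ignored with the legacy backend). "some type of appliance" is vague; stating the actual constraint, for example a host kernel without nf_tables support as on some QNAP NAS firmware, tells the reader when to set it.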
5 changes: 5 additions & 0 deletions mailserver.env
Expand Up @@ -126,6 +126,11 @@ ENABLE_FAIL2BAN=0
# reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop

# Fail2Ban use legacy iptables
# **0** => use nftables
# 1 => use iptables-legacy
FAIL2BAN_LEGACY_IPTABLES=0

# 1 => Enables Managesieve on port 4190
# empty => disables Managesieve
ENABLE_MANAGESIEVE=
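Review bot: Style and documentation: the header comment `# Fail2Ban use legacy iptables` should read `# Fail2Ban uses legacy iptables` (or simply `# Fail2Ban firewall backend`), and the two value lines should say what the choice does in this file's own terms, e.g. `# 1 => ban via iptables-allports (for hosts whose kernel lacks nf_tables, e.g. some QNAP NAS)`, mirroring the note in environment.md so the two places do not drift apart.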
5 changes: 5 additions & 0 deletions target/scripts/startup/setup-stack.sh
Expand Up @@ -1070,6 +1070,11 @@ function _setup_fail2ban
echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
Member (review comment): fyi: This should also be done to /etc/fail2ban/action.d/iptables-common.local if ${FAIL2BAN_LEGACY_IPTABLES} -eq 1.

fi

if [[ ${FAIL2BAN_LEGACY_IPTABLES} -eq 1 ]]
then
sed -i 's/banaction = nftables-allports/banaction = iptables-allports/' /etc/fail2ban/jail.local
fi

echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
}
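Review bot: Logic: as the member comment above points out, `blocktype` is only written to nftables-common.local, so with FAIL2BAN_LEGACY_IPTABLES=1 the iptables-allports action keeps fail2ban's own default and FAIL2BAN_BLOCKTYPE has no effect. Write `/etc/fail2ban/action.d/iptables-common.local` in the same `-eq 1` branch, and note the value syntax differs between the two actions: nftables-common takes `drop`/`reject`, while iptables-common's blocktype is an iptables target, `DROP` or `REJECT --reject-with icmp-port-unreachable`, so copying `blocktype = drop` verbatim produces an invalid rule. Also anchor the `sed` pattern (`s/^banaction = nftables-allports$/banaction = iptables-allports/`) so it cannot match inside a comment, and consider failing loudly if the line is absent, since a silent no-op leaves fail2ban on the nftables path the user explicitly opted out of.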
