compatibility with nftables? #3
Comments
This sounds like a great idea! It shouldn't be too difficult to make this work with nftables as well as iptables. I'm not familiar with that, so I'll need your input to modify the existing set-iptables.sh[-config] script for nftables. I think there are two things we need to do for this. First, give me a version of the file set-iptables.sh-config (it's initially set as -config so the user will rename it and it won't be overwritten if it has any user-specific mods); rename yours as set-nftables.sh-config and once we verify it works, I'll include it in the distribution. Second, we need to see how nftables logs blocked IP traffic. If the log data is formatted differently, we might need to modify the ./count_logins.sh and ./attack_stats.sh scripts. Here is the log format iptables uses for the LOG command:

```
Jan 2 18:34:10 sd2 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=185.211.245.170 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33468 DF PROTO=TCP SPT=17292 DPT=587 WINDOW=7300 RES=0x00 SYN URGP=0
```

If it logs blocked packets the same way, no modifications would be needed; otherwise I probably need a sample log file with examples to update my statistical script (just to make everything 100% compatible). Minimally, probably all you need to do is modify that one shell script to make it work on your system, assuming all the ipset commands are the same. Any other questions, let me know.
btw, the way login-shield works with rules is, those are all ipset-based, so there's no changing of the iptables/nftables commands; those are typically run only initially (or after reboot). To update the tables, just re-run the blacklist-xxxx.sh scripts and any dupe rules will be ignored. Right now it could be improved in this respect. I plan to re-write everything in Python later, but first I want to make sure the blacklists are really solid. So far they're working very well on six of my servers.
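The two comments above turn on one question: whether the statistics scripts can keep parsing the kernel packet-log lines once the rules come from nftables. The script below is an added example, not code from login-shield, that parses that `KEY=value` format and tallies blocked sources and destination ports. The log lines are constructed (documentation addresses, placeholder host name); one of them carries a `login-shield:` prefix and one is an unrelated sshd message, to show that a log prefix and non-netfilter lines are handled. It assumes, as the thread has not yet confirmed, that nftables `log` rules write the same netfilter packet-log format as iptables LOG.

```shell
#!/bin/sh
# Added example, not part of login-shield: parse netfilter packet-log lines
# (the format iptables LOG writes, which nftables 'log' rules are assumed to
# share) and tally blocked sources and destination ports.
# Sample lines are constructed; addresses and host name are placeholders.
SAMPLE_LOG='Jan  2 18:34:10 sd2 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33468 DF PROTO=TCP SPT=17292 DPT=587 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:34:12 sd2 kernel: login-shield: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33469 DF PROTO=TCP SPT=17293 DPT=22 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:35:01 sd2 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  2 18:35:02 sd2 sshd[123]: Failed password for root from 203.0.113.7 port 40001 ssh2'

# Print one KEY=value field from every kernel packet-log line read on stdin.
# A log prefix before IN= does not matter because fields are matched by key;
# lines without a SRC= field (non-netfilter messages) are skipped.
log_field() {
    awk -v key="$1" '
        /kernel: / && / SRC=/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) print kv[2]
            }
        }'
}

# Blocked packets per source address, most frequent first: "addr count".
count_by_src() {
    log_field SRC | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Blocked packets per destination port, most frequent first: "port count".
count_by_dport() {
    log_field DPT | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Number of blocked packets recorded for one source address in the sample.
hits_for_src() {
    printf '%s\n' "$SAMPLE_LOG" | log_field SRC | grep -Fxc "$1"
}

# Number of distinct blocked source addresses in the sample.
distinct_sources() {
    printf '%s\n' "$SAMPLE_LOG" | log_field SRC | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | count_by_src
printf '%s\n' "$SAMPLE_LOG" | count_by_dport
```

To run it over a real machine, replace the `printf` of `SAMPLE_LOG` with the kernel log (for example `journalctl -k` or `/var/log/kern.log`) piped into `count_by_src`; because fields are picked by key rather than by position, a `log prefix` on the nftables rule does not break the parse.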
I'm also interested in nftables support, as all current releases of Fedora and CentOS 8/Stream use nftables.
I don't have any experience with nftables at this point. If anybody wants to re-write the iptables commands to use nftables, I'll incorporate it into another update. I assume the syntax is relatively similar?
I see a tutorial as well as the official guide which includes how to use the new
Did you see the feedback on the Fail2ban mailing list?
Sorry, I haven't seen that. But one issue is I don't have a CentOS machine with nftables on it right now to do the test/translate. However, anybody who does can copy the IPTABLES commands from the set-iptables.sh[-config] script. When the script is run, it echoes the iptables commands that are used. These can be run through the translator. If I can see an example of how the command is translated, I can create a separate set-nftables.sh-config file for those running nftables.
For example, here are the two commands that a person might run. How would they be translated using nftables?
Note that I don't have access to a machine that uses an alternate to iptables. I'm sure it's just a minor change but at this point, I'm hoping someone else who knows the alternate command syntax can provide the commands using nftables to accomplish the same thing, then I will add this to the project. |
Thank you for the shell code 🙏🙏, very nice. I have set up some nftables in the past... If I am correct, nftables tends to be managed via a config file BUT there are shortcuts to add to it... I usually set up the config file and be done with it.... https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
Above example
Above, if you already have a chain named filter in your config (with policy to drop); if not, you are going to have to USE the bigger sample code to create the chain and/or table...
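The comment above describes the choice between adding to an existing chain and creating a table and chain, and the maintainer's earlier comments describe the update model: the firewall rule is installed once and the blacklist scripts only refill the set, with duplicates ignored. The script below is an added example, not login-shield's own translation, showing how that model maps onto nftables native sets: it emits a self-contained ruleset (table `inet login_shield`, a `blacklist` set, an input chain that logs and drops) and converts a plain blacklist file into one `add element` batch, dropping comments, invalid lines and duplicates so it can be re-run safely. The table, set and chain names and the blacklist format are assumptions; the sample blacklist is constructed from documentation address ranges. The script only prints the batch and never calls `nft` itself.

```shell
#!/bin/sh
# Added example, not from login-shield: turn a plain blacklist file (one IPv4
# address or CIDR per line, '#' comments allowed) into an nft batch that can
# be applied atomically with 'nft -f'. Table/set/chain names are assumptions.
TABLE=inet
NAME=login_shield

# Constructed sample blacklist; addresses are documentation ranges.
SAMPLE_BLACKLIST='# constructed sample
192.0.2.0/24
203.0.113.7
192.0.2.0/24      # duplicate, must be ignored
not-an-address    # invalid, must be rejected
198.51.100.0/25'

# Strip comments and whitespace, keep only syntactically valid IPv4
# addresses / prefixes, and drop duplicates so re-running never produces
# repeat entries (the "dupe rules are ignored" behaviour of the ipset model).
clean_entries() {
    sed 's/#.*//' | tr -d ' \t' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# Emit a complete ruleset: an interval set of blocked prefixes and an input
# chain that logs (netfilter packet-log format, assumed to match iptables LOG)
# and drops any packet whose source is in the set. The chain policy stays
# accept so an existing filter chain's policy is left untouched.
ruleset_header() {
    cat <<EOF
table $TABLE $NAME {
    set blacklist {
        type ipv4_addr
        flags interval
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @blacklist log prefix "login-shield: " drop
    }
}
EOF
}

# Emit one 'add element' line holding every cleaned entry from stdin.
element_batch() {
    entries=$(clean_entries | paste -s -d ',' - | sed 's/,/, /g')
    [ -n "$entries" ] || return 0
    printf 'add element %s %s blacklist { %s }\n' "$TABLE" "$NAME" "$entries"
}

# Helpers exercising the constructed sample.
valid_count() { printf '%s\n' "$SAMPLE_BLACKLIST" | clean_entries | wc -l | tr -d ' '; }
sample_batch() { printf '%s\n' "$SAMPLE_BLACKLIST" | element_batch; }

ruleset_header
sample_batch
```

Redirect the combined output to a file and load it with `nft -f`; the table and set are declared before the `add element` line, so a fresh machine and a machine that already has the table both end up with the same ruleset, and re-running the blacklist step only refills the set rather than duplicating rules. The regular expression checks shape only, not octet range, which is enough to reject junk lines; `nft` rejects any remaining malformed address when the batch is loaded.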
I would love to test login-shield on my server... it's a really great idea!
I run Debian 10 with fail2ban. However, I use nftables instead of iptables... In principle, it would be no problem to convert each rule of login-shield to nftables' syntax. However, I wonder what will happen if login-shield is updated...? Would I have to convert the new rules again? Perhaps it would be great if login-shield would work with both iptables and nftables... What do you think?