Firewall - Advanced Custom Rules

Ive started playing with Advanced Custom Rules on the firewall and am discovering you can do some pretty cool stuff.

The following command opens up a certain range of IP addresses to access port 1194.

-I INPUT -p udp --dport 1194 -s -j ACCEPT

However this firewall command dumps the traffic into the system AFTER fail2ban.

Is there a way I can dump the traffic into the system BEFORE fail2ban?

in general yes. But in practice I would let my hands off. It is a question of ordering the firewall rules.
Simple thing is to make your advanced rule the first rule.
You can say: -I INPUT 1 -p udp --dport 1194 -s -j ACCEPT
or 2 or 3. So your advanced rule is the first, second or 3rd rule within your IPTABLES. Nothing to do with fail2ban.
However the problem is that next hit of your fail2ban rules put the f2b-chain to the first place again.
This can only be avoided by changing the /fail2ban/action.d/*-files e.g. iptables-multiport.local
To set this action e.g. to position 7:
actionstart = -N f2b-
-A f2b- -j
-I 7 -p -m multiport --dports -j f2b-

…And this is the point where I would let my hands off…
Because free-pbx has (for me) to many f2b-rules, which I really don’t understand at the whole.

1 Like

Current versions of faik2ban have

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>


I experimented with guenni’s suggestion.

So I tried -I INPUT 1
-I INPUT 1 -p udp --dport 1194 -s -j ACCEPT

This still inserts the traffic AFTER fail2ban.

Then I tried -I INPUT 2
-I INPUT 2 -p udp --dport 1194 -s -j ACCEPT

Now this inserts traffic BEFORE fail2ban

This works but now I want to dive in a little deeper and understand why this works.
By chance does the INPUT 1, and INPUT 2 numbers correspond to zones?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.