How to insert persistent rules before freepbx firewall rules

(Sam Shomi) #1

I would like to be able to insert a custom chain in iptables INPUT chain row 1. That way incoming packets have to go through my custom rules before anything else including freepbx firewall/fail2ban rules.

Is there some way to do that? Every time I reboot it seems my custom chain gets overwritten by freepbx firewall and intrusion detection even if I save it with iptables save.

(Sam Shomi) #2

I figured it out as per this guide.

(Sam Shomi) #3

Does anyone know of a universal way to override all iptables FreePBX or Fail2ban rules? I cannot guarantee FreePBX firewall will be enabled so I can’t use the FreePBX custom firewall rules feature.

If it is just fail2ban enabled I need to override those rules if they exist. I was thinking maybe a cronjob that runs every 5 minutes that checks if my custom chain exists in row 1 of INPUT and if not to put it there. Seems a bit hacky though. Maybe there is a more elegant solution?


If you want to do it your way, you could

fwconsole firewall disable

no rules are there,

systemctl start fail2ban

f2b rules are there, then you can -I or -A and the rules would apply,

(Sam Shomi) #5

I ended up creating a cron job that runs a script every minute. That script inserts a custom chain as rule #1 if it doesn’t already exist. It then adds all my rules into the custom chain if they don’t already exist.

It’s a bit hacky but it gets the job done and seems to work with all scenarios. I suppose I could check for freepbx firewall and do things differently depending on whether it is installed or not, but this way is simpler.
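An added example of the kind of idempotent cron script post #5 describes (not code from the thread). The chain name CUSTOM_PRE, the sample SSH allow rule, the 192.0.2.10 management address and the IPT override variable are all assumptions.

```shell
#!/bin/sh
# Keep a custom chain as rule 1 of INPUT and keep its rules populated,
# without duplicating anything when run repeatedly from cron.
set -eu

IPT="${IPT:-iptables}"        # assumed: override to test without root
CHAIN="${CHAIN:-CUSTOM_PRE}"  # assumed chain name

# Create the chain if it does not exist yet (-N fails if it already does).
ensure_chain() {
  "$IPT" -N "$CHAIN" 2>/dev/null || true
}

# True when the jump into our chain is currently INPUT rule number 1.
# `iptables -S INPUT 1` prints that single rule in -A form.
jump_is_first() {
  "$IPT" -S INPUT 1 2>/dev/null | grep -q -- "-A INPUT -j $CHAIN\$"
}

# Guarantee exactly one jump and that it sits at row 1: drop any jump that
# fail2ban or the FreePBX firewall pushed further down, then re-insert.
ensure_jump_first() {
  if jump_is_first; then return 0; fi
  while "$IPT" -C INPUT -j "$CHAIN" 2>/dev/null; do
    "$IPT" -D INPUT -j "$CHAIN"
  done
  "$IPT" -I INPUT 1 -j "$CHAIN"
}

# Append a rule to the chain only if -C says it is not there already.
add_rule_once() {
  "$IPT" -C "$CHAIN" "$@" 2>/dev/null || "$IPT" -A "$CHAIN" "$@"
}

# Entry point for the cron job: chain, jump, then the rules themselves.
apply_custom_rules() {
  ensure_chain
  ensure_jump_first
  # Assumed sample policy: the management host always reaches SSH before
  # any fail2ban ban can apply; packets that match nothing here fall
  # through to the FreePBX / fail2ban rules that follow the jump.
  add_rule_once -s "${ALLOW_NET:-192.0.2.10/32}" -p tcp --dport 22 -j ACCEPT
}
```

Run `apply_custom_rules` from a root cron entry as in post #5; there is still a window of up to one cron interval after a fail2ban or firewall restart during which the chain is not first, so keep the interval short.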

(system) closed #6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.