On 2019-06-26 02:41, MRob wrote:
I am working to a CentOS 6 server with nonstandard iptables system without rule for ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy custom script) so only filter/INPUT chain has rules (also fail2ban chain):
Chain INPUT (policy ACCEPT) target prot opt source destination f2b-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 192.168.0.0/16 0.0.0.0/0 ACCEPT all -- 127.0.0.0/8 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
Chain f2b-postfix (1 references) target prot opt source destination REJECT all -- 200.23.235.30 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 177.11.167.57 0.0.0.0/0 reject-with icmp-port-unreachable RETURN all -- 0.0.0.0/0 0.0.0.0/0
When fail2ban block a IP address, established connections are allowed to continue, but with no rule to accept established connections how is that possible? Why doesn't f2b first rule block established connections?
The short answer is that the firewall rules REJECT...Fail2Ban only tells the firewall what to reject, at the point of entry.
Think of it this way:
Fail2Ban is the manager of a popular dance club. He determines the list of who may or may not be admitted to the club.
The firewall is the guy at the door of a popular club. He's doing his job, checking IDs, checking against the list of allowed or rejected guests and acting accordingly.
If the manager updates the list, it's not the door guy's job to go back through the club to find anyone who may have been admitted prior to the list having been updated. That's the job of a bouncer.
If you want the door guy to also be a bouncer, you'll need to configure your Fail2Ban actions to add iptables rules which invoke DROP instead of REJECT.