[CentOS] iptables - how to block established connections with fail2ban?

Wed Jun 26 14:50:18 UTC 2019
Mike Burger <mburger at bubbanfriends.org>

On 2019-06-26 02:41, MRob wrote:
> I am working on a CentOS 6 server with a nonstandard iptables system
> without a rule to ACCEPT ESTABLISHED connections. All tables and chains
> are empty (flushed by a legacy custom script) so only the filter/INPUT chain has
> rules (also the fail2ban chain):
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> f2b-postfix   tcp  --
> ACCEPT     all  --
> ACCEPT     all  --
> ACCEPT     tcp  --             tcp dpt:22
> ACCEPT     tcp  --             tcp dpt:25
> ACCEPT     tcp  --             tcp dpt:80
> ACCEPT     tcp  --             tcp dpt:443
> ACCEPT     tcp  --             tcp dpt:587
> ACCEPT     tcp  --             tcp dpt:993
> ACCEPT     tcp  --             tcp dpt:995
> DROP       tcp  --             tcp flags:0x17/0x02
>
> Chain f2b-postfix (1 references)
> target     prot opt source               destination
> REJECT     all  --             reject-with icmp-port-unreachable
> REJECT     all  --             reject-with icmp-port-unreachable
> RETURN     all  --
>
> When fail2ban blocks an IP address, established connections are allowed
> to continue, but with no rule to accept established connections how is
> that possible? Why doesn't f2b's first rule block established
> connections?

The short answer is that the firewall rules REJECT...Fail2Ban only tells 
the firewall what to reject, at the point of entry.

Think of it this way:

Fail2Ban is the manager of a popular dance club. He determines the list 
of who may or may not be admitted to the club.

The firewall is the guy at the door of a popular club. He's doing his 
job, checking IDs, checking against the list of allowed or rejected 
guests and acting accordingly.

If the manager updates the list, it's not the door guy's job to go back 
through the club to find anyone who may have been admitted prior to the 
list having been updated. That's the job of a bouncer.

If you want the door guy to also be a bouncer, you'll need to configure 
your Fail2Ban actions to add iptables rules which invoke DROP instead of 

Mike Burger

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
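Added example, not part of the thread and not fail2ban's own code: a small Python rule-walker that parses an `iptables -L -n` listing of the shape shown in the question, traces which rule a packet from a given source hits first (following the jump into the `f2b-postfix` chain and honouring `RETURN`), and summarises how bans are enforced (REJECT vs DROP) and whether INPUT has any `ESTABLISHED` accept rule. The listing in the block is constructed: the source/destination columns of the original post were lost in transit, so RFC 5737 documentation addresses stand in for them, and the `multiport dports` match on the jump rule is assumed (it is what fail2ban's iptables-multiport action installs, but it is not visible in the post). Chain prefixes `f2b-` (fail2ban 0.9+) and `fail2ban-` (0.8) are both recognised.

```python
"""Walk packets through an ``iptables -L -n`` listing and audit the fail2ban chains.

Added example for this thread; not fail2ban code and not the posters' real
ruleset. The listing is constructed: the source/destination columns were lost
in the mail, so RFC 5737 documentation addresses stand in for them.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,587
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     all  --  203.0.113.0/24       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

class Rule(NamedTuple):
    target: str
    prot: str
    source: ipaddress.IPv4Network
    extra: str            # match text after the destination column

class Chain(NamedTuple):
    name: str
    policy: Optional[str]  # None for user-defined chains (they fall through to RETURN)
    rules: List[Rule]

class Packet(NamedTuple):
    src: str
    dport: int
    syn: bool             # True for the opening SYN of a new connection (all packets are TCP here)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text: str) -> Dict[str, Chain]:
    """Split ``iptables -L -n`` output into chains and their rules, in order."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), [])
            chains[current.name] = current
        elif line.strip() and not line.startswith("target") and current is not None:
            target, prot, _opt, src, _dst, extra = RULE_RE.match(line).groups()
            current.rules.append(Rule(target, prot, ipaddress.ip_network(src), extra.strip()))
    return chains

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Evaluate the match part of a TCP rule: source, dpt/dports, SYN flag."""
    if rule.prot not in ("all", "tcp") or ipaddress.ip_address(pkt.src) not in rule.source:
        return False
    m = re.search(r"dpt:(\d+)", rule.extra)
    if m and int(m.group(1)) != pkt.dport:
        return False
    m = re.search(r"dports (\S+)", rule.extra)
    if m and pkt.dport not in {int(p) for p in m.group(1).split(",")}:
        return False
    # flags:0x17/0x02 examines FIN,SYN,RST,ACK and requires only SYN: new connections
    return pkt.syn or "flags:0x17/0x02" not in rule.extra

def trace(chains: Dict[str, Chain], pkt: Packet, chain_name: str = "INPUT") -> Optional[str]:
    """Return 'VERDICT via CHAIN' for the first terminating rule the packet hits."""
    chain = chains[chain_name]
    for rule in chain.rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "RETURN":
            break
        if rule.target in chains:                 # jump into a user-defined chain
            verdict = trace(chains, pkt, rule.target)
            if verdict is not None:
                return verdict
            continue                              # chain RETURNed: keep walking here
        return f"{rule.target} via {chain_name}"
    return None if chain.policy is None else f"{chain.policy} (policy) via {chain_name}"

def audit(chains: Dict[str, Chain]) -> dict:
    """Summarise how bans are enforced and whether INPUT accepts established flows."""
    f2b = [c for n, c in chains.items() if n.startswith(("f2b-", "fail2ban-"))]
    return {
        "fail2ban_chains": [c.name for c in f2b],
        "ban_targets": sorted({r.target for c in f2b for r in c.rules if r.target != "RETURN"}),
        "accepts_established": any(r.target == "ACCEPT" and "ESTABLISHED" in r.extra
                                   for r in chains["INPUT"].rules),
    }
```

Typical use is `chains = parse_listing(open("listing.txt").read())` on saved `iptables -L -n` output, then `trace(chains, Packet("192.0.2.10", 25, False))` to see which rule a mid-connection packet from a banned address hits, and `audit(chains)` to confirm the ban target in the fail2ban chain (REJECT with `icmp-port-unreachable` by default, DROP if the action's `blocktype` was changed) and whether INPUT carries any `ESTABLISHED` accept at all. Tracing a SYN and a non-SYN packet to the same unlisted port shows the effect of the trailing `flags:0x17/0x02` DROP rule in the poster's layout.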