Hello, I have iptables. How can I configure the firewall so that instead of:
Chain INPUT (policy ACCEPT)
it is:
Chain INPUT (policy DROP)
I have a chain called f2b-postfix-sasl,
and it works with fail2ban and shows up in iptables, but I think the problem is that it accepts the packets, which stops the fail2ban bans, so it should first drop if there is a ban via iptables and then accept.
How can I configure this? Is it possible to understand what I am doing?
root@home:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-postfix-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,submission,imap3,imaps,pop3,pop3s,submission
ACCEPT udp -- anywhere anywhere udp dpt:l2f
ACCEPT udp -- anywhere anywhere udp dpt:4500
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT all -- anywhere anywhere /* !fw3 */
input_rule all -- anywhere anywhere /* !fw3: Custom input rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input all -- anywhere anywhere /* !fw3 */
zone_wan_input all -- anywhere anywhere /* !fw3 */
zone_wan_input all -- anywhere anywhere /* !fw3 */
zone_sygnusvpn_input all -- anywhere anywhere /* !fw3 */
zone_openvpn_input all -- anywhere anywhere /* !fw3 */
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.140.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.17.0/24 anywhere
forwarding_rule all -- anywhere anywhere /* !fw3: Custom forwarding rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward all -- anywhere anywhere /* !fw3 */
zone_wan_forward all -- anywhere anywhere /* !fw3 */
zone_wan_forward all -- anywhere anywhere /* !fw3 */
zone_sygnusvpn_forward all -- anywhere anywhere /* !fw3 */
zone_openvpn_forward all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* !fw3 */
output_rule all -- anywhere anywhere /* !fw3: Custom output rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output all -- anywhere anywhere /* !fw3 */
zone_wan_output all -- anywhere anywhere /* !fw3 */
zone_wan_output all -- anywhere anywhere /* !fw3 */
zone_sygnusvpn_output all -- anywhere anywhere /* !fw3 */
zone_openvpn_output all -- anywhere anywhere /* !fw3 */
Chain MINIUPNPD (2 references)
target prot opt source destination
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
REJECT all -- ip-38-53.ZervDNS anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_openvpn_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_sygnusvpn_rule (1 references)
target prot opt source destination
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_openvpn_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_sygnusvpn_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_openvpn_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_sygnusvpn_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere /* !fw3 */ reject-with tcp-reset
REJECT all -- anywhere anywhere /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP all -- anywhere anywhere /* !fw3 */
Chain zone_lan_dest_ACCEPT (8 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone lan to wan forwarding policy */
zone_openvpn_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone lan to openvpn forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- anywhere anywhere /* !fw3: Custom lan input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- anywhere anywhere /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_openvpn_dest_ACCEPT (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_openvpn_forward (1 references)
target prot opt source destination
forwarding_openvpn_rule all -- anywhere anywhere /* !fw3: Custom openvpn forwarding rule chain */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone openvpn to lan forwarding policy */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone openvpn to wan forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_openvpn_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_openvpn_input (1 references)
target prot opt source destination
input_openvpn_rule all -- anywhere anywhere /* !fw3: Custom openvpn input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_openvpn_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_openvpn_output (1 references)
target prot opt source destination
output_openvpn_rule all -- anywhere anywhere /* !fw3: Custom openvpn output rule chain */
zone_openvpn_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_openvpn_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_sygnusvpn_dest_ACCEPT (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_sygnusvpn_forward (1 references)
target prot opt source destination
forwarding_sygnusvpn_rule all -- anywhere anywhere /* !fw3: Custom sygnusvpn forwarding rule chain */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone sygnusvpn to lan forwarding policy */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone sygnusvpn to wan forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
MINIUPNPD all -- anywhere anywhere
zone_sygnusvpn_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_sygnusvpn_input (1 references)
target prot opt source destination
input_sygnusvpn_rule all -- anywhere anywhere /* !fw3: Custom sygnusvpn input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_sygnusvpn_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_sygnusvpn_output (1 references)
target prot opt source destination
output_sygnusvpn_rule all -- anywhere anywhere /* !fw3: Custom sygnusvpn output rule chain */
zone_sygnusvpn_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_sygnusvpn_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (4 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
Chain zone_wan_forward (2 references)
target prot opt source destination
forwarding_wan_rule all -- anywhere anywhere /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT esp -- anywhere anywhere /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT udp -- anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
zone_lan_dest_ACCEPT esp -- anywhere anywhere /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT udp -- anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
MINIUPNPD all -- anywhere anywhere
zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_input (2 references)
target prot opt source destination
input_wan_rule all -- anywhere anywhere /* !fw3: Custom wan input rule chain */
ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
ACCEPT igmp -- anywhere anywhere /* !fw3: Allow-IGMP */
ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
ACCEPT igmp -- anywhere anywhere /* !fw3: Allow-IGMP */
ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* !fw3: Allow-OpenVPN-Inbound */
ACCEPT ipv6 -- anywhere anywhere /* !fw3: Allow-protocol 41 */
ACCEPT ipv6-nonxt-- anywhere anywhere /* !fw3: Allow-protocol 59 */
ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* !fw3: Allow-OpenVPN-Inbound */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_output (2 references)
target prot opt source destination
output_wan_rule all -- anywhere anywhere /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
root@home:~#
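An added example, not part of the original post, to make both questions checkable. In the listing above the jump to f2b-postfix-sasl is already rule 1 of INPUT, ahead of every ACCEPT, so a banned source meets that chain's REJECT before any accept rule is looked at; changing the chain policy is a separate step. The script below parses the rule-spec form (`iptables -S INPUT`) and reports the policy and whether the fail2ban jump precedes the first ACCEPT, using a constructed sample derived from the posted `iptables -L` output (the port numbers, the `-i lo` match on the bare fw3 ACCEPT and the comment quoting are assumptions, since `iptables -L` hides interfaces and prints service names). `harden_input` holds the commands that would actually change the running firewall; the `!fw3` comments show this is OpenWrt's fw3, where the persistent setting is the `input` option of the firewall `defaults` section.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the INPUT chain policy and
# whether the jump to a fail2ban chain precedes the first ACCEPT rule, working
# on the rule-spec form printed by `iptables -S INPUT`.

# Constructed sample derived from the posted `iptables -L` output. Assumptions:
# service names resolved to ports (smtp=25, ssmtp=465, submission=587, imap3=220,
# imaps=993, pop3=110, pop3s=995, l2f=1701, isakmp=500, openvpn=1194), the bare
# "ACCEPT all" fw3 rule is the usual loopback rule (-i lo), and comments are
# quoted the way iptables-save prints them. Only the first part of INPUT is shown.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995,587 -j f2b-postfix-sasl
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT'

# Constructed counter-example: the ordering the poster worries about, with an
# ACCEPT for the mail ports placed ahead of the fail2ban jump, and policy DROP.
BAD_RULES='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 25,465,587,993,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995,587 -j f2b-postfix-sasl
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# input_policy RULES: print the INPUT chain policy (ACCEPT or DROP).
input_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# jump_before_first_accept RULES CHAIN: succeed (exit 0) when the first jump to
# CHAIN in INPUT comes before the first -j ACCEPT, so a REJECT inside CHAIN is
# evaluated before any accept rule. Fails if CHAIN is not referenced at all.
jump_before_first_accept() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            n++
            tgt = ""
            for (i = 1; i < NF; i++) if ($i == "-j") tgt = $(i + 1)
            if (tgt == chain && !j) j = n
            if (tgt == "ACCEPT" && !a) a = n
        }
        END { exit !(j && (!a || j < a)) }'
}

# check_listing RULES CHAIN: print a one-line verdict; exit status as above.
check_listing() {
    pol=$(input_policy "$1")
    if jump_before_first_accept "$1" "$2"; then
        echo "policy $pol; $2 is evaluated before the first ACCEPT: ok"
    else
        echo "policy $pol; an ACCEPT precedes $2 (or $2 is missing): bans can be bypassed"
        return 1
    fi
}

# harden_input: the commands that change the running firewall. Needs root and
# is deliberately not called here. On OpenWrt (the !fw3 comments identify fw3)
# the persistent setting is the defaults section; fw3 rewrites its own rules on
# reload, so re-run check_listing "$(iptables -S INPUT)" f2b-postfix-sasl after.
harden_input() {
    uci set 'firewall.@defaults[0].input=DROP'
    uci commit firewall
    /etc/init.d/firewall reload
    # Equivalent immediate change on a plain iptables host (not persistent):
    # iptables -P INPUT DROP
}

check_listing "$SAMPLE_RULES" f2b-postfix-sasl
check_listing "$BAD_RULES" f2b-postfix-sasl || true
```

Run it as-is to see the check against the two constructed listings; on the router, feed it the real ruleset with `check_listing "$(iptables -S INPUT)" f2b-postfix-sasl`, and use `iptables -L INPUT -nv --line-numbers` when you want to see which interface each zone jump is bound to, since plain `iptables -L` prints every rule as "anywhere anywhere". Before switching to policy DROP, keep in mind what falls through to it in the posted INPUT chain: traffic arriving on an interface that belongs to no fw3 zone, and packets from the lan zone in ctstate INVALID, because zone_lan_src_ACCEPT only accepts NEW,UNTRACKED. Both are accepted today by the ACCEPT policy and would be silently dropped afterwards.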