1

Previously I have a CentOS 6.5 with Iptables and I configure some jails for nginx as suggested here: How To use fail2ban for Nginx?.

But now I am in CentOS 7, trying to use the new firewall and latest fail2ban as well. I know there is a new firewallcmd-ipset.conf. But I wonder how the code of the above link should be adapted to the new firewall and the new fail2ban.

Watching firewallcmd-ipset.conf it seems it also expects the variables port and name. So maybe it is as easy as replacing iptables-multiport by firewallcmd-ipset.

Thoughts?

Thanks in advance,

Community
  • 1
Mariano Martinez Peck
  • 247

2 Answers2

1

You don't need to change anything. On CentOS 7, the default configuration will already include a configuration bit to set the fail2ban banaction to firewallcmd-ipset. This is in the fail2ban-firewalld package, which should automatically be installed.

You only need to make sure that you did not override the banaction somewhere else in your configuration.

Michael Hampton
  • 252,907
0

FirewallD is just a wrapper of iptables, which makes a easy way to manage your rules. However, IMHO, Firewalld is better for workstation environment rather than server environment. Thus, I recommend you to systemctl the following action

disable FirewallD

mask Firewalld

enable iptables

Then, put related iptables action in your jail.local

In my previous experience using firewalld config in fail2ban, I found the configure doesn't reload the frewalld, which means making the rules added by fail2ban activated.

When I firewall-cmd --reload manually, all invalid IPs recorded by fail2ban showing in the firewall-cmd --list-all

In this case, using iptables is your faster choice or you can modify the firewalld-xxxxx configures.

Mark
  • 564