
Comments (10)

DPsystems commented on August 26, 2024

This sounds like a great idea! It shouldn't be too difficult to make this work with nftables as well as iptables. I'm not familiar with that so I'll need your input to modify the existing set-iptables.sh[-config] script for nftables.

I think there are two things we need to do for this.

First, give me a version of the file: set-iptables.sh-config (it's initially set as -config so the user will rename and it won't be overwritten if it has any user-specific mods) - rename yours as: set-nftables.sh-config and once we verify it works, I'll include it in the distribution.

Second, we need to see how nftables logs blocked IP traffic. If the log data is formatted differently, we might need to modify the ./count_logins.sh and ./attack_stats.sh scripts.

Here is the log format iptables uses for the LOG command:

Jan 2 18:34:10 sd2 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=185.211.245.170 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33468 DF PROTO=TCP SPT=17292 DPT=587 WINDOW=7300 RES=0x00 SYN URGP=0

If it logs blocked packets the same way, no modifications would be needed, otherwise I probably need a sample log file with examples to update my statistical script (just to make everything 100% compatible).

Minimally, probably all you need to do is modify that one shell script to make it work on your system assuming all the ipset commands are the same.

Any other questions, let me know.

from login-shield.
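One way to check the log-compatibility point above, as an added example that is not part of login-shield: a small POSIX shell parser run over constructed sample lines in this kernel log layout. The nftables `log` statement goes through the same kernel netfilter logging code as the iptables LOG target, so its lines carry the same KEY=VALUE fields; one caveat is that `--log-prefix ShD-Lgn` without a trailing space makes the kernel write the prefix straight onto IN= (`ShD-LgnIN=eth0`), so the matcher accepts both spellings. The `count_field` helper and the sample log are my assumptions, not the project's scripts.

```shell
#!/bin/sh
# Constructed sample of kernel netfilter log lines in the layout quoted above.
# Line 3 shows the no-trailing-space prefix form (ShD-LgnIN=); the last line
# carries a different prefix and must be ignored.
SAMPLE_LOG='Jan  2 18:34:10 sd2 kernel: ShD-Lgn IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33468 DF PROTO=TCP SPT=17292 DPT=587 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:34:11 sd2 kernel: ShD-Lgn IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33469 DF PROTO=TCP SPT=17293 DPT=22 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:34:12 sd2 kernel: ShD-LgnIN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=17 DF PROTO=TCP SPT=40000 DPT=993 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:34:13 sd2 kernel: OtherRule IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=198.51.100.9 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=7300 RES=0x00 SYN URGP=0'

# count_field PREFIX FIELD: read log text on stdin, keep only lines logged
# with PREFIX (with or without a space before IN=), and print "count value"
# for every distinct value of FIELD (e.g. SRC or DPT), most frequent first.
# Fields are located by name, so the order of KEY=VALUE tokens on the line
# does not matter.
count_field() {
    awk -v pfx="$1" -v fld="$2" '
        $0 !~ (" " pfx " ?IN=") { next }
        {
            for (i = 1; i <= NF; i++)
                if (index($i, fld "=") == 1)
                    n[substr($i, length(fld) + 2)]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Convenience wrappers for the two views count_logins.sh / attack_stats.sh
# would want: which addresses were blocked, and which services they aimed at.
blocked_sources() { count_field "$1" SRC; }
probed_ports()    { count_field "$1" DPT; }

# Demo run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | blocked_sources ShD-Lgn
printf '%s\n' "$SAMPLE_LOG" | probed_ports ShD-Lgn
```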

DPsystems commented on August 26, 2024

btw, the way login-shield works with rules is, those are all ipset-based so there's no changing of the iptables/nftables commands - those are typically run only initially (or after reboot). To update the tables just re-run the blacklist-xxxx.sh scripts and any dupe rules will be ignored.

Right now it could be improved in this respect - I plan to re-write everything in Python later but first I want to make sure the blacklists are really solid. So far they're working very well on six of my servers.


hobbes1069 commented on August 26, 2024

I'm also interested in nftables support as all current releases of Fedora and CentOS 8/Stream use nftables.


DPsystems commented on August 26, 2024

I don't have any experience with nftables at this point. If anybody wants to re-write the iptables command to use nftables, I'll incorporate it into another update. I assume the syntax is relatively similar?


RobbieTheK commented on August 26, 2024

I see a tutorial as well as the official guide which includes how to use the new iptables-translate command.


RobbieTheK commented on August 26, 2024

Did you see the feedback on the Fail2ban mailing list?


DPsystems commented on August 26, 2024

Sorry I haven't seen that. But one issue is I don't have a CentOS machine with nftables on it right now to do the test/translate.

However, anybody who does can copy the IPTABLES commands from the set-iptables.sh[-config] script.

When the script is run, it echoes the iptables commands that are used. These can be run through the translator. If I can see an example of how the command is translated, I can create a separate set-nftables.sh-config file for those running nftables.


DPsystems commented on August 26, 2024

For example, here are the two commands that a person might run. How would they be translated using nftables?

```sh
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
```


DPsystems commented on August 26, 2024

Note that I don't have access to a machine that uses an alternate to iptables. I'm sure it's just a minor change but at this point, I'm hoping someone else who knows the alternate command syntax can provide the commands using nftables to accomplish the same thing, then I will add this to the project.


JEAholding commented on August 26, 2024

Thank you for the shell code 🙏🙏, very nice!

I have set up some nftables in the past... If I am correct, nftables tends to be managed via a config file, BUT there are shortcuts to add to it... I usually set up the config file and am done with it....

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

```sh
nft list table <family>
nft (add | delete | flush) table [<family>] <name>
nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>
```

Above example:

```sh
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
```

```sh
nft add rule filter input tcp dport vmap { 20 : drop, 21 : drop, 22 : drop, 110 : drop, 143 : drop, 587 : drop, 989 : drop, 990 : drop, 993 : drop, 994 : drop, 995 : drop, 4190 : drop }
```
or
```sh
nft add rule filter input tcp dport { 20, 21, 22, 110, 143, 587, 989, 990, 993, 994, 995, 4190 } drop
```

The above works if you already have a chain named input in a filter table in your config (with policy to drop); if not, you are going to have to USE the bigger sample code to create the chain and/or table...

==============================

```sh
nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]
```

```sh
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
```
and AFTER
```sh
nft add rule inet filter input tcp dport { 20, 21, 22, 110, 143, 587, 989, 990, 993, 994, 995, 4190 } drop
```

================================
BELOW is a sample config for reference. I use PF but have some cookbook recipes for iptables, ipset and nftables configs.

/etc/nftables.conf

```nft
#!/usr/sbin/nft -f

flush ruleset

# inet applies to both IPv4 and IPv6.
table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # no ping floods:
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop

        # accept traffic originated from us
        ct state established,related accept

        # accept ICMP & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept

        # ssh
        # tcp dport 22 accept
        tcp dport 4762 accept

        # http, https
        tcp dport 80 accept
        tcp dport 443 accept

        # smtp, submission, smtps
        tcp dport 25 accept
        tcp dport 587 accept
        tcp dport 465 accept

        # pop3, pop3s
        tcp dport 110 accept
        tcp dport 995 accept

        # imap, imaps
        tcp dport 143 accept
        tcp dport 993 accept

        # count and drop any other traffic
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
}
```

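For the actual question in this thread (the two iptables rules with the ipset match), here is an added example of the equivalent nftables config, not login-shield's own code: the ipset `login-shield` becomes a named nftables set, and LOG + DROP collapse into one rule because `log` is a non-terminal statement that falls through to `drop`. As far as I know `iptables-translate` leaves the `-m set --match-set` part untranslated, so this mapping has to be done by hand; the table name `login_shield`, the set name `blacklist` and the sample elements are my choices.

```nft
#!/usr/sbin/nft -f
# Added example (not login-shield's own code): nftables equivalent of
#   iptables -I INPUT ... -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
#   iptables -I INPUT ... -m set --match-set login-shield src -j DROP
table inet login_shield {
    set blacklist {
        type ipv4_addr
        flags interval                                  # CIDR blocks as well as single hosts
        elements = { 192.0.2.0/24, 203.0.113.7 }        # constructed sample entries
    }
    chain input {
        # A negative priority runs this chain before a standard "priority 0"
        # filter chain, which is what "iptables -I INPUT" (insert at top) gave you.
        type filter hook input priority -10; policy accept;
        # The prefix matches the iptables rule verbatim; with no trailing space
        # the kernel writes it straight onto IN= (ShD-LgnIN=eth0 ...), exactly
        # as the iptables LOG target does, so the existing log parsing still applies.
        tcp dport { 20, 21, 22, 110, 143, 587, 989, 990, 993, 994, 995, 4190 } ip saddr @blacklist log prefix "ShD-Lgn" counter drop
    }
}
```

Load it with `nft -f <file>`; adding an address later is `nft add element inet login_shield blacklist { 198.51.100.4 }`, the counterpart of adding it to the ipset, so the blacklist-xxxx.sh scripts would only need that one command swapped.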
