[pkg-netfilter-team] Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 16 09:37:17 GMT 2018


Package: iptables
Version: 1.8.2-2
Severity: grave

The fail2ban attack prevention software scans log files and adds
firewall rules dynamically to iptables/ip6tables to prevent DoS and
login scanning attacks in realtime.

Since upgrading iptables to the 1.8.2 version it has been completely
unable to do that vital task due to problems within nftables / iptables.

The example that I am facing right now is with large, active DoS and
email spam attacks. When fail2ban attempts to add the firewall
blocks, such as:

 iptables -w -I f2b-postfix-sasl 1 -s 80.82.70.189 \
  -j REJECT --reject-with icmp-port-unreachable


iptables produces an error:

 iptables v1.8.2 (nf_tables):  RULE_INSERT failed (Invalid argument): rule in chain f2b-postfix-sasl

the system log matching that iptables update attempt states:

 x_tables: ip_tables: REJECT target: used from hooks FORWARD/OUTPUT/POSTROUTING, but only usable from INPUT/FORWARD/OUTPUT

That appears to be a lie. The f2b-postfix-sasl chain is a sub-chain of the
INPUT table and is not in any way connected to the FORWARD, OUTPUT or
POSTROUTING tables.


iptables -L -nv
Chain INPUT (policy ACCEPT 1727M packets, 3523G bytes)
 pkts bytes target     prot opt in     out     source               destination
 9531 7001K f2b-postfix-sasl  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,143,993,110,995
 9531 7001K f2b-courier-auth  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,143,993,110,995
 8629 6907K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
 2994  278K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
6412K 2086M f2b-postfix-sasl  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,143,993,110,995
6412K 2086M f2b-courier-auth  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587,143,993,110,995
3053K  829M f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
  11M  663M f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1230M packets, 132G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (2 references)
 pkts bytes target     prot opt in     out     source               destination
 5988  556K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-postfix (2 references)
 pkts bytes target     prot opt in     out     source               destination
17258   14M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-courier-auth (2 references)
 pkts bytes target     prot opt in     out     source               destination
19062   14M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-postfix-sasl (2 references)
 pkts bytes target     prot opt in     out     source               destination
19062   14M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

AYJ