fail2ban problems

Discussion in 'General' started by kmullen, Dec 9, 2010.

  1. kmullen

    I recently used the excellent tutorial in "Elastix Without Tears" to lock down my Elastix 2.0 PBX. All went very well.

    However, I am not able to access the PBX from one of the subnets. Here is the setup.

    eth1 IP = 192.168.10.3, LAN (computers on this LAN can reach the PBX)

    There is an additional network, 10.10.1.0/24, that can reach ALL devices on 192.168.10.0/24 through a static route in the router. However, the PBX does not respond to any requests from this network.

    In apf.conf I have IFACE_TRUSTED="eth1".

    I have also set apf -a 10.10.1.0/24.

    Additionally, I have set the following:

    apf -a XXX.XXX.XXX.XXX (my public IP). I am NOT able to access the PBX via port 443.

    The output of apf -l shows the following pertinent lines.

    Chain INPUT (policy ACCEPT 185 packets, 33723 bytes)
    num   pkts   bytes  target  prot opt in    out   source           destination
    1     1639K  73M    ACCEPT  all  --  lo    *     0.0.0.0/0        0.0.0.0/0
    2     73190  15M    ACCEPT  all  --  eth1  *     0.0.0.0/0        0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 263 packets, 46494 bytes)
    num   pkts   bytes  target  prot opt in    out   source           destination
    1     1639K  73M    ACCEPT  all  --  *     lo    0.0.0.0/0        0.0.0.0/0
    2     73680  15M    ACCEPT  all  --  *     eth1  0.0.0.0/0        0.0.0.0/0

    Chain TALLOW (2 references)
    num   pkts   bytes  target  prot opt in    out   source           destination
    1     0      0      ACCEPT  all  --  *     *     0.0.1.187        0.0.0.0/0
    2     0      0      ACCEPT  all  --  *     *     0.0.0.0/0        0.0.1.187
    3     35     2484   ACCEPT  all  --  *     *     xxx.xxx.xxx.xxx  0.0.0.0/0
    4     37     12944  ACCEPT  all  --  *     *     0.0.0.0/0        xxx.xxx.xxx.xxx
    5     0      0      ACCEPT  all  --  *     *     0.0.1.187        0.0.0.0/0
    6     0      0      ACCEPT  all  --  *     *     0.0.0.0/0        0.0.1.187
    7     0      0      ACCEPT  all  --  *     *     10.10.1.0/24     0.0.0.0/0
    8     0      0      ACCEPT  all  --  *     *     0.0.0.0/0        10.10.1.0/24
    9     0      0      ACCEPT  all  --  *     *     0.0.0.80         0.0.0.0/0
    10    0      0      ACCEPT  all  --  *     *     0.0.0.0/0        0.0.0.80
    11    0      0      ACCEPT  all  --  *     *     10.10.1.0/24     0.0.0.0/0
    12    0      0      ACCEPT  all  --  *     *     0.0.0.0/0        10.10.1.0/24


    Anyone have any ideas how to correct this?
     
  2. dicko

    You posted this as a fail2ban problem, yet there is no indication why you think that might be so; there is no indication of any presence of the fail2ban chains (jails, in their parlance) in your iptables.

    You further neglected to state that you installed apf. apf is a firewall script; although it uses iptables, it dynamically changes the raw iptables. I believe you will find it incompatible with the similar behaviour of fail2ban, as the order of inclusion/exclusion would only be allowed for apf's control, and other chains will likely be ignored unless you know exactly how to insert them within the apf schema. Thus any questions you have as to the function of your firewall/router configuration, and indeed the inclusion of chains non-native to apf (the fail2ban ones), should probably be directed to the apf support fora.

    Too many cooks will spoil the broth, please choose one, it will be easier to taste the result.

    dicko
     
  3. kmullen

    I guess I misunderstood the book. I thought the two were configured to work with each other. However, I did find the solution for part of my problem.

    eth0 is my WAN interface and as such is the default gateway.

    I had to define a permanent static route on eth1 to tell it how to find the 10.10.1.0 network. Routing basics, DUH!

    Thanks for your help. I'll update when I fix the problem with access on the WAN side.
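The routing fix kmullen describes, worked through as an added example (not code from the thread, from Elastix or from apf). It simulates the kernel's longest-prefix-match lookup on the routing table the posts describe, so it can show why replies to 10.10.1.0/24 left through the WAN interface eth0 (the default route) instead of eth1, and it emits the line for /etc/sysconfig/network-scripts/route-eth1 that makes the route permanent on a CentOS-based system such as Elastix. Two values are assumptions: 192.168.10.1 as the LAN router that holds the static route to 10.10.1.0/24, and 203.0.113.1 (a TEST-NET address) standing in for the redacted WAN gateway. The last helper is a reading aid for the apf -l output above: 0.0.1.187 and 0.0.0.80 are the 32-bit addresses you get when the bare integers 443 and 80 are parsed as hosts (inet_aton accepts a single number), which is worth checking before trusting a TALLOW chain.

```python
"""Why a host with its default route on eth0 cannot answer a subnet that is
only reachable via eth1, and what the permanent static route looks like.

Added example: this simulates the kernel's longest-prefix-match route
selection and never touches the real routing table.  192.168.10.1 (LAN
router) and 203.0.113.1 (WAN gateway) are assumed values, not from the post.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination network
    dev: str                        # egress interface
    via: Optional[str]              # next hop; None for a directly connected net


def route_lookup(dest: str, table: List[Route]) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose prefix contains dest."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


# Routing table as described before the fix: default route on the WAN
# interface eth0, and the directly connected LAN on eth1.
BEFORE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "203.0.113.1"),       # assumed WAN gateway
    Route(ipaddress.ip_network("192.168.10.0/24"), "eth1", None),          # connected LAN
]

# After the fix: an explicit route for 10.10.1.0/24 through the LAN router.
LAN_ROUTER = "192.168.10.1"   # assumption: router holding the static route to 10.10.1.0/24
AFTER = BEFORE + [Route(ipaddress.ip_network("10.10.1.0/24"), "eth1", LAN_ROUTER)]


def reply_interface(client: str, table: List[Route]) -> str:
    """Interface the PBX uses to send its reply back to `client`."""
    r = route_lookup(client, table)
    return r.dev if r else "unreachable"


def asymmetric(client: str, ingress_dev: str, table: List[Route]) -> bool:
    """True when a request arriving on ingress_dev would be answered on another
    interface.  With IFACE_TRUSTED="eth1" only eth1 traffic is waved through
    unconditionally, so a reply that leaves via eth0 is both subject to the
    WAN-side rules and sent to a gateway that knows nothing about 10.10.1.0/24."""
    return reply_interface(client, table) != ingress_dev


def sysconfig_route_line(network: str, gateway: str, dev: str) -> str:
    """One line for /etc/sysconfig/network-scripts/route-<dev>, in the
    'ip route' syntax that CentOS accepts there, so the route survives reboot."""
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    return f"{net} via {gw} dev {dev}"


def int_as_ipv4(n: int) -> str:
    """How inet_aton renders a bare integer: 443 -> 0.0.1.187, 80 -> 0.0.0.80.
    Use it to recognise port numbers that ended up in a host allow list."""
    return str(ipaddress.ip_address(n))


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: reply to 10.10.1.20 leaves via {reply_interface('10.10.1.20', table)}"
              f" (asymmetric={asymmetric('10.10.1.20', 'eth1', table)})")
    print("route-eth1:", sysconfig_route_line("10.10.1.0/24", LAN_ROUTER, "eth1"))
    print("443 as a host address:", int_as_ipv4(443), " 80:", int_as_ipv4(80))
```

On the live box the equivalent checks are `ip route get 10.10.1.20` before and after adding the route, and `ip route add 10.10.1.0/24 via 192.168.10.1 dev eth1` for the non-persistent version; the route-eth1 file is what makes it survive a reboot. If `apf -l` shows 0.0.1.187 or 0.0.0.80 in an allow chain, look at the allow_hosts file for a line containing just a port number.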
     
