Firewall apparently leaking
firehol at acrasis.net
Sun Apr 26 10:35:40 BST 2020
FireHOL 3.1 on Debian stable. iptables is symlinked to iptables-legacy.
To block some ip addresses from my web server on port 80, my
firehol.conf uses an ipset:
interface any world
ipv4 ipset create f2b-http hash:ip comment timeout 2147483
server4 http drop src ipset:f2b-http connlog "f2b-http"
server http accept with recent web 10 4
server http reject connlog "ratelimit http"
(I don't think the last two lines are relevant, but just in case.)
I use fail2ban to add ip addresses to the set, or I can add an ip
address myself from the shell. I've tested with two outside ipv4
addresses that I have access to. Both have access to port 80 until I
add the address to the f2b-http set and then they don't. In addition
to those two, the log file /var/log/ulog/syslogemu.log shows ip
addresses getting blocked, e.g.
Apr 25 12:13:50 rolly f2b-http: IN=ens3 OUT=
MAC=... SRC=188.8.131.52 DST=184.108.40.206 LEN=44 TOS=00
PREC=0x00 TTL=109 ID=9999 PROTO=TCP SPT=23304 DPT=80 SEQ=1425435408
ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
However, several times a day fail2ban logs a warning that an ip
address is "already banned". In every case I've checked, the address
*was* in the ipset, i.e. I think fail2ban has operated correctly. Yet
the address still appears in a request in my web server's log.
For example, 220.127.116.11 made a request to my web server that
triggered a ban. fail2ban logged "18.104.22.168 already banned". Bans
have a timeout of 2147483s or 24.8 days. The ip address was present
in the ipset with 1828358s remaining or 21 days.
The relevant rule generated by firehol appears to be
DROP_CL3 tcp -- anywhere anywhere match-set f2b-http src !
update-counters ! update-subcounters tcp spts:1024:65535 dpt:http
I wondered whether the client was using a port below 1024. I updated
the rule with 'iptables -t filter --replace' to change the source port
range to 1:65535 but "already banned" warnings continue.
What can I check to find out how some ip addresses are apparently
evading the firewall?
More information about the Firehol-support