It seems at least once a year I look through my logs to find that fail2ban
is no longer functioning ever since the switch from iptables to firewalld...
I've spent way too much time on this but I really do try to fix things
myself and learn more about the innards of linux.
Currently I'm getting:
ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0
(legacy): Set fail2ban-sshd doesn't exist. Error occurred at line: 2 Try
`iptables-restore -h' or 'iptables-restore --help' for more information.
Well I had switched back to iptables from ipset due to this some time ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1533760
Which was "fixed", so I switched back to firewallcmd-ipset from
iptables-multiport, but the error persists.
Here's where it gets weird. I finally figured out (I'm assuming) that ipset
is what's calling iptables (which is not intuitive from the error), and I see
two things:
The "-n" option is supposed to have a number of seconds after it; I'm not
sure what effect just "-n" has.
It's looking for fail2ban-sshd, however...
Running "ipset list", I saw only one set, but it was called "f2b-sshd"
instead... Ah HAH!
Except when I ran it again there was no output, so the set is "gone"???
Ok, funny how working on writing all this down sometimes helps... Found
what I think is part of the problem.
Comparing firewallcmd-ipset.conf.old and firewallcmd-ipset.conf I see

firewallcmd-ipset.conf.old:
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <b
firewall-cmd --direct --add-rule ipv4 filter <c

firewallcmd-ipset.conf:
[Definition]
actionstart = ipset create <ipmset> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule <family> filte
---
And then later in the new conf file:
ipmset = f2b-<name>
familyopt =
---
So the ipset create call was changed...
So how does firewalld know which set name to look for?
Thanks,
Richard
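The set-name mismatch in the post comes down to how fail2ban expands the <tag> placeholders in an action's .conf file. The following is an added example, not code from the post or from the fail2ban project: a small reader for the [Definition]/[Init] layout of an action file that applies recursive <tag> expansion the way the post's two config versions imply, and reports which ipset name each version's actionstart would create for a jail named "sshd". The two config excerpts are constructed from the fragments quoted above, the [Init] placement of ipmset/familyopt is an assumption, and the ipset output used for the consistency check is constructed as well.

```python
"""Resolve fail2ban-style <tag> substitutions in an action config.

Added example, not fail2ban's own code. It shows why the old
firewallcmd-ipset.conf creates "fail2ban-sshd" while the new one creates
"f2b-sshd", and checks an expected set name against "ipset list" output.
"""
import configparser
import re

TAG_RE = re.compile(r"<([A-Za-z0-9_-]+)>")

# Constructed excerpt modelled on the old config quoted in the post.
OLD_CONF = """
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
"""

# Constructed excerpt modelled on the new config; the [Init] placement of
# ipmset/familyopt is an assumption for this example.
NEW_CONF = """
[Definition]
actionstart = ipset create <ipmset> hash:ip timeout <bantime>
actionban = ipset add <ipmset> <ip> timeout <bantime> -exist

[Init]
ipmset = f2b-<name>
familyopt =
"""


def load_action(text):
    """Return (definition, tags): the [Definition] commands and [Init] defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tags = dict(cp["Init"]) if cp.has_section("Init") else {}
    return dict(cp["Definition"]), tags


def expand(value, tags, max_rounds=20):
    """Substitute <tag> repeatedly, since a tag's value may itself hold tags
    (ipmset = f2b-<name>). Unknown tags are left untouched."""
    for _ in range(max_rounds):
        new = TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), value)
        if new == value:
            return value
        value = new
    raise ValueError("tag substitution did not converge: " + value)


def ipset_name(conf_text, jail, bantime=600):
    """Name of the set that this action's actionstart would create for a jail."""
    definition, tags = load_action(conf_text)
    tags.update({"name": jail, "bantime": str(bantime)})
    cmd = expand(definition["actionstart"], tags)
    # "ipset create <setname> hash:ip ..." -> the set name is the third token
    return cmd.split()[2]


def set_exists(expected, ipset_list_output):
    """True if a 'Name: <set>' header in 'ipset list' output matches expected."""
    names = re.findall(r"^Name:\s*(\S+)", ipset_list_output, re.MULTILINE)
    return expected in names


# Constructed 'ipset list' output, as seen on a host running the new config.
SAMPLE_IPSET_LIST = """Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
"""

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        name = ipset_name(conf, "sshd")
        print(f"{label} config creates set {name}: "
              f"{'present' if set_exists(name, SAMPLE_IPSET_LIST) else 'MISSING'}")
```

If the restored iptables rules reference one name (here "fail2ban-sshd") while the action's expanded actionstart created another ("f2b-sshd"), iptables-restore fails exactly as in the error above; comparing the expanded set name against the live "ipset list" output is the quickest way to confirm which side is stale.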