I will give an example of configuring Fail2ban to work with IPv6 addresses.
Let’s say Fail2ban is already installed and works with IPv4 addresses (see "Installing and Configuring Fail2ban").
Let’s look at the current rules for IPv6:
ip6tables -nvL
Let’s create the chain f2b-sshd, into which Fail2ban will add its IP address ban rules, and create other chains if necessary:
ip6tables -N f2b-sshd
ip6tables -A f2b-sshd -j RETURN
ip6tables -N f2b-postfix-pregreet
ip6tables -A f2b-postfix-pregreet -j RETURN
ip6tables -N f2b-dovecot
ip6tables -A f2b-dovecot -j RETURN
ip6tables -N f2b-postfix
ip6tables -A f2b-postfix -j RETURN
ip6tables -N f2b-apache-badbots
ip6tables -A f2b-apache-badbots -j RETURN
Let’s insert a rule at the beginning of the INPUT chain that sends SSH traffic through f2b-sshd, and then allow port 22:
ip6tables -I INPUT 1 -p tcp -m multiport --dports 22 -j f2b-sshd
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
If IPv6 is only now being configured and there are no other rules yet, add the other rules you need, for example:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
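Let’s set the default INPUT and FORWARD policies to DROP to block everything that is not explicitly allowed (do this only after the ACCEPT rules above are in place, so that an SSH session over IPv6 is not cut off):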
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
An example of the jump rule for another chain:
ip6tables -I INPUT 1 -p tcp -m multiport --dports 80,443,25,587,465,110,995,143,993,4190 -j f2b-postfix-pregreet
Let’s save the rules so that they are not reset after a reboot:
ip6tables-save >/etc/iptables/rules.v6
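The same rules can also be written directly in the ip6tables-restore format, which applies policies and rules in one commit. The script below is an added example, not part of the original article: the function and variable names are assumptions, the chains and ports are the ones used above, and it also checks that the jumps to the f2b chains come before the ACCEPT rules.

```shell
#!/bin/sh
# Added example (not from the original page). Names are assumptions;
# chains and ports are the ones used in the commands on this page.
JAILS="f2b-sshd:22 f2b-postfix-pregreet:80,443,25,587,465,110,995,143,993,4190"
EXTRA_CHAINS="f2b-dovecot f2b-postfix f2b-apache-badbots"  # no jump rule on the page
ALLOW_TCP="22 80 443 25"

# Print the whole filter table in ip6tables-restore format.
gen_rules_v6() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for j in $JAILS; do echo ":${j%%:*} - [0:0]"; done
    for c in $EXTRA_CHAINS; do echo ":$c - [0:0]"; done
    # Jumps to the ban chains go first, so a banned address hits its ban
    # rule before any ACCEPT rule for the same port can match it.
    for j in $JAILS; do
        echo "-A INPUT -p tcp -m multiport --dports ${j#*:} -j ${j%%:*}"
    done
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -p ipv6-icmp -j ACCEPT"
    echo "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for p in $ALLOW_TCP; do
        echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    for j in $JAILS; do echo "-A ${j%%:*} -j RETURN"; done
    for c in $EXTRA_CHAINS; do echo "-A $c -j RETURN"; done
    echo "COMMIT"
}

# Read a ruleset on stdin; fail if a jump to an f2b chain in INPUT comes
# after a per-port ACCEPT rule (bans would then never be consulted).
check_order() {
    awk '
        /^-A INPUT/ && /--dport / && /-j ACCEPT/ { seen_accept = 1 }
        /^-A INPUT/ && /-j f2b-/ && seen_accept  { bad = 1 }
        END { exit bad + 0 }
    '
}

# Usage (as root; --test parses the file without committing it):
#   gen_rules_v6 > /tmp/rules.v6
#   check_order < /tmp/rules.v6 && ip6tables-restore --test < /tmp/rules.v6
# Note: loading a file with ip6tables-restore flushes the table first,
# including ban rules already present in the f2b chains.
```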
IPv6 addresses are unbanned in the same way as IPv4 addresses:
fail2ban-client set sshd unbanip 2000::::....