Setting up Fail2ban with IPv6

I will give an example of configuring Fail2ban to work with IPv6 addresses.

Let’s assume Fail2ban is already installed and working with IPv4 addresses; that part is covered in the separate article Installing and Configuring Fail2ban.

Let’s look at the current IPv6 rules first:

ip6tables -nvL

Let’s create an f2b-sshd chain, into which Fail2ban will insert its ban rules, and the chains for any other jails you use. Each chain ends with a RETURN so that traffic from addresses that are not banned continues through INPUT:

ip6tables -N f2b-sshd
ip6tables -A f2b-sshd -j RETURN
ip6tables -N f2b-postfix-pregreet
ip6tables -A f2b-postfix-pregreet -j RETURN
ip6tables -N f2b-dovecot
ip6tables -A f2b-dovecot -j RETURN
ip6tables -N f2b-postfix
ip6tables -A f2b-postfix -j RETURN
ip6tables -N f2b-apache-badbots
ip6tables -A f2b-apache-badbots -j RETURN

Let’s insert the jump to f2b-sshd at the very top of INPUT, so that bans are checked before the port is accepted, and then allow SSH itself:

ip6tables -I INPUT 1 -p tcp -m multiport --dports 22 -j f2b-sshd
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

If IPv6 is only now being configured and there are no other rules yet, add the remaining rules you need, for example:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

Let’s set the default INPUT and FORWARD policies to DROP so that everything not explicitly allowed is blocked, while leaving OUTPUT open:

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

The same insert for another chain, for example the one covering the mail and web ports:

ip6tables -I INPUT 1 -p tcp -m multiport --dports 80,443,25,587,465,110,995,143,993,4190 -j f2b-postfix-pregreet

Let’s save the rules so that they survive a reboot:

ip6tables-save >/etc/iptables/rules.v6
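As an added example (it is not part of the original article), the following script builds the same ruleset as the commands above in ip6tables-save format, so it can be loaded atomically with ip6tables-restore instead of being typed rule by rule, and it includes a check that the jump to a Fail2ban chain really sits above the ACCEPT for that port in INPUT. The jail table, the allowed port list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: generate /etc/iptables/rules.v6
# content for the Fail2ban chains and check rule ordering.

# Constructed jail table: "<chain> <ports>" per line (assumed for this example).
F2B_JAILS='f2b-sshd 22
f2b-postfix-pregreet 80,443,25,587,465,110,995,143,993,4190'

# Constructed list of ports to ACCEPT after the Fail2ban jumps.
ALLOW_PORTS='22 80 443 25'

# Emit a complete *filter section in ip6tables-save format.
gen_rules_v6() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Declare every Fail2ban chain so the jumps below can reference it.
    echo "$F2B_JAILS" | while read -r chain ports; do
        [ -n "$chain" ] || continue
        echo ":$chain - [0:0]"
    done
    # Jumps to the Fail2ban chains come first: bans are evaluated before any ACCEPT.
    echo "$F2B_JAILS" | while read -r chain ports; do
        [ -n "$chain" ] || continue
        echo "-A INPUT -p tcp -m multiport --dports $ports -j $chain"
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for p in $ALLOW_PORTS; do
        echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    # Each Fail2ban chain ends with RETURN; Fail2ban inserts its ban rules above it.
    echo "$F2B_JAILS" | while read -r chain ports; do
        [ -n "$chain" ] || continue
        echo "-A $chain -j RETURN"
    done
    echo 'COMMIT'
}

# Return 0 if, in the ruleset text $1 (ip6tables-save or "ip6tables -S" lines),
# the INPUT jump to chain $2 appears before the ACCEPT for TCP port $3.
# If the ACCEPT came first, Fail2ban's ban rules would never be reached.
f2b_jump_precedes_accept() {
    rules=$1; chain=$2; port=$3
    jump_line=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT .* -j $chain\$" | head -n1 | cut -d: -f1)
    acc_line=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT" | head -n1 | cut -d: -f1)
    [ -n "$jump_line" ] && [ -n "$acc_line" ] && [ "$jump_line" -lt "$acc_line" ]
}

# Usage: ./f2b-rules.sh --print > /etc/iptables/rules.v6 && ip6tables-restore < /etc/iptables/rules.v6
if [ "${1:-}" = "--print" ]; then
    gen_rules_v6
fi
```

Loading the file with ip6tables-restore replaces the whole filter table in one step, so there is no window in which the chains exist but the jumps do not; the ordering check can also be run against the live output of ip6tables -S after Fail2ban has started, to confirm nothing has reordered INPUT.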

IPv6 addresses are removed from the ban in the same way as IPv4 ones:

fail2ban-client set sshd unbanip 2000::::....
