diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
index 653e3e8..54cfad9 100644
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
@@ -7,12 +7,18 @@
 /sbin/iptables --new-chain $NEW_Fail2Ban
 EOF
- foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
- $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" . " -s " . $ban->key . " -j denylog\n" if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' );
- $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" . " -j RETURN\n";
+ if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' ){
+ foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
+ my $ip = $ban->prop('Host');
+ my $proto = $ban->prop('Protocol') || '';
+ my $port = $ban->prop('Port') || '';
+ $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban -s $ip";
+ $OUT .= " -p $proto" if ($proto =~ m/^tcp|udp|icmp$/);
+ $OUT .= " --dport $port" if ($proto =~ m/^tcp|udp$/ && $port =~ m/^\d+$/);
+ $OUT .= " -j denylog\n"
+ $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" . " -j RETURN\n";
+ }
 }
 # Having created a new Fail2Ban chain, activate it and destroy the old.
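Review bot: The added `$OUT .= " -j denylog\n"` line in the new foreach has no trailing semicolon, so this template fragment is a Perl syntax error and the masq script will fail to expand at all. The two protocol checks are also not the whitelist they look like: in `m/^tcp|udp|icmp$/` the anchors bind to the outer alternatives, so any value beginning with `tcp` (e.g. `tcp;reboot`) passes and is interpolated unquoted into a generated shell script, and `$ip` now comes from the `Host` property with no validation at all where the old code used the record key; both need anchored patterns such as `m/^(?:tcp|udp|icmp)$/` and an address/CIDR check on `$ip`, skipping any record that fails rather than emitting a broken or injectable rule. The `-j RETURN` rule is appended inside the loop, so every ban after the first sits behind a RETURN and is never evaluated; it belongs once, after the loop. If some existing ban records were written before the `Host` property existed, `$ban->prop('Host') || $ban->key` would avoid emitting `-s` with an empty argument, which makes iptables abort the whole chain rebuild.
```perl
    if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' ){
        foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
            my $ip    = $ban->prop('Host') || $ban->key;
            my $proto = $ban->prop('Protocol') || '';
            my $port  = $ban->prop('Port') || '';
            # Everything below is interpolated into a shell script: only
            # strictly whitelisted tokens may reach $OUT, skip the rest.
            next unless $ip =~ m{^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$};
            $OUT .= "    /sbin/iptables --append \$NEW_Fail2Ban -s $ip";
            $OUT .= " -p $proto" if ($proto =~ m/^(?:tcp|udp|icmp)$/);
            $OUT .= " --dport $port" if ($proto =~ m/^(?:tcp|udp)$/ && $port =~ m/^\d+$/);
            $OUT .= " -j denylog\n";
        }
        # One RETURN after all bans; inside the loop it hides every ban but the first.
        $OUT .= "    /sbin/iptables --append \$NEW_Fail2Ban -j RETURN\n";
    }
```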