From 2f8315532658e5ad1acea72b357a5dc4878a4a93 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 10 Sep 2009 13:15:55 +0200
Subject: [PATCH 1/1] fail2ban: Allow the INPUT chain to be customized.
---
 etc/fail2ban/action.d/iptables-multiport.conf | 11 ++++++++---
 etc/fail2ban/jail.conf | 2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/etc/fail2ban/action.d/iptables-multiport.conf b/etc/fail2ban/action.d/iptables-multiport.conf
index 84c7d53..f0aebba 100644
--- a/etc/fail2ban/action.d/iptables-multiport.conf
+++ b/etc/fail2ban/action.d/iptables-multiport.conf
@@ -13,13 +13,13 @@
 #
 actionstart = iptables -N fail2ban-
 iptables -A fail2ban- -j RETURN
- iptables -I INPUT -p -m multiport --dports -j fail2ban-
+ iptables -I -p -m multiport --dports -j fail2ban-

 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban-
+actionstop = iptables -D -p -m multiport --dports -j fail2ban-
 iptables -F fail2ban-
 iptables -X fail2ban-

@@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -j fai
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-
+actioncheck = iptables -n -L | grep -q fail2ban-

 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -67,3 +67,8 @@ port = ssh
 #
 protocol = tcp

+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
diff --git a/etc/fail2ban/jail.conf b/etc/fail2ban/jail.conf
index c991155..a64370f 100644
--- a/etc/fail2ban/jail.conf
+++ b/etc/fail2ban/jail.conf
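Review bot: In `actionstart`, the jump rule is now inserted into whatever chain the new `chain` option names, but nothing in the action creates that chain or confirms that inbound traffic reaches it. If the named chain does not exist, the `iptables -I` line fails after `iptables -N` and `iptables -A` have already run, and bans recorded in the `fail2ban-` chain would then never be evaluated; `actioncheck` would presumably notice only at the first ban. The chain placeholder itself appears to have been dropped by this page's rendering, so this is read from the commit subject and the new option. I would state the requirement next to the option, for example `# The chain must already exist and be reached from INPUT, otherwise bans have no effect.`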
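Review bot: The new `chain` option block does not follow the option header format used in the rest of this file: it has `# Notes` where the other options use `# Notes.:`, and it lacks the bare `#` line that separates the header from the assignment. The value is also substituted into iptables command lines that a shell executes (the `actioncheck` line uses a pipe), so the notes should say it must be a plain chain name. Suggested header: `# Notes.: iptables chain to which the fail2ban jump rule is added; a plain chain name only`, followed by `# Values: STRING Default: INPUT` and `#`.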
@@ -55,7 +55,7 @@ protocol = tcp
 # Action shortcuts. To be used to define action parameter

 # The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(action_)s
--
2.30.2
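Review bot: `action_` now interpolates `%(chain)s`, but this commit changes only that one line of jail.conf (the diffstat shows one insertion and one deletion), so no default for `chain` is added on the jail side. Unless `chain` is already defined in a part of jail.conf not shown here, the interpolation has nothing to resolve and every jail built on `action_`, including `action_mw`, would likely fail to load, leaving those services without bans. Adding `chain = INPUT` next to the existing `protocol = tcp` default would keep current setups working. The section that holds these defaults starts outside the hunk.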