Sync iptables-rulesets

Post by lassebo » Tue, 15 Jan 2008 06:47:57


I am using fail2ban on a server in the LAN to block connections from
suspicious servers. That works very well.

Now I want to block those IP addresses already at the (otherwise
forwarding) gateway. I.e., I am looking for a method to synchronize
the iptables rulesets or, better, to synchronize fail2ban. No, some HA
solutions like ctsync/heartbeat might be too mighty ... I just want to
do something like

iptables-save | grep '^-A fail2ban-' | grep DROP

on the host in the LAN, take the IP addresses that should be blocked and
transfer them via rsync to the gateway and append the rules there to

iptables-save on host 1 with iptables-restore on host 2 will not work,
because the rulesets are far from being identical.

Any ideas? My idea is to use the transferred IP addresses from host 1
in a little shell script on host 2, but that would be a
very, very complicated and ugly script:

- it would have to be transferred continuously, every minute via cron
or so
- it would have to take care of the IP addresses that fail2ban has
released after the ban time.

Maybe there is a tool out there in opensourceland to fit my
needs ... ?

That would be great; otherwise, all help would be appreciated.

Thanks and greetings
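Added example, not code from the post above or from fail2ban itself: the export/transfer/apply loop the post sketches, written as one POSIX sh script that runs in two modes (--export on the LAN host, --apply on the gateway). Both points raised in the post are handled: the list is rebuilt from the live iptables state on every cron run, and the gateway chain is recreated from scratch each time, so an address fail2ban has released simply disappears on the next run with no per-IP bookkeeping. The chain name F2B_SYNC, the file path and the one-minute cron cadence are choices made here, the fail2ban-* chain naming is fail2ban's default, and the iptables-save output below is a constructed sample, not a real capture.

```sh
#!/bin/sh
# Added example, not code from the original post. Pushes the addresses that fail2ban
# currently DROPs on the LAN host into one dedicated chain on the gateway.
# Assumptions: fail2ban's chains are named fail2ban-* (its default iptables actions),
# the gateway-side chain is called F2B_SYNC (a name chosen here), and the list travels
# between the hosts as a plain file (rsync/scp over ssh, see the usage note).
set -u

IPT=${IPT:-iptables}
F2B_CHAIN=${F2B_CHAIN:-F2B_SYNC}

# Constructed sample of `iptables-save` output from the LAN host (not a real capture).
# Two jails ban the same host; each jail chain ends with fail2ban's RETURN rule.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-apache - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A fail2ban-ssh -s 203.0.113.7/32 -j DROP
-A fail2ban-ssh -s 198.51.100.23/32 -j DROP
-A fail2ban-ssh -j RETURN
-A fail2ban-apache -s 203.0.113.7/32 -j DROP
-A fail2ban-apache -j RETURN
COMMIT'

# LAN host: read iptables-save output on stdin and print the banned source addresses,
# one per line. Only DROP rules inside fail2ban-* chains count, the /32 suffix is
# removed, and the list is sorted and deduplicated so it is stable between runs.
extract_banned() {
    awk '
        $1 == "-A" && $2 ~ /^fail2ban-/ && $NF == "DROP" {
            for (i = 3; i < NF; i++) if ($i == "-s") print $(i + 1)
        }
    ' | sed 's#/32$##' | sort -u
}

# Gateway: read the address list on stdin and print the iptables commands that
# rebuild the sync chain from scratch. Recreating the whole chain on every run is
# what handles expiry: an address fail2ban has released is missing from the next
# list and therefore vanishes from the gateway too.
gateway_rules() {
    echo "$IPT -N $F2B_CHAIN 2>/dev/null || true"
    echo "$IPT -F $F2B_CHAIN"
    while IFS= read -r ip; do
        # Accept only a dotted quad with an optional /prefix. Anything else in the
        # transferred file (blank lines, garbage, a crafted "-j ACCEPT") is skipped,
        # so a tampered list can only ever add DROP rules, never open anything.
        case $ip in
            '' | *[!0-9./]* | */*/* ) continue ;;
        esac
        echo "$IPT -A $F2B_CHAIN -s $ip -j DROP"
    done
}

# Gateway: hook the chain into INPUT and FORWARD once, in front of everything else.
# Printed rather than executed, like gateway_rules, so the output can be reviewed.
gateway_hooks() {
    for base in INPUT FORWARD; do
        echo "$IPT -L $base -n | grep -q '^$F2B_CHAIN ' || $IPT -I $base 1 -j $F2B_CHAIN"
    done
}

case ${1:-} in
    --export)   # LAN host, cron: f2b-sync.sh --export > /var/tmp/f2b-banned.txt
        "${IPT}-save" | extract_banned ;;
    --apply)    # gateway, cron: f2b-sync.sh --apply /var/tmp/f2b-banned.txt | sh
        { gateway_hooks; gateway_rules < "$2"; } ;;
esac
```

On the LAN host a cron entry runs `--export` every minute into a file and rsyncs that file to the gateway over ssh; on the gateway a second cron entry runs `--apply FILE | sh`. Two caveats worth knowing: the flush-and-refill leaves a sub-second window in which the sync chain is empty (an `iptables-restore --noflush` fragment that declares only the sync chain avoids that, at the cost of more careful quoting), and the transferred file is input from another host, which is why gateway_rules validates every line instead of trusting it.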