Here I would like to discuss an improvement to the firewall to be able to make use of the firewall while still maintaining a whitelist of trusted IPs.
You have the firewall, which seems to modify iptables, and then you have fail2ban, which monitors and successfully bans IPs that have too many bad attempts.
Then you have the whitelist, which lets you whitelist an IP; that basically allows any traffic from whitelisted IPs.
If you whitelist a client’s IP, any rule you create in the firewall will NOT affect this IP.
So for example, if you only want to expose the ARI port or any other custom ports only from specific IPs, all IPs in the whitelist will still be able to access these ports.
There are many more examples…
In iptables, give the firewall rules a higher priority than the whitelist.
Meaning, let’s say we try to register an endpoint:
- IP tries to register.
- Check iptable rules if the firewall has any rules to prevent this IP/port from being accessed.
- Found prevent: drop
- Did not find: continue
- Allow IP to register.
- If many failed attempts happen, let fail2ban decide
- If IP is whitelisted: Allow further attempts.
- If IP is NOT whitelisted: block the IP.
Important Note: An IP that was banned by fail2ban should still be the top priority, as we do not want them to be able to process anything.
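A constructed shell sketch of the ordering described above, added here as an example; it is not code from the original post or from any firewall product. The IP addresses, the ARI port 8088 and the SIP port 5060 are assumptions used only for the simulation, and `emit_rules` only prints the iptables commands that would implement the same order rather than running them.

```shell
#!/bin/sh
# Added example: simulate the proposed order of evaluation
#   1. fail2ban bans  2. firewall rules  3. whitelist  4. everything else
# Sample data below is constructed for illustration (not real hosts).
BANNED_IPS="203.0.113.9"               # assumed: IPs fail2ban has already banned
TRUSTED_IPS="198.51.100.5 192.0.2.10"  # assumed: the whitelist
ARI_PORT=8088                          # assumed port for the ARI example
ARI_ALLOWED="192.0.2.10"               # assumed: firewall rule, only this IP may reach ARI

# in_list NEEDLE "ITEM ITEM ..." -> 0 if NEEDLE is in the list, 1 otherwise
in_list() {
  for item in $2; do
    [ "$item" = "$1" ] && return 0
  done
  return 1
}

# decide SRC_IP DST_PORT -> prints DROP or ACCEPT following the proposed order
decide() {
  src=$1
  port=$2
  # 1. A fail2ban ban wins over everything, whitelist included.
  if in_list "$src" "$BANNED_IPS"; then
    echo DROP; return
  fi
  # 2. Firewall rules come before the whitelist: a restricted port reached
  #    from a source the rule does not allow is dropped even for trusted IPs.
  if [ "$port" = "$ARI_PORT" ] && ! in_list "$src" "$ARI_ALLOWED"; then
    echo DROP; return
  fi
  # 3. Whitelisted IPs are accepted and (see emit_rules) never handed to fail2ban.
  if in_list "$src" "$TRUSTED_IPS"; then
    echo ACCEPT; return
  fi
  # 4. Everyone else is accepted here; fail2ban watches their failed attempts.
  echo ACCEPT
}

# emit_rules -> prints the iptables/fail2ban configuration that encodes the
# same order. Printed, not executed, so the sketch runs without root.
emit_rules() {
  echo "# 1. bans first (fail2ban normally inserts its own chain at the top of INPUT)"
  for ip in $BANNED_IPS; do
    echo "iptables -I INPUT 1 -s $ip -j DROP"
  done
  echo "# 2. firewall rules: only allowed sources may reach the ARI port"
  echo "iptables -N ari-rules"
  for ip in $ARI_ALLOWED; do
    echo "iptables -A ari-rules -s $ip -j ACCEPT"
  done
  echo "iptables -A ari-rules -j DROP"
  echo "iptables -A INPUT -p tcp --dport $ARI_PORT -j ari-rules"
  echo "# 3. whitelist after the firewall rules"
  for ip in $TRUSTED_IPS; do
    echo "iptables -A INPUT -s $ip -j ACCEPT"
  done
  echo "# fail2ban side: trusted IPs are never banned (jail.local [DEFAULT])"
  echo "ignoreip = 127.0.0.1/8 $TRUSTED_IPS"
}

# Stand-alone run: show a few decisions, then the generated rules.
for pair in "203.0.113.9 5060" "198.51.100.5 8088" "192.0.2.10 8088" "198.51.100.5 5060"; do
  set -- $pair
  echo "$1 -> port $2: $(decide "$1" "$2")"
done
emit_rules
```

The interesting case is a whitelisted IP hitting the ARI port without being in the rule's allowed list: the proposed order drops it, whereas a whitelist-first order would let it through. The banned IP is dropped regardless of port or whitelist membership, matching the note above.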
This solution prevents trusted/whitelisted IPs from getting banned and immediately drops traffic from all banned IPs, while at the same time it also gives you the ability, via the firewall, to control traffic for literally every kind of incoming request.
Some people suggested that perhaps this should be a toggle to enable/disable giving priority to the firewall rules.