I have an Ubuntu 9.04 server running libvirt/kvm and fail2ban (for SSH attacks).
Both libvirt and fail2ban integrate with iptables in different ways. Libvirt uses (I think) some XML config and during startup (?) configures forwarding to the VM subnet. Fail2ban installs a custom chain (probably at init) and periodically modifies it to ban/unban probable attackers.
I also need to install my own rules to forward various ports to servers running in VMs and on other machines, and set up rudimentary security (e.g. drop all INPUT traffic except the few ports I want open), and of course I'd like the ability to add/remove rules safely without restarting.
It seems to me iptables is a powerful tool that's sorely lacking some sort of standardized way of juggling all this stuff. Every project, and every sysadmin, seems to do it differently! (And I think there's lots of "cargo cult" admin going on here, with people cloning crude approaches like "use iptables-save like so".)
Short of figuring out the gory details of exactly how both of these (and potentially other) tools manipulate the netfilter tables, and developing my own scripts or just manually executing iptables commands, is there any way to safely work with iptables while not breaking the functionality of these other tools? Any nascent standards or projects defined to bring sanity to this area? Even a helpful web page I missed that might cover at least these two packages together?
This is really old, but for people who search and find this: fail2ban, like a lot of other utilities, is very configurable. You can change your fail2ban action files, like iptables-multiport.conf, to call iptables and create chains in the way you want.
eg.
This creates a rule smack bang in your INPUT chain, which is kind of ugly and unmanageable, but you can quite easily put it in one of your own chains under your control. You can create an INPUT filter which then has chains to other filters for fail2ban, to keep all its stuff out of your INPUT chain, as below.
The same goes for libvirt or Xen, where there are scripts that are called to do the work. Xen, for instance, uses /etc/xen/scripts, in which you'll find network-bridge and others where iptables is called. Design it as you want, and worst case, change the code. I for one use fail2ban to modify a central firewall so all servers are protected, which means iptables on the local machine doesn't show the rules anyway.
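The layout the answer describes (your own chain hung off INPUT, with fail2ban confined to a sub-chain of it) as an added worked example; this is not code from the thread or from the fail2ban or libvirt projects. The chain names `my-input` and `fail2ban-ssh`, the port list and the SSH port are assumptions; `<name>`, `<port>`, `<protocol>` and `<ip>` are fail2ban's own action-file tags. By default the script only prints the iptables commands; set `IPT=iptables` and run it as root to apply them.

```shell
#!/bin/sh
# Added example: keep fail2ban's bans in a chain reached from a chain you own,
# so neither fail2ban nor your own rebuilds have to touch INPUT directly.
# Dry run by default (prints commands); IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
OWN_CHAIN="${OWN_CHAIN:-my-input}"        # hypothetical: the chain you control
F2B_CHAIN="${F2B_CHAIN:-fail2ban-ssh}"    # must be fail2ban-<jail name>
SSH_PORT="${SSH_PORT:-22}"                # assumed SSH port
OPEN_PORTS="${OPEN_PORTS:-22 80 443}"     # constructed sample of ports to accept

dry_run() { case "$IPT" in echo*) return 0 ;; *) return 1 ;; esac; }

# Create a chain only if it is missing, so the script can be re-run safely.
ensure_chain() {
    if dry_run || ! $IPT -n -L "$1" >/dev/null 2>&1; then
        $IPT -N "$1"
    fi
}

# True when INPUT already jumps to our chain. iptables-save is used because
# old releases lack `iptables -C`; the dry run treats the jump as absent.
input_jump_present() {
    dry_run && return 1
    iptables-save -t filter | grep -q -- "^-A INPUT -j $OWN_CHAIN\$"
}

setup_layout() {
    ensure_chain "$OWN_CHAIN"
    ensure_chain "$F2B_CHAIN"
    # Flush only our own chain: INPUT, libvirt's rules and the fail2ban
    # chain (with its current bans) are left alone.
    $IPT -F "$OWN_CHAIN"
    $IPT -A "$OWN_CHAIN" -i lo -j ACCEPT
    $IPT -A "$OWN_CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH goes through fail2ban's chain first: banned sources are dropped
    # there, everything else returns here and is accepted below.
    $IPT -A "$OWN_CHAIN" -p tcp --dport "$SSH_PORT" -j "$F2B_CHAIN"
    for p in $OPEN_PORTS; do
        $IPT -A "$OWN_CHAIN" -p tcp --dport "$p" -j ACCEPT
    done
    # Anything else falls through (implicit RETURN) to the rest of INPUT, so
    # rules libvirt inserted there for its bridge are still evaluated before
    # the chain policy applies.
    input_jump_present || $IPT -I INPUT 1 -j "$OWN_CHAIN"
    # Drop-by-default policy goes on last, once the accept rules exist.
    $IPT -P INPUT DROP
}

# Print a fail2ban action file (a replacement for iptables-multiport.conf)
# that never creates or deletes anything in INPUT: the chain and the jump to
# it are owned by setup_layout above, fail2ban only adds and removes bans.
f2b_action_conf() {
    cat <<EOF
[Definition]
actionstart = true
actionstop = iptables -F fail2ban-<name>
actioncheck = iptables -n -L fail2ban-<name> >/dev/null 2>&1
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
EOF
}

# Usage: sh firewall-layout.sh layout   (print or apply the chain layout)
#        sh firewall-layout.sh action   (print the fail2ban action file)
case "${1:-}" in
    layout) setup_layout ;;
    action) f2b_action_conf ;;
esac
```

Because the jump from INPUT is inserted only once and the rebuild flushes just `my-input`, the script can be re-run to add or remove ports without restarting anything; fail2ban's existing bans in `fail2ban-ssh` survive the rebuild, and its `actioncheck` only verifies that the chain exists. The chain name passed as `F2B_CHAIN` has to match `fail2ban-<name>` for the jail that uses the action file.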