
Firewall with Fail2ban support

Serghey Rodin 11 ani în urmă
părinte
comite
357eb42647

+ 78 - 0
bin/v-add-firewall-ban

@@ -0,0 +1,78 @@
+#!/bin/bash
+# info: add firewall blocking rule
+# options: IP CHAIN
+#
+# The function adds new blocking rule to system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+ip=$1
+chain=$(echo $2|tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path for iptables and modprobe
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'IP CHAIN'
+validate_format 'ip' 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking server ip
+if [ -e "$VESTA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
+    exit
+fi
+
+# Checking ip exclusions
+excludes="$VESTA/data/firewall/excludes.conf"
+check_excludes=$(grep "^$ip$" $excludes 2>/dev/null)
+if  [ ! -z "$check_excludes" ]; then
+    exit
+fi
+
+# Checking ip in banlist
+conf="$VESTA/data/firewall/banlist.conf"
+check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2>/dev/null)
+if [ ! -z "$check_ip" ]; then
+    exit
+fi
+
+# Adding chain
+$BIN/v-add-firewall-chain $chain
+
+# Adding ip to banlist
+echo "IP='$ip' CHAIN='$chain' TIME='$TIME' DATE='$DATE'" >> $conf
+$iptables -I fail2ban-$chain 1 -s $ip \
+    -j REJECT --reject-with icmp-port-unreachable 2>/dev/null
+
+# Changing permissions
+chmod 660 $conf
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
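Review bot: `banlist.conf` is appended before the iptables rule is inserted, and neither `$BIN/v-add-firewall-chain $chain` nor the `$iptables -I ... 2>/dev/null` call has its exit status checked, so when the chain cannot be created (an unknown chain name with no port makes v-add-firewall-chain fail its own check_args) or iptables rejects the rule, the file records a ban that the kernel never enforces. Insert first and record only on success: `$BIN/v-add-firewall-chain $chain || exit $?`, then `$iptables -I fail2ban-$chain 1 -s $ip -j REJECT --reject-with icmp-port-unreachable || exit $?`, and only after that the `echo ... >> $conf` line. The three early `exit` calls (server IP, excludes, already banned) return 0 without logging, so a caller such as the web form shows BANLIST_CREATED_OK although nothing changed; returning 0 may be intended for fail2ban actions, but the silent path deserves a comment or a log_event.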

+ 83 - 0
bin/v-add-firewall-chain

@@ -0,0 +1,83 @@
+#!/bin/bash
+# info: add firewall chain
+# options: CHAIN [PORT] [PROTOCOL] [PROTOCOL]
+#
+# The function adds new rule to system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
+port=$2
+protocol=${4-TCP}
+protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path to iptables
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
+validate_format 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking known chains
+case $chain in
+    SSH)        port=22; protocol=TCP ;;
+    FTP)        port=21; protocol=TCP  ;;
+    MAIL)       port=25; protocol=TCP  ;;
+    DNS)        port=53; protocol=UDP  ;;
+    HTTP)       port=80; protocol=TCP  ;;
+    HTTPS)      port=443; protocol=TCP  ;;
+    POP3)       port=110; protocol=TCP  ;;
+    IMAP)       port=143; protocol=TCP  ;;
+    MYSQL)      port=3306; protocol=TCP  ;;
+    POSTGRES)   port=5432; protocol=TCP  ;;
+    VESTA)      port=8083; protocol=TCP  ;;
+    *)          check_args '2' "$#" 'CHAIN PORT' ;;
+esac
+
+# Adding chain
+$iptables -N fail2ban-$chain 2>/dev/null
+if [ $? -eq 0 ]; then
+    $iptables -A fail2ban-$chain -j RETURN
+    $iptables -I INPUT -p $protocol --dport $port -j fail2ban-$chain
+fi
+
+# Preserving chain
+chains=$VESTA/data/firewall/chains.conf
+check_chain=$(grep "CHAIN='$chain'" $chains 2>/dev/null)
+if [ -z "$check_chain" ]; then
+    echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
+fi
+
+# Changing permissions
+chmod 660 $chains
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
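Review bot: `protocol=${4-TCP}` reads the fourth argument, but the usage line and `port=$2` put PROTOCOL third, so a protocol supplied as `$3` is ignored and TCP is always used; it should be `protocol=${3-TCP}`, and the options comment repeats `[PROTOCOL]` twice. In the `*)` arm a custom chain's `$port` and `$protocol` are only counted, never validated, before being passed to `$iptables -I INPUT -p $protocol --dport $port` and written into chains.conf, which v-delete-firewall-chain and v-update-firewall later `eval` line by line — a stray quote in either value would execute as shell there. Add a validate_format call for both in that arm; v-add-firewall-rule validates them under the names `protocol` and `port_ext`, so the variable may need renaming or a `port` case added to validate_format, which I cannot see from here.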

+ 19 - 15
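--- a/bin/v-add-sys-firewall-rule
+++ b/bin/v-add-firewall-rule
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add firewall rule
-# options: ACTION PROTOCOL PORT IP [COMMENT] [RULE]
+# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]
 #
 # The function adds new rule to system firewall
 
@@ -9,11 +9,15 @@
 #                    Variable&Function                     #
 #----------------------------------------------------------#
 
+# Importing system variables
+source /etc/profile
+
 # Argument defenition
 action=$(echo $1|tr '[:lower:]' '[:upper:]')
-protocol=$(echo $2|tr '[:lower:]' '[:upper:]')
+ip=$2
 port_ext=$3
-ip=$4
+protocol=${4-TCP}
+protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 comment=$5
 rule=$6
 
@@ -24,17 +28,17 @@ source $VESTA/conf/vesta.conf
 # Get next firewall rule id
 get_next_fw_rule() {
     if [ -z "$rule" ]; then
-        curr_str=$(grep "RULE=" $VESTA/data/firewall/rules_ipv4.conf |\
+        curr_str=$(grep "RULE=" $VESTA/data/firewall/rules.conf |\
          cut -f 2 -d \' | sort -n | tail -n1)
         rule="$((curr_str +1))"
     fi
 }
 
 sort_fw_rules() {
-    cat $VESTA/data/firewall/rules_ipv4.conf |\
-        sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
-    mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
-        $VESTA/data/firewall/rules_ipv4.conf
+    cat $VESTA/data/firewall/rules.conf |\
+        sort -n -k 2 -t \' > $VESTA/data/firewall/rules.conf.tmp
+    mv -f $VESTA/data/firewall/rules.conf.tmp \
+        $VESTA/data/firewall/rules.conf
 }
 
 
@@ -42,12 +46,12 @@ sort_fw_rules() {
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '4' "$#" 'ACTION PROTOCOL PORT IP [COMMENT] [RULE]'
+check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]'
 validate_format 'action' 'protocol' 'port_ext' 'ip'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 get_next_fw_rule
 validate_format 'rule'
-is_object_new '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+is_object_new '../../data/firewall/rules' 'RULE' "$rule"
 if [ ! -z "$comment"]; then
     validate_format 'comment'
 fi
@@ -57,22 +61,22 @@ fi
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Concatenating cron string
+# Concatenating rule
 str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
 str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
 str="$str TIME='$TIME' DATE='$DATE'"
 
-# Adding to crontab
-echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+# Adding to config
+echo "$str" >> $VESTA/data/firewall/rules.conf
 
 # Changing permissions
-chmod 660 $VESTA/data/firewall/rules_ipv4.conf
+chmod 660 $VESTA/data/firewall/rules.conf
 
 # Sorting firewall rules by id number
 sort_fw_rules
 
 # Updating system firewall
-$BIN/v-update-sys-firewall
+$BIN/v-update-firewall
 
 
 #----------------------------------------------------------#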
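Review bot: The comment check that survives on the new side, `if [ ! -z "$comment"]; then`, has no space before `]`, so the test is `-z "<comment>]"`, which is never empty, and validate_format 'comment' runs even when no comment was given; v-change-firewall-rule in this same commit spells it correctly as `if [ ! -z "$comment" ]; then`. Separately, `protocol=${4-TCP}` only defaults when the argument is absent; the web caller always passes `$v_protocol`, and escapeshellarg of an empty field yields `''`, so an empty protocol reaches validate_format instead of the default — `protocol=${4:-TCP}` covers both cases, assuming an explicitly empty protocol is meant to mean TCP.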

+ 20 - 13
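--- a/bin/v-change-sys-firewall-rule
+++ b/bin/v-change-firewall-rule
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: change firewall rule
-# options: RULE ACTION PROTOCOL PORT IP [COMMENT]
+# options: RULE ACTION IP PORT [PROTOCOL] [COMMENT]
 #
 # The function is used for changing existing firewall rule.
 # It fully replace rule with new one but keeps same id.
@@ -10,12 +10,16 @@
 #                    Variable&Function                     #
 #----------------------------------------------------------#
 
+# Importing system variables
+source /etc/profile
+
 # Argument defenition
 rule=$1
 action=$(echo $2|tr '[:lower:]' '[:upper:]')
-protocol=$(echo $3|tr '[:lower:]' '[:upper:]')
+ip=$3
 port_ext=$4
-ip=$5
+protocol=${5-TCP}
+protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 comment=$6
 
 # Includes
@@ -24,10 +28,10 @@ source $VESTA/conf/vesta.conf
 
 # Sort function
 sort_fw_rules() {
-    cat $VESTA/data/firewall/rules_ipv4.conf |\
-        sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
-    mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
-        $VESTA/data/firewall/rules_ipv4.conf
+    cat $VESTA/data/firewall/rules.conf |\
+        sort -n -k 2 -t \' > $VESTA/data/firewall/rules.conf.tmp
+    mv -f $VESTA/data/firewall/rules.conf.tmp \
+        $VESTA/data/firewall/rules.conf
 }
 
 
@@ -35,10 +39,13 @@ sort_fw_rules() {
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '5' "$#" 'RULE ACTION PROTOCOL PORT IP [COMMENT]'
-validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'
+check_args '5' "$#" 'RULE ACTION IP  PORT [PROTOCOL] [COMMENT]'
+validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip'
+if [ ! -z "$comment" ]; then
+    validate_format 'comment'
+fi
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
-is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
 
 
 #----------------------------------------------------------#
@@ -51,16 +58,16 @@ str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
 str="$str TIME='$TIME' DATE='$DATE'"
 
 # Deleting old rule
-sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf
 
 # Adding new
-echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+echo "$str" >> $VESTA/data/firewall/rules.conf
 
 # Sorting firewall rules by id number
 sort_fw_rules
 
 # Updating system firewall
-$BIN/v-update-sys-firewall
+$BIN/v-update-firewall
 
 
 #----------------------------------------------------------#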
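Review bot: `check_args '5' "$#" 'RULE ACTION IP  PORT [PROTOCOL] [COMMENT]'` still demands five arguments although PROTOCOL is now optional and defaulted by `protocol=${5-TCP}`, so the documented four-argument form is rejected before the default can apply; it should be `check_args '4' "$#" 'RULE ACTION IP PORT [PROTOCOL] [COMMENT]'` (also dropping the doubled space in the usage string). As in v-add-firewall-rule, `${5-TCP}` does not cover an explicitly empty argument, which is what the web edit page sends for a blank field, so `${5:-TCP}` is the more useful default.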

+ 63 - 0
bin/v-delete-firewall-ban

@@ -0,0 +1,63 @@
+#!/bin/bash
+# info: delete firewall blocking rule
+# options: IP CHAIN
+#
+# The function deletes blocking rule from system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+ip=$1
+chain=$(echo $2|tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path for iptables and modprobe
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'IP CHAIN'
+validate_format 'ip' 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking ip in banlist
+conf="$VESTA/data/firewall/banlist.conf"
+check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2>/dev/null)
+if [ -z "$check_ip" ]; then
+    exit
+fi
+
+# Deleting ip from banlist
+sed -i "/IP='$ip' CHAIN='$chain'/d" $conf
+$iptables -D fail2ban-$chain -s $ip \
+    -j REJECT --reject-with icmp-port-unreachable 2>/dev/null
+
+# Changing permissions
+chmod 660 $conf
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
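Review bot: The banlist record is removed with `sed -i` before `$iptables -D ... 2>/dev/null` runs, and the iptables exit status is discarded, so if the delete fails (chain removed out of band, rule inserted with different parameters) the address stays blocked in the kernel while the panel no longer lists it and can no longer remove it. Delete the rule first and drop the record only on success: `$iptables -D fail2ban-$chain -s $ip -j REJECT --reject-with icmp-port-unreachable || exit $?` followed by the existing `sed -i "/IP='$ip' CHAIN='$chain'/d" $conf`. The grep lookup also passes `$ip` as a regex; since the value is validated as an IP this is harmless today, but `grep -F` would state the intent.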

+ 66 - 0
bin/v-delete-firewall-chain

@@ -0,0 +1,66 @@
+#!/bin/bash
+# info: delete firewall chain
+# options: CHAIN
+#
+# The function adds new rule to system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path to iptables
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'CHAIN'
+validate_format 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Deleting chain
+chains=$VESTA/data/firewall/chains.conf
+banlist=$VESTA/data/firewall/banlist.conf
+chain_param=$(grep "CHAIN='$chain'" $chains 2>/dev/null)
+if [ ! -z "$chain_param" ]; then
+    eval $chain_param
+    sed -i "/CHAIN='$chain'/d" $chains
+    sed -i "/CHAIN='$chain'/d" $banlist
+    $iptables -D INPUT -p $PROTOCOL \
+        --dport $PORT -j fail2ban-$CHAIN 2>/dev/null
+fi
+
+# Deleting iptables chain
+$iptables -F fail2ban-$CHAIN 2>/dev/null
+$iptables -X fail2ban-$CHAIN 2>/dev/null
+
+# Changing permissions
+chmod 660 $chains
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
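Review bot: The flush and delete at the end use `$CHAIN`, which is only set by `eval $chain_param` inside the preceding `if`; when the chain is not listed in chains.conf, `$CHAIN` is empty and the script runs `-F fail2ban-` / `-X fail2ban-` against a nonexistent name while the real `fail2ban-$chain` chain is left in the kernel. Use the validated argument: `$iptables -F fail2ban-$chain 2>/dev/null` and `$iptables -X fail2ban-$chain 2>/dev/null`. The `eval` of a line read from chains.conf also means whatever v-add-firewall-chain wrote into PORT or PROTOCOL executes as shell here, one more reason for that script to validate those fields before saving them. The info comment, "The function adds new rule to system firewall", is copied from the add script and should say the function deletes a fail2ban chain.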

+ 6 - 3
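--- a/bin/v-delete-sys-firewall-rule
+++ b/bin/v-delete-firewall-rule
@@ -9,6 +9,9 @@
 #                    Variable&Function                     #
 #----------------------------------------------------------#
 
+# Importing system variables
+source /etc/profile
+
 # Argument defenition
 rule=$1
 
@@ -24,7 +27,7 @@ source $VESTA/conf/vesta.conf
 check_args '1' "$#" 'RULE'
 validate_format 'rule'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
-is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
 
 
 #----------------------------------------------------------#
@@ -32,10 +35,10 @@ is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
 #----------------------------------------------------------#
 
 # Deleting rule
-sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf
 
 # Updating system firewall
-$BIN/v-update-sys-firewall
+$BIN/v-update-firewall
 
 
 #----------------------------------------------------------#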

+ 1 - 1
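--- a/bin/v-list-sys-firewall
+++ b/bin/v-list-firewall
@@ -21,7 +21,7 @@ source $VESTA/func/main.sh
 #----------------------------------------------------------#
 
 # Defining config
-conf=$VESTA/data/firewall/rules_ipv4.conf
+conf=$VESTA/data/firewall/rules.conf
 
 # Defining fileds to select
 fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"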

+ 43 - 0
bin/v-list-firewall-ban

@@ -0,0 +1,43 @@
+#!/bin/bash
+# info: list firewall block list
+# options: [FORMAT]
+#
+# The function of obtaining the list of currently blocked ips.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+format=${1-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining config
+conf=$VESTA/data/firewall/banlist.conf
+
+# Defining fileds to select
+fields="\$IP:\$CHAIN \$TIME \$DATE"
+
+# Listing domains
+case $format in
+    json)   json_list ;;
+    plain)  nohead=1; shell_list ;;
+    shell)  fields='$IP $CHAIN $TIME $DATE';
+            shell_list | column -t ;;
+    *)      check_args '1' '0' 'USER [FORMAT]'
+esac
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit
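Review bot: The fallback usage string in the `*)` arm, `check_args '1' '0' 'USER [FORMAT]'`, names a USER argument this script does not take, so an invalid format produces a misleading error; it should read `check_args '1' '0' '[FORMAT]'`. The `# Listing domains` comment is likewise copied from another lister and should say `# Listing banned ips`.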

+ 2 - 2
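--- a/bin/v-list-sys-firewall-rule
+++ b/bin/v-list-firewall-rule
@@ -61,7 +61,7 @@ shell_list_fw_rule() {
 #----------------------------------------------------------#
 
 check_args '1' "$#" 'RULE [FORMAT]'
-is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
 
 
 #----------------------------------------------------------#
@@ -69,7 +69,7 @@ is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
 #----------------------------------------------------------#
 
 # Defining config and fields to select
-conf=$VESTA/data/firewall/rules_ipv4.conf
+conf=$VESTA/data/firewall/rules.conf
 fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
 fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"
 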

+ 49 - 0
bin/v-suspend-firewall-rule

@@ -0,0 +1,49 @@
+#!/bin/bash
+# info: suspend firewall rule
+# options: RULE
+#
+# The function suspends a certain firewall rule.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+
+# Inlcudes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'RULE'
+validate_format 'rule'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
+is_object_unsuspended '../../data/firewall/rules' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Suspending rule
+update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' yes
+
+# Updating system firewall
+$BIN/v-update-firewall
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit

+ 49 - 0
bin/v-unsuspend-firewall-rule

@@ -0,0 +1,49 @@
+#!/bin/bash
+# info: unsuspend firewall rule
+# options: RULE
+#
+# The function unsuspends a certain firewall rule.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+
+# Inlcudes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'RULE'
+validate_format 'rule'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
+is_object_suspended '../../data/firewall/rules' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Suspending rule
+update_object_value ../../data/firewall/rules RULE $rule '$SUSPENDED' no
+
+# Updating system firewall
+$BIN/v-update-firewall
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
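Review bot: The action comment `# Suspending rule` above the `update_object_value ... '$SUSPENDED' no` line is copied from v-suspend-firewall-rule and describes the opposite operation; it should read `# Unsuspending rule` so the two scripts can be told apart at a glance.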

+ 28 - 5
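--- a/bin/v-update-sys-firewall
+++ b/bin/v-update-firewall
@@ -31,7 +31,10 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 #----------------------------------------------------------#
 
 # Checking local IPv4 rules
-rules="$VESTA/data/firewall/rules_ipv4.conf"
+rules="$VESTA/data/firewall/rules.conf"
+ports="$VESTA/data/firewall/ports.conf"
+fail2ban="$VESTA/data/firewall/fail2ban.conf"
+
 if [ ! -e "$rules" ]; then
     exit
 fi
@@ -87,13 +90,18 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
 done
 
 # Handling local traffic
-echo "$iptables -A INPUT -p udp --sport 53 -j ACCEPT" >> $tmp
-echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
 for ip in $(ls $VESTA/data/ips); do
     echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
 done
+echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
+IFS=$'\n'
+for p_rule in $(cat $ports); do
+    eval $p_rule
+    rule="$iptables -A INPUT -p $PROTOCOL"
+    echo "$rule --sport $PORT -j ACCEPT" >> $tmp
+done
 
-# Enabling stateful firewall
+# Enabling stateful support
 if [ "$stateful" != 'no' ]; then
     str="$iptables -A INPUT -p tcp -m state"
     str="$str --state ESTABLISHED,RELATED -j ACCEPT"
@@ -103,12 +111,27 @@ fi
 # Switching chain policy to DROP
 echo "$iptables -P INPUT DROP" >> $tmp
 
+# Adding vesta chain
+echo "$iptables -N vesta" >> $tmp
+
 # Applying rules
-bash $tmp
+bash $tmp 2>/dev/null
 
 # Deleting temporary file
 rm -f $tmp
 
+# Checking custom trigger
+if [ -x "$VESTA/data/firewall/custom.sh" ]; then
+    bash $VESTA/data/firewall/custom.sh
+fi
+
+# Checking fail2ban support
+chains=$VESTA/data/firewall/chains.conf
+for chain in $(cat $chains 2>/dev/null); do
+    eval $chain
+    $iptables -I INPUT -p $PROTOCOL --dport $PORT -j fail2ban-$CHAIN
+done
+
 # Saving rules to the master iptables file
 if [ -e "/etc/redhat-release" ]; then
     /sbin/iptables-save > /etc/sysconfig/iptables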
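Review bot: The new loop over ports.conf emits `$iptables -A INPUT -p $PROTOCOL --sport $PORT -j ACCEPT`, which accepts any inbound packet whose *source* port matches regardless of destination, so a remote client that binds its source port to one of the listed values (53, for instance) reaches every service on the host and the `-P INPUT DROP` set a few lines later is bypassed. The stateful rule that follows is `-p tcp` only, so for UDP replies the sport rule should at least be tied to conntrack, `echo "$rule --sport $PORT -m state --state ESTABLISHED -j ACCEPT" >> $tmp`, and for TCP it is redundant with the ESTABLISHED,RELATED rule and can go. `IFS=$'\n'` is set before that loop and never restored, which changes word splitting for everything that follows, including the `$(cat $chains)` loop; save and restore it around the loop. The chains loop inserts a jump to `fail2ban-$CHAIN` without creating the chain, and whether the rules written to `$tmp` earlier flush or delete user chains is outside this hunk, so either confirm the chain survives the rebuild or add `$iptables -N fail2ban-$CHAIN 2>/dev/null` before the `-I INPUT`.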

+ 66 - 0
web/add/firewall/banlist/index.php

@@ -0,0 +1,66 @@
+<?php
+// Init
+error_reporting(NULL);
+ob_start();
+session_start();
+$TAB = 'FIREWALL';
+
+// Main include
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check user
+if ($_SESSION['user'] != 'admin') {
+    header("Location: /list/user");
+    exit;
+}
+
+// Check POST request
+if (!empty($_POST['ok'])) {
+
+    // Check empty fields
+    if (empty($_POST['v_chain'])) $errors[] = __('banlist');
+    if (empty($_POST['v_ip'])) $errors[] = __('ip address');
+    if (!empty($errors[0])) {
+        foreach ($errors as $i => $error) {
+            if ( $i == 0 ) {
+                $error_msg = $error;
+            } else {
+                $error_msg = $error_msg.", ".$error;
+            }
+        }
+        $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
+    }
+
+    // Protect input
+    $v_chain = escapeshellarg($_POST['v_chain']);
+    $v_ip = escapeshellarg($_POST['v_ip']);
+
+    // Add firewall ban
+    if (empty($_SESSION['error_msg'])) {
+        exec (VESTA_CMD."v-add-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
+    }
+
+    // Flush field values on success
+    if (empty($_SESSION['error_msg'])) {
+        $_SESSION['ok_msg'] = __('BANLIST_CREATED_OK');
+        unset($v_ip);
+    }
+}
+
+// Header
+include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
+
+// Panel
+top_panel($user,$TAB);
+
+// Display body
+include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_firewall_banlist.html');
+
+// Flush session messages
+unset($_SESSION['error_msg']);
+unset($_SESSION['ok_msg']);
+
+// Footer
+include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html');

+ 1 - 1
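--- a/web/add/firewall/index.php
+++ b/web/add/firewall/index.php
@@ -45,7 +45,7 @@ if (!empty($_POST['ok'])) {
 
     // Add firewall rule
     if (empty($_SESSION['error_msg'])) {
-        exec (VESTA_CMD."v-add-sys-firewall-rule ".$v_action." ".$v_protocol." ".$v_port."  ".$v_ip." ".$v_comment, $output, $return_var);
+        exec (VESTA_CMD."v-add-firewall-rule ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol." ".$v_comment, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
     }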

+ 36 - 0
web/bulk/firewall/banlist/index.php

@@ -0,0 +1,36 @@
+<?php
+// Init
+error_reporting(NULL);
+ob_start();
+session_start();
+
+// Main include
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check user
+if ($_SESSION['user'] != 'admin') {
+    header("Location: /list/user");
+    exit;
+}
+
+if (!empty($_POST['ipchain'])) {
+    $ipchain = $_POST['ipchain'];
+    list($ip,$chain) = split(":",$ipchain);
+    $v_ip = escapeshellarg($ip);
+    $v_chain = escapeshellarg($chain);
+
+}
+
+$action = $_POST['action'];
+
+switch ($action) {
+    case 'delete': $cmd='v-delete-firewall-ban';
+        break;
+    default: header("Location: /list/firewall/banlist/"); exit;
+}
+
+foreach ($ipchain as $value) {
+    exec (VESTA_CMD.$cmd." ".$v_ip." ".$v_chain, $output, $return_var);
+}
+
+header("Location: /list/firewall/banlist");
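Review bot: `$_POST['ipchain']` is treated as a single string by `split(":", $ipchain)` and then as an array by `foreach ($ipchain as $value)`, so one of the two paths is always wrong: with a checkbox array the split fails and `$v_ip`/`$v_chain` stay unset while the loop still runs `v-delete-firewall-ban` once per entry with empty arguments, and with a scalar the foreach does not iterate at all. Parse each element inside the loop, after `$cmd` has been chosen, and prefer `explode()`/`strrpos()` since `split()` is deprecated in PHP 5.3; splitting on the last colon also keeps the `$IP:$CHAIN` format from v-list-firewall-ban usable should IPv6 addresses ever appear in the list.
```php
// … unchanged: init, admin check, $action switch …
if (!empty($_POST['ipchain']) && is_array($_POST['ipchain'])) {
    foreach ($_POST['ipchain'] as $value) {
        $pos = strrpos($value, ':');
        if ($pos === false) continue;
        $v_ip = escapeshellarg(substr($value, 0, $pos));
        $v_chain = escapeshellarg(substr($value, $pos + 1));
        exec (VESTA_CMD.$cmd." ".$v_ip." ".$v_chain, $output, $return_var);
    }
}
header("Location: /list/firewall/banlist");
```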

+ 3 - 3
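--- a/web/bulk/firewall/index.php
+++ b/web/bulk/firewall/index.php
@@ -18,11 +18,11 @@ $rule = $_POST['rule'];
 $action = $_POST['action'];
 
 switch ($action) {
-    case 'delete': $cmd='v-delete-sys-firewall-rule';
+    case 'delete': $cmd='v-delete-firewall-rule';
         break;
-    case 'suspend': $cmd='v-suspend-sys-firewall-rule';
+    case 'suspend': $cmd='v-suspend-firewall-rule';
         break;
-    case 'unsuspend': $cmd='v-unsuspend-sys-firewall-rule';
+    case 'unsuspend': $cmd='v-unsuspend-firewall-rule';
         break;
     default: header("Location: /list/firewall/"); exit;
 }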

+ 31 - 0
web/delete/firewall/banlist/index.php

@@ -0,0 +1,31 @@
+<?php
+// Init
+error_reporting(NULL);
+ob_start();
+session_start();
+
+// Main include
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check user
+if ($_SESSION['user'] != 'admin') {
+    header("Location: /list/user");
+    exit;
+}
+
+if ((!empty($_GET['ip'])) && (!empty($_GET['chain']))) {
+    $v_ip = escapeshellarg($_GET['ip']);
+    $v_chain = escapeshellarg($_GET['chain']);
+    exec (VESTA_CMD."v-delete-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var);
+}
+check_return_code($return_var,$output);
+unset($output);
+
+$back = $_SESSION['back'];
+if (!empty($back)) {
+    header("Location: ".$back);
+    exit;
+}
+
+header("Location: /list/firewall/banlist/");
+exit;
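Review bot: `check_return_code($return_var,$output)` runs even when the `if` did not execute the command, so a request missing `ip` or `chain` calls it with undefined variables; move the call inside the `if` block after the `exec`. This page also performs a destructive action on a plain GET protected only by the session check, so any page an authenticated admin visits can trigger a ban removal by embedding the URL; that mirrors the existing delete/firewall page, but a POST with a per-session token would be the safer shape for the new one.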

+ 1 - 1
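--- a/web/delete/firewall/index.php
+++ b/web/delete/firewall/index.php
@@ -15,7 +15,7 @@ if ($_SESSION['user'] != 'admin') {
 
 if (!empty($_GET['rule'])) {
     $v_rule = escapeshellarg($_GET['rule']);
-    exec (VESTA_CMD."v-delete-sys-firewall-rule ".$v_rule, $output, $return_var);
+    exec (VESTA_CMD."v-delete-firewall-rule ".$v_rule, $output, $return_var);
 }
 check_return_code($return_var,$output);
 unset($output);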

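--- a/web/edit/firewall/index.php
+++ b/web/edit/firewall/index.php
@@ -22,7 +22,7 @@ if (empty($_GET['rule'])) {
 
 // List rule
 $v_rule = escapeshellarg($_GET['rule']);
-exec (VESTA_CMD."v-list-sys-firewall-rule ".$v_rule." 'json'", $output, $return_var);
+exec (VESTA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
 check_return_code($return_var,$output);
 $data = json_decode(implode('', $output), true);
 unset($output);
@@ -56,7 +56,7 @@ if (!empty($_POST['save'])) {
     $v_comment = escapeshellarg($_POST['v_comment']);
 
     // Change Status
-    exec (VESTA_CMD."v-change-sys-firewall-rule ".$v_rule." ".$v_action." ".$v_protocol." ".$v_port." ".$v_ip." ".$v_comment, $output, $return_var);
+    exec (VESTA_CMD."v-change-firewall-rule ".$v_rule." ".$v_action." ".$v_ip."  ".$v_port." ".$v_protocol."".$v_comment, $output, $return_var);
     check_return_code($return_var,$output);
     unset($output);
 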
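Review bot: In the second hunk the rewritten exec line joins its last two arguments with an empty string, `$v_protocol."".$v_comment`, so the two escapeshellarg'd values collapse into one shell word (`'tcp''comment'` is read by the shell as `tcpcomment`) and v-change-firewall-rule presumably receives five arguments instead of six; the doubled space before `$v_port` is harmless but looks like the same editing slip. The line should read `exec (VESTA_CMD."v-change-firewall-rule ".$v_rule." ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol." ".$v_comment, $output, $return_var);`. The enclosing `if (!empty($_POST['save']))` block starts before this hunk.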

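--- a/web/list/firewall/banlist/index.php
+++ b/web/list/firewall/banlist/index.php
@@ -0,0 +1,33 @@
+<?php
+session_start();
+
+$TAB = 'FIREWALL';
+
+// Main include
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check user
+if ($_SESSION['user'] != 'admin') {
+    header("Location: /list/user");
+    exit;
+}
+
+// Header
+include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
+
+// Panel
+top_panel($user,$TAB);
+
+// Data
+exec (VESTA_CMD."v-list-firewall-ban json", $output, $return_var);
+$data = json_decode(implode('', $output), true);
+$data = array_reverse($data, true);
+unset($output);
+include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_firewall_banlist.html');
+
+// Back uri
+$_SESSION['back'] = $_SERVER['REQUEST_URI'];
+
+// Footer
+include($_SERVER['DOCUMENT_ROOT'].'/templates/footer.html');
+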
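Review bot: The `$i` counter that web/templates/admin/list_firewall_banlist.html increments (`++$i`) and compares (`$i == 0`) is not initialised before the template `include`, so the row count relies on PHP coercing an undefined variable to 0 and raises a notice unless something in inc/main.php sets it; `$i = 0;` just before the include makes it explicit. The exec of `v-list-firewall-ban json` also has no `check_return_code` call before `json_decode`/`array_reverse`; that matches the existing list/firewall page, but a failing command reaches `array_reverse(null, true)` silently.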

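--- a/web/list/firewall/index.php
+++ b/web/list/firewall/index.php
@@ -19,7 +19,7 @@ include($_SERVER['DOCUMENT_ROOT'].'/templates/header.html');
 top_panel($user,$TAB);
 
 // Data
-exec (VESTA_CMD."v-list-sys-firewall json", $output, $return_var);
+exec (VESTA_CMD."v-list-firewall json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 $data = array_reverse($data, true);
 unset($output);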

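--- a/web/suspend/firewall/index.php
+++ b/web/suspend/firewall/index.php
@@ -0,0 +1,28 @@
+<?php
+// Init
+error_reporting(NULL);
+ob_start();
+session_start();
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check user
+if ($_SESSION['user'] != 'admin') {
+    header("Location: /list/user");
+    exit;
+}
+
+if (!empty($_GET['rule'])) {
+    $v_rule = escapeshellarg($_GET['rule']);
+    exec (VESTA_CMD."v-suspend-firewall-rule ".$v_rule, $output, $return_var);
+}
+check_return_code($return_var,$output);
+unset($output);
+
+$back=getenv("HTTP_REFERER");
+if (!empty($back)) {
+    header("Location: ".$back);
+    exit;
+}
+
+header("Location: /list/firewall/");
+exit;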
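Review bot: `$back=getenv("HTTP_REFERER")` followed by `header("Location: ".$back)` redirects to whatever Referer the client sent, which is an open redirect inside the admin's session, and it differs from web/delete/firewall/banlist/index.php in this same commit, which uses the server-set `$_SESSION['back']`; web/unsuspend/firewall/index.php below has the identical block. Using `$back = $_SESSION['back'];` here, as the delete handler does, removes the client-controlled input. If the Referer is kept instead, note that whether getenv() exposes it at all depends on the SAPI (`$_SERVER['HTTP_REFERER']` is the usual accessor) and that it should be checked to be a same-host path before use.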

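--- a/web/templates/admin/add_firewall_banlist.html
+++ b/web/templates/admin/add_firewall_banlist.html
@@ -0,0 +1,93 @@
+            <?php
+                $back = $_SESSION['back'];
+                if (empty($back)) {
+                    $back = "location.href='/list/firewall/banlist/'";
+                } else {
+                    $back = "location.href='".$back."'";
+                }
+            ?>
+            <table class="submenu">
+                <tr>
+                    <td style="padding: 20px 10px;" ><a class="name"><b><?php print __('Adding IP Address to Banlist');?></b></a>
+                        <?php
+                            if (!empty($_SESSION['error_msg'])) {
+                                echo "<span class=\"vst-error\"> → ".$_SESSION['error_msg']."</span>";
+                            } else {
+                                if (!empty($_SESSION['ok_msg'])) {
+                                    echo "<span class=\"vst-ok\"> → ".$_SESSION['ok_msg']."</span>";
+                                }
+                            }
+                        ?>
+                    </td>
+                </tr>
+            </table>
+        </div>
+
+        <form id="vstobjects" name="v_add_ip" method="post">
+            <script type="text/javascript">
+                function elementHideShow(elementToHideOrShow) {
+                    var el = document.getElementById(elementToHideOrShow);
+                    if (el.style.display == "block") {
+                        el.style.display = "none";
+                    } else {
+                        el.style.display = "block";
+                    }
+                }
+            </script>
+
+            <table class="data mode-add">
+                <tr class="data-add">
+                    <td class="data-dotted">
+                        <table class="data-col1">
+                            <tr><td></td></tr>
+                        </table>
+                    </td>
+                    <td class="data-dotted">
+                        <table class="data-col2" width="600px">
+                            <tr>
+                                <td class="vst-text step-top">
+                                    <?php print __('Banlist') ?> 
+                                </td>
+                            </tr>
+                            <tr>
+                                <td>
+                                    <select class="vst-list" name="v_chain">
+                                        <option value="SSH" <?php if ((!empty($v_chain)) && ( $v_chain == "'SSH'" )) echo 'selected'?>><?php print __('SSH') ?></option>
+                                        <option value="FTP" <?php if ((!empty($v_chain)) && ( $v_chain == "'FTP'" )) echo 'selected'?>><?php print __('FTP') ?></option>
+                                        <option value="MAIL" <?php if ((!empty($v_chain)) && ( $v_chain == "'MAIL'" )) echo 'selected'?>><?php print __('MAIL') ?></option>
+                                        <option value="DNS" <?php if ((!empty($v_chain)) && ( $v_chain == "'DNS'" )) echo 'selected'?>><?php print __('DNS') ?></option>
+                                        <option value="HTTP" <?php if ((!empty($v_chain)) && ( $v_chain == "'HTTP'" )) echo 'selected'?>><?php print __('HTTP') ?></option>
+                                        <option value="HTTPS" <?php if ((!empty($v_chain)) && ( $v_chain == "'HTTPS'" )) echo 'selected'?>><?php print __('HTPS') ?></option>
+                                        <option value="POP3" <?php if ((!empty($v_chain)) && ( $v_chain == "'POP3'" )) echo 'selected'?>><?php print __('POP3') ?></option>
+                                        <option value="IMAP" <?php if ((!empty($v_chain)) && ( $v_chain == "'IMAP'" )) echo 'selected'?>><?php print __('IMAP') ?></option>
+                                        <option value="MYSQL" <?php if ((!empty($v_chain)) && ( $v_chain == "'MYSQL'" )) echo 'selected'?>><?php print __('MYSQL') ?></option>
+                                        <option value="POSTGRES" <?php if ((!empty($v_chain)) && ( $v_chain == "'POSTGRES'" )) echo 'selected'?>><?php print __('POSTGRES') ?></option>
+                                        <option value="VESTA" <?php if ((!empty($v_chain)) && ( $v_chain == "'VESTA'" )) echo 'selected'?>><?php print __('VESTA') ?></option>
+                                    </select>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td class="vst-text input-label">
+                                    <?php print __('IP Address');?> <span class="optional">(<?php print __('CDIR format is supported');?>)</span>
+                                </td>
+                            </tr>
+                            <tr>
+                                <td>
+                                    <input type="text" size="20" class="vst-input" name="v_ip" <?php if (!empty($v_ip)) echo "value=".$v_ip; ?>>
+                                </td>
+                            </tr>
+                        </table>
+                        <table class="data-col2">
+                            <tr>
+                                <td class="step-top" width="116px">
+                                    <input type="submit" name="ok" value="<?php print __('Add');?>" class="button">
+                                </td>
+                                <td class="step-top">
+                                    <input type="button" class="button" value="<?php print __('Back');?>" onclick="<?php echo $back ?>">
+                                </td>
+                            </tr>
+                        </table>
+                    </td>
+                </tr>
+            </table>
+        </from>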
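Review bot: The closing tag on the last line is `</from>`, so the `<form id="vstobjects" name="v_add_ip" method="post">` opened earlier in this template is never closed; it should be `</form>`. Two label slips in the same template: the HTTPS option prints `__('HTPS')`, and the IP hint says `CDIR format`, presumably meant to be CIDR. The IP input writes `value=".$v_ip` with no quotes and no escaping; if `$v_ip` is the escapeshellarg'd value, as the `"'SSH'"` comparisons for `$v_chain` suggest, it renders only because of the single quotes that wrapper adds, and quoting the attribute and passing the value through htmlspecialchars() would make it robust regardless of where `$v_ip` is set.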

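--- a/web/templates/admin/list_firewall.html
+++ b/web/templates/admin/list_firewall.html
@@ -19,6 +19,11 @@
                             </select>
                             <input type="submit" name="ok" value="›" class="submenu-button-select">
                         </div>
+                        <?php if(!empty($_SESSION['FIREWALL_EXTENSION'])) { ?> 
+                        <div class="submenu-select-block">
+                            <a class="submenu-select-link" href="/list/firewall/banlist/">[ <?php print __('list fail2ban');?> ]</a>
+                        </div>
+                        <?php } ?>
                         <?php display_error_block(); ?> 
                     </td>
                 </tr>
@@ -37,10 +42,10 @@
                             } else {
                                 $status = 'active';
                                 $spnd_action = 'suspend' ;
-                                $spnd_confirmation = 'UNSUSPEND_RULE_CONFIRMATION' ;
+                                $spnd_confirmation = 'SUSPEND_RULE_CONFIRMATION' ;
                             }
                     ?> 
-                    <tr class="data-row">
+                    <tr class="data-row <? if($status == 'suspended') echo 'suspended';?>">
                         <td class="data-dotted">
                             <table class="data-col1">
                                 <tr><td><input type="checkbox" class="ch-toggle" name="rule[]" value="<?php echo $data[$key]['RULE']?>" > </td></tr>
@@ -58,7 +63,17 @@
                                     </div>
                                 </span>
                             </a>
-                            <a href="/edit/firewall/?rule=<?php echo $data[$key]['RULE'] ?>" class="data-controls">
+                            <a id="<?php echo $spnd_action ?>_link_<?php echo $i ?>" class="data-controls do_<?php echo $spnd_action ?>">
+                                <span class="do_<?php echo $spnd_action ?>">
+                                    <img src="/images/suspend.png" width="7px" height="8px">
+                                    <?php echo __($spnd_action); ?> 
+                                    <input type="hidden" name="<?php echo $spnd_action ?>_url" value="/<?php echo $spnd_action ?>/firewall/?rule=<?php echo $data[$key]['RULE'] ?>" />
+                                    <div id="<?php echo $spnd_action ?>_dialog_<?php echo $i ?>" class="confirmation-text-suspention hidden" title="<?php print __('Confirmation');?>">
+                                        <p class="counter-value"><?php print __($spnd_confirmation,$key);?></p>
+                                    </div>
+                                </span>
+                            </a>
+                            <a href="/edit/firewall/?rule=<?php echo $key ?>" class="data-controls">
                                 <span>
                                     <img src="/images/edit.png" width="8px" height="8px">
                                     <?php print __('edit');?> 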
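Review bot: The `<tr class="data-row <? if($status == 'suspended') echo 'suspended';?>">` line in the second hunk uses the short open tag `<?` while every other PHP block in this file uses `<?php`; with short_open_tag disabled the tag is emitted as literal text inside the class attribute. It should read `<tr class="data-row <?php if($status == 'suspended') echo 'suspended';?>">`. In the third hunk `$data[$key]['RULE']` and `$key` are echoed straight into id/value attributes; they come from the firewall listing rather than the request, but wrapping them in htmlspecialchars() costs nothing and keeps the page intact if a stored rule value is ever malformed.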

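--- a/web/templates/admin/list_firewall_banlist.html
+++ b/web/templates/admin/list_firewall_banlist.html
@@ -0,0 +1,88 @@
+            <table class="submenu">
+                <tr>
+                    <td class="wrapper">
+                        <div class="submenu-button-block">
+                            <button class="submenu-button-main" onclick="location.href='/add/firewall/banlist/'"> <?php print __('Ban IP Address');?> </button>
+                        </div>
+                        <div class="submenu-search-block">
+                            <form action="/search/" method="get">
+                            <input type="text" name="q" class="submenu-search-field">
+                            <input type="submit" value="<?php print __('Search');?>" class="submenu-button-search">
+                            </form>
+                        </div>
+                        <div class="submenu-select-block">
+                            <form action="/bulk/firewall/banlist/" method="post" id="objects">
+                            <a class="submenu-select-link" href='javascript:checkedAll("objects");'> <?php print __('toggle all');?> </a>
+                            <select class="submenu-select-dropdown" name="action">
+                                <option value=""><?php print __('apply to selected');?></option>
+                                <option value="delete"><?php print __('delete');?></option>
+                            </select>
+                            <input type="submit" name="ok" value="›" class="submenu-button-select">
+                        </div>
+                        <?php display_error_block(); ?> 
+                    </td>
+                </tr>
+            </table>
+        </div>
+
+        <div id="vstobjects">
+                <table class="data" style="background: #ebe9dc;">
+                    <tr>
+                        <td style="padding: 10px 4px">
+                            <a class="name" style="color: #555; font-size: 10pt;"><b><?php print __('Listing');?> Fail2ban</b></a>
+                        </td>
+                    </tr>
+                </table>
+                <table class="data">
+                    <?php
+                        foreach ($data as $key => $value) {
+                            ++$i;
+                            list($ip,$chain) = split(":",$key);
+                    ?> 
+                    <tr class="data-row">
+                        <td class="data-dotted">
+                            <table class="data-col1">
+                                <tr><td><input type="checkbox" class="ch-toggle" name="ipchain[]" value="<?php echo $key ?>"</td></tr>
+                                <tr><td></td></tr>
+                            </table>
+                        </td>
+                        <td class="data-dotted">
+                            <a id="delete_link_<?php echo $i ?>" class="data-controls do_delete">
+                                <span class="do_delete">
+                                    <img src="/images/delete.png" width="7px" height="7px">
+                                    <?php print __('delete');?>
+                                    <input type="hidden" name="delete_url" value="/delete/firewall/banlist/?ip=<?php echo $ip ?>&chain=<?php echo $chain ?>"/>
+                                    <div id="delete_dialog_<?php echo $i ?>" class="confirmation-text-delete hidden" title="<?php print __('Confirmation');?>">
+                                        <p class="counter-value"><?php print __('DELETE_IP_CONFIRMATION',$ip);?></p>
+                                    </div>
+                                </span>
+                            </a>
+                            <table class="data-col5">
+                                <tr>
+                                    <td class="log" width="119px"><?php echo $data[$key]['TIME'] ?></td>
+                                    <td class="log" width="119px"><?php echo $data[$key]['DATE']?></td>
+                                    <td class="log" width="232px"><?php echo $chain ?></td>
+                                    <td class="log" ><?php echo $ip ?></td>
+                                </tr>
+                            </table>
+                        </td>
+                    </tr>
+                    <?php
+                        }
+                    ?> 
+                </table>
+            </form>
+            <div class="data-count">
+                <?php
+                    if ( $i == 0) {
+                        echo __('There is no currently banned IP addresses');
+                    }
+                    if ( $i == 1) {
+                        echo __('1 IP address');
+                    }
+                    if ( $i > 1) {
+                        echo __('%s IP addresses',$i);
+                    }
+                ?> 
+            </div>
+        </div>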
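Review bot: `list($ip,$chain) = split(":",$key);` uses split(), which is deprecated since PHP 5.3 and absent from PHP 7, so this page stops rendering on any newer runtime; `list($ip,$chain) = explode(":",$key);` is the drop-in replacement. The checkbox markup `<input type="checkbox" class="ch-toggle" name="ipchain[]" value="<?php echo $key ?>"</td>` is missing the `>` that closes the input tag. `$ip` and `$chain` are also echoed unescaped into the delete_url query string and the table cells; they originate from the ban list rather than the request, but urlencode() in the URL and htmlspecialchars() in the cells would keep a malformed entry from breaking the markup or the generated link.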

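--- a/web/unsuspend/firewall/index.php
+++ b/web/unsuspend/firewall/index.php
@@ -0,0 +1,28 @@
+<?php
+// Init
+error_reporting(NULL);
+ob_start();
+session_start();
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check user
+if ($_SESSION['user'] != 'admin') {
+    header("Location: /list/user");
+    exit;
+}
+
+if (!empty($_GET['rule'])) {
+    $v_rule = escapeshellarg($_GET['rule']);
+    exec (VESTA_CMD."v-unsuspend-firewall-rule ".$v_rule, $output, $return_var);
+}
+check_return_code($return_var,$output);
+unset($output);
+
+$back=getenv("HTTP_REFERER");
+if (!empty($back)) {
+    header("Location: ".$back);
+    exit;
+}
+
+header("Location: /list/firewall/");
+exit;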