X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/6d47692a3e4e8e1da37a09019b5c8361e0004bd4..f3f390bc6f8cbb9426cebe4578ceda9224805c7e:/bookends.m4
diff --git a/bookends.m4 b/bookends.m4
index 02f7859..7374cd3 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -68,8 +68,8 @@ if [ -x /sbin/brctl ]; then
 fi
 
 ## Turn on the reverse-path filter, and log weird things.
-setdevopt rp_filter 1
-setdevopt log_martians 1
+setdevopt rp_filter $rp_filter
+setdevopt log_martians $log_martians
 
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
@@ -104,7 +104,7 @@ errorchain interesting ACCEPT
 m4_divert(36)m4_dnl
 ###--------------------------------------------------------------------------
-### Standard loopback stuff.
+### Standard filtering.
 
 ## Don't clobber local traffic
 run ip46tables -A INPUT -i lo -j ACCEPT
@@ -138,17 +138,21 @@ for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
 -d fe${x}2::/16
 done
 
+## Add a hook for fail2ban.
+clearchain fail2ban
+run ip46tables -A INPUT -j fail2ban
+
 m4_divert(90)m4_dnl
 ###--------------------------------------------------------------------------
 ### Finishing touches.
 
 m4_divert(94)m4_dnl
 ## Locally generated packets are all OK.
-run iptables -P OUTPUT ACCEPT
+run ip46tables -P OUTPUT ACCEPT
 
 ## Other incoming things are forbidden.
 for chain in INPUT FORWARD; do
-  run iptables -A $chain -g forbidden
+  run ip46tables -A $chain -g forbidden
 done
 
 m4_divert(-1)
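Review bot: The new `$rp_filter` and `$log_martians` expansions have no fallback, so a configuration that never sets them makes `setdevopt rp_filter` run with a missing value and the anti-spoofing filter silently stays at whatever the kernel or distribution default happens to be, which is the opposite of what the comment above still promises. Keeping the old value as the default preserves the previous behaviour for existing deployments: `setdevopt rp_filter ${rp_filter-1}` and `setdevopt log_martians ${log_martians-1}`. The comment should also say the setting is now tunable rather than forced on, e.g. `## Reverse-path filtering (0 = off, 1 = strict, 2 = loose) and martian logging, as configured.` Where these variables are assigned and how `setdevopt` treats a missing or empty argument (and whether it touches IPv6, which has no rp_filter sysctl) are outside the hunk, so the failure mode is inferred.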
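Review bot: The `fail2ban` chain is created empty and nothing in the hunk says who fills it; fail2ban's stock iptables actions insert their own `f2b-*` jumps at the head of INPUT, so unless its actions are configured with `chain = fail2ban` this hook is dead and bans keep bypassing the layout below. Since `clearchain` presumably flushes or recreates the chain, every firewall reload would also discard whatever fail2ban had placed there until fail2ban is restarted or reloaded, and with `ip46tables` the IPv6 side only gets populated if fail2ban's IPv6 actions are enabled too. Both caveats belong in the comment so the operator knows the contract, e.g. `## Hook for fail2ban: point its iptables actions at this chain (chain = fail2ban); it is emptied on reload, so restart fail2ban after reloading the firewall.` Placing the jump here, in diversion 36 before the service rules, does look like the right spot for bans to take precedence, assuming later diversions hold the accepts.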