bookends.m4: Provide a hook chain for fail2ban.

Otherwise it does its filtering before we've permitted loopback, and
stuff could get very bad.

diff --git a/bookends.m4 b/bookends.m4
index ed5dcc7..7374cd3 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -104,7 +104,7 @@ errorchain interesting ACCEPT
 
 m4_divert(36)m4_dnl
 ###--------------------------------------------------------------------------
-### Standard loopback stuff.
+### Standard filtering.
 
 ## Don't clobber local traffic
 run ip46tables -A INPUT -i lo -j ACCEPT
@@ -138,6 +138,10 @@ for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
        -d fe${x}2::/16
 done
 
+## Add a hook for fail2ban.
+clearchain fail2ban
+run ip46tables -A INPUT -j fail2ban
+
 m4_divert(90)m4_dnl
 ###--------------------------------------------------------------------------
 ### Finishing touches.