The ipset command requires IP SET support in the kernel. Specifically, you would be looking for the following settings:
CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m
And it seems that your kernel is built without ipset support, or at the least, it cannot find these modules. Solve that issue and your error should go away.
Try running find /lib/modules/$(uname -r) -name ip_set.ko to see if your current kernel supports them, and also find /lib/modules -name ip_set.ko to see if any of the installed kernels supports them.
If you need more help, you would have to tell us:
- What version of CentOS you are using
- What kernel you are running
- How you installed fail2ban (from the EPEL repository or manually?)
I should also note that the version of ipset reported in your question (6.19) is what CentOS 7 comes with, so if you are using the original kernel and fail2ban from the EPEL repo everything should just work.
CentOS 6.5 also has support for ip sets and fail2ban is available in EPEL for CentOS 6. These should also work fine.
However, if you are running CentOS 5, then you are likely out of luck. You may have some luck building the modules that ipset comes with, but I am not sure the CentOS 5 kernel is supported at all. If you actually managed to pull that off, and later upgraded the kernel, then it is just a matter of rebuilding the modules for the new kernel.
I may have to answer my own question as it looks like nobody at serverfault knows the answer. Well, this is really simple. Since iptables rules work successively, all that was needed was to change from -A INPUT to -I INPUT in my code above. Problem solved.
It created amended (-A) rules in my input chain and put them at the back, which seemed to conflict with the other rules that came before it. The trick was to do insert (-I), which created a new rule and put it in front; that stopped the conflict with the others and it started working perfectly well.
Hope it will help someone out as well.
Best Answer
So, since -j SET is what you wanted: within iptables, -m set is used when you want to compare a packet against an ipset (-m stands for match); it can be used multiple times within a single rule. -j SET, on the other hand, is used to insert an entry into an ipset; it is a non-terminating target, meaning that rule traversal will continue. You should read the iptables manpage for a full explanation of the expected syntax.
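As an added illustration of the two points made in this thread (why -A versus -I changed the outcome, and why -j SET is non-terminating while -m set is a match), here is a small Python model of first-match chain traversal. It is example code written for this page, not real iptables or any fail2ban code; the set names "badips" and "seen" and the addresses are constructed sample values.

```python
# Toy model of iptables chain traversal (added example, not real iptables):
# rules are checked in order; terminating targets (ACCEPT/DROP) end traversal,
# while the non-terminating SET target adds an entry to an ipset and continues.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP or SET
    match_set: Optional[str] = None   # "-m set --match-set NAME src" (None = match all)
    add_set: Optional[str] = None     # "-j SET --add-set NAME src"


class Chain:
    def __init__(self):
        self.rules = []                                   # INPUT chain, traversal order
        self.sets = {"badips": set(), "seen": set()}      # ipsets (constructed names)

    def append(self, rule):                               # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule, pos=1):                        # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, rule)

    def verdict(self, src):
        for rule in self.rules:
            if rule.match_set and src not in self.sets[rule.match_set]:
                continue                                  # -m set did not match
            if rule.target == "SET":
                self.sets[rule.add_set].add(src)          # non-terminating: keep going
                continue
            return rule.target                            # ACCEPT / DROP end traversal
        return "POLICY"                                   # fell off the end: chain policy


def appended_drop():
    chain = Chain()
    chain.sets["badips"].add("203.0.113.7")
    chain.append(Rule("ACCEPT"))                          # broad accept already present
    chain.append(Rule("DROP", match_set="badips"))        # -A: lands after the ACCEPT
    return chain.verdict("203.0.113.7")                   # the DROP is never reached


def inserted_drop():
    chain = Chain()
    chain.sets["badips"].add("203.0.113.7")
    chain.append(Rule("ACCEPT"))
    chain.insert(Rule("DROP", match_set="badips"))        # -I: goes to the front
    return chain.verdict("203.0.113.7")


def set_target_continues():
    chain = Chain()
    chain.append(Rule("SET", add_set="seen"))             # -j SET: record, then continue
    chain.append(Rule("ACCEPT"))
    verdict = chain.verdict("198.51.100.5")
    return verdict, "198.51.100.5" in chain.sets["seen"]
```

Running appended_drop() returns "ACCEPT" and inserted_drop() returns "DROP", which is exactly the difference the asker hit; set_target_continues() shows the SET target recording the address and still letting the following ACCEPT decide.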