The ipset command requires IP SET support in the kernel. Specifically, you would be looking for the following settings:
CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m
And it seems that your kernel is built without ipset support, or at the least, it cannot find these modules. Solve that issue and your error should go away.
Try running find /lib/modules/$(uname -r) -name ip_set.ko to see if your current kernel supports them, and also find /lib/modules -name ip_set.ko to see if any of the installed kernels support them.
If you need more help, you would have to tell us:
- What version of CentOS you are using
- What kernel you are running
- How you installed fail2ban (from the EPEL repository or manually?)
I should also note that the version of ipset reported in your question (6.19) is what CentOS 7 comes with, so if you are using the original kernel and fail2ban from the EPEL repo everything should just work.
CentOS 6.5 also has support for ip sets and fail2ban is available in EPEL for CentOS 6. These should also work fine.
However, if you are running CentOS 5, then you are likely out of luck. You may have some luck building the modules that ipset comes with, but I am not sure the CentOS 5 kernel is supported at all. If you actually managed to pull that off, and later upgraded the kernel, then it is just a matter of rebuilding the modules for the new kernel.
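The two checks this answer describes (the CONFIG_IP_SET options in the kernel config, and the ip_set.ko module file under each /lib/modules/<release> tree), written as a small POSIX shell script. This is an added example, not code from the answer above; the function names, the /boot/config-$(uname -r) path and the expectation that ip_set.ko may be shipped compressed (ip_set.ko.xz) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer): check whether a kernel tree ships
# ipset support, the way the answer suggests doing by hand.

# ipset_config_ok CONFIG_FILE
# Returns 0 when both CONFIG_IP_SET and CONFIG_IP_SET_HASH_IP are =y or =m,
# 1 when either is missing or disabled, 2 when the file cannot be read.
ipset_config_ok() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    for opt in CONFIG_IP_SET CONFIG_IP_SET_HASH_IP; do
        grep -Eq "^${opt}=(y|m)$" "$cfg" || return 1
    done
    return 0
}

# ipset_module_present MODULES_DIR
# Returns 0 when an ip_set.ko (or ip_set.ko.xz etc., an assumption of this
# example) exists anywhere below MODULES_DIR, 1 when not, 2 if no such dir.
ipset_module_present() {
    dir="$1"
    [ -d "$dir" ] || return 2
    found=$(find "$dir" -name 'ip_set.ko*' 2>/dev/null | head -n 1)
    [ -n "$found" ]
}

# report_kernels MODULES_ROOT
# Prints one line per installed kernel found under MODULES_ROOT
# (normally /lib/modules), stating whether it carries ip_set.ko.
report_kernels() {
    root="$1"
    for k in "$root"/*/; do
        [ -d "$k" ] || continue
        rel=$(basename "$k")
        if ipset_module_present "$k"; then
            echo "$rel: ip_set.ko present"
        else
            echo "$rel: ip_set.ko missing"
        fi
    done
}

main() {
    echo "Running kernel: $(uname -r)"
    # Assumed location of the running kernel's config on RPM-based distros.
    if ipset_config_ok "/boot/config-$(uname -r)"; then
        echo "config: CONFIG_IP_SET and CONFIG_IP_SET_HASH_IP enabled"
    else
        echo "config: IP_SET options not enabled, or config file not readable"
    fi
    if ipset_module_present "/lib/modules/$(uname -r)"; then
        echo "module: ip_set.ko found for the running kernel"
    else
        echo "module: ip_set.ko not found for the running kernel"
    fi
    echo "Installed kernels:"
    report_kernels /lib/modules
}

# Run the report only when executed as a script, so the functions can also
# be sourced from another shell.
if [ "${0##*/}" = "ipset_check.sh" ]; then
    main
fi
```

Save the block as ipset_check.sh and run it with sh; a kernel reported as "missing" will not be able to load the module that the ipset command needs, which matches the error the answer is diagnosing.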
If you check the action.d directory, you will find that all firewalld-related actions forgot to put a reload command after adding the rule to DROP or REJECT the source IPs banned by fail2ban; the reload is important because it makes the rules accepted by FirewallD.
I suggest you modify the actions to fit what you need; however, IMHO, FirewallD acts like a manager to control iptables and it's more suitable for workstation than server environments.
Thus, the most efficient way to solve your problem is,
systemctl stop firewalld
systemctl mask firewalld
and enable your iptables.
Best Answer
You should not start the old iptables service if you intend to use firewalld. Start only firewalld and remove the other service.
The scripts comprising the old iptables service are in the RPM package named iptables-services, so you can remove this package from your system, and afterward use only firewalld. (But do not remove the RPM package named iptables. You still need this as it contains the iptables command line tool.)
I recommend you set your fail2ban banaction to firewallcmd-ipset, as this gives the highest performance with very large lists of IP addresses.