corbanworks / aws-blocker

A simple bash script to block all AWS IP ranges using iptables.
The Unlicense
142 stars 34 forks

Could really use an unban option to the script #13

Open erco77 opened 1 month ago

erco77 commented 1 month ago

I found after a week or so of blocking AWS, it was preventing https certifications from renewing (letsencrypt.org), causing certbot renew operations to fail with "connection refused" when their "multi-perspective" validation checks tried to come in from different locations to verify our webserver, some of which are apparently AWS originated and REJECT'ed.

It'd be good if there was a simple option to the script to 'unban' all the AWS chains.

erco77 commented 1 month ago

Hmm, it looks like the script is creating all the blocks with the chain name "AWS", and it at first looked like it'd be easy to just use iptables -X AWS or iptables --delete-chain AWS to remove them, but I guess there's so many, iptables has a problem removing them:

# iptables -X AWS
iptables: Too many links.

What does seem to work to remove all the AWS quickly/efficiently is this:

iptables-save     > /tmp/iptables.txt      -- save the current ipv4 tables
ip6tables-save    > /tmp/ip6tables.txt     -- save the current ipv6 tables
sed -i '/AWS/d'     /tmp/iptables.txt      -- remove all the AWS ip4v entries
sed -i '/AWS/d'     /tmp/ip6tables.txt     -- remove all the AWS ipv6 entries
iptables-restore  < /tmp/iptables.txt      -- apply changes with AWS entries removed
ip6tables-restore < /tmp/ip6tables.txt     -- apply changes with AWS entries removed

...so something like that could probably be added to the script as an 'unban' option flag.

For web admins needing to fix problems with renewing https certs caused by the AWS block, one can just completely clear the firewall using iptables -F and ip6tables -F (in place of the above sed commands), run the recert commands with the firewall cleared (e.g. certbot renew), then use the iptables-restore / ip6tables-restore commands to bring back the firewall config exactly the way it was, which preserves any 'fail2ban' blocks too.
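A shell implementation of the save / filter / restore approach described in the comments above, added here as an example; it is not part of the aws-blocker script or of erco77's commands. It assumes the chain is named AWS, matches the chain as a whole token (so a rule that only mentions "AWS" in a comment survives, which the broader sed '/AWS/d' would not guarantee), and needs root to actually touch the firewall; the sample iptables-save output is constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not part of aws-blocker): drop every rule that belongs to or
# references an iptables chain, via iptables-save / filter / iptables-restore.

# Filter iptables-save output on stdin, dropping the chain declaration
# (":AWS - [0:0]"), the chain's own rules ("-A AWS ...") and every jump to it
# ("... -j AWS"). Whole-token matching keeps rules that merely mention "AWS"
# in a comment. Chain names are alphanumeric, so no regex escaping is needed.
strip_chain() {
    chain="$1"
    grep -v -E -e "^:${chain} " -e "^-A ${chain} " -e "-j ${chain}( |\$)"
}

# Snapshot each table set to a temp file (as in the thread), strip the chain,
# then restore the rest atomically. Everything else, e.g. fail2ban chains,
# comes back unchanged. Must run as root.
unban_chain() {
    chain="$1"
    for cmd in iptables ip6tables; do
        tmp=$(mktemp) || return 1
        if ! "${cmd}-save" > "$tmp"; then rm -f "$tmp"; return 1; fi
        strip_chain "$chain" < "$tmp" | "${cmd}-restore"
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return "$rc"
    done
}

# Constructed sample of iptables-save output (documentation address ranges)
# for an offline demonstration of the filter.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:AWS - [0:0]
:AWSX - [0:0]
-A INPUT -j AWS
-A INPUT -j AWSX
-A AWS -s 192.0.2.0/24 -j REJECT --reject-with icmp-port-unreachable
-A AWSX -s 198.51.100.0/24 -j DROP
-A INPUT -m comment --comment "AWS note" -j ACCEPT
COMMIT'

# Offline demo: print the rules that would survive "unban_chain AWS".
printf '%s\n' "$SAMPLE_RULES" | strip_chain AWS
```

Run `unban_chain AWS` as root to apply it to the live firewall; the demo at the bottom only filters the constructed sample.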