From a34e04407c58606899a68512cf7f259d91dd98c6 Mon Sep 17 00:00:00 2001
From: Dinko Korunic
Date: Tue, 14 Apr 2009 20:10:05 +0200
Subject: [PATCH] - Update paketa za Lenny - ako je aktivan Fail2Ban, makni SSH netfilter bruteforce zastitu - LSB-compatibilan init (Lenny-required) - prebaci iptables-cn init u S10 / K90
---
 README.CARNet | 2 +-
 debian/changelog | 7 +++++++
 debian/control | 4 ++--
 debian/init | 11 +++++++++++
 debian/postinst | 37 ++++++++++++++++++++++++++++---------
 debian/rules | 2 +-
 6 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/README.CARNet b/README.CARNet
index ef60769..900cfe3 100644
--- a/README.CARNet
+++ b/README.CARNet
@@ -4,4 +4,4 @@ iptables-cn
 Ovaj paket donosi System V init skriptu za iptables paket, kao i set nekih prirucnih primjera za koristenje Netfilter paketa.
- -- Dinko Korunic at Sun, 9 Sep 2007 15:51:32 +0200
+ -- Dinko Korunic at Tue, 14 Apr 2009 19:31:51 +0200
diff --git a/debian/changelog b/debian/changelog
index b229265..fbb8ac1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+iptables-cn (2:1.4.2-1) stable; urgency=low
+
+ * Upgrade paketa za Lenny
+ * Gasi se SSH bruteforce zastita ako je aktivan Fail2Ban servis
+
+ -- Dinko Korunic Tue, 14 Apr 2009 19:26:20 +0200
+
 iptables-cn (2:1.2.11-6) stable; urgency=low
 * ne izadji s greskom u slucaju da se SSH bruteforce zastita ne uspije
diff --git a/debian/control b/debian/control
index 545ed49..c825e99 100644
--- a/debian/control
+++ b/debian/control
@@ -1,13 +1,13 @@
 Source: iptables-cn
 Section: net
 Priority: optional
-Maintainer: Dinko Korunic
+Maintainer: Dinko Korunic
 Build-Depends: debhelper (>= 4)
 Standards-Version: 3.7.2
 Package: iptables-cn
 Architecture: all
-Depends: iptables (>= 1.2.11-10)
+Depends: iptables (>= 1.4.2-6)
 Conflicts: iptables-cn (<< 2:1.2.11-4)
 Description: Linux kernel 2.4+ iptables administration tools
 netfilter and iptables provide a Linux kernel framework for
diff --git a/debian/init b/debian/init
index 822f8fa..2db1368 100755
--- a/debian/init
+++ b/debian/init
@@ -1,5 +1,16 @@
 #!/bin/sh
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $syslog
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start or stop the iptables.
+### END INIT INFO
+
 set -e
 # Q: How do I get started?
diff --git a/debian/postinst b/debian/postinst
index 0fe9d74..6a57a0d 100755
--- a/debian/postinst
+++ b/debian/postinst
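Review bot: `Required-Start: $local_fs $remote_fs` together with `Default-Start: 2 3 4 5` (and the matching `defaults 10 90` ordering in debian/rules) brings the ruleset up only after networking and remote filesystems ($remote_fs presupposes $network in the LSB facility definitions), so on a dependency-ordered boot the host is reachable for a window with no filter rules loaded; the saved rules live under /var/lib/iptables, so `$local_fs` is sufficient, and a firewall script is usually given `Default-Start: S` with `X-Start-Before: $network` so it precedes the network. Whether Lenny's sysv-rc already honours these headers or still relies on the S10/K90 symlinks is worth confirming, but the header is what insserv will use later, so it should not encode an order the package does not actually want. `Short-Description: Start or stop the iptables.` is ungrammatical; `Short-Description: iptables firewall ruleset` reads better. The init script's body lies outside the hunk.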
@@ -41,17 +41,36 @@ if [ -e /etc/default/iptables ]; then
 mv /etc/default/iptables /etc/default/iptables-cn
 fi
-# check if there is any default netfilter policy and install default SSH
-# REJECT recent if there is none..
-# also, save current set of rules into active and inactive configuration
-if [ ! -e /var/lib/iptables/active ]; then
- if ! iptables-save | grep '^-' >/dev/null; then
- echo "CN: Netfilter rules empty: importing SSH bruteforce rules"
- /usr/share/doc/iptables-cn/examples/ssh-bruteforce \
- 1>/dev/null 2>&1 || true
- fi
+# check to see if fail2ban is installed
+check=(fail2ban fail2ban-cn)
+check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
+if [ "x$check" != "x" ]; then
+ echo "CN: Detected Fail2Ban installation, will remove SSH bruteforce rules by default"
+ iptables -D SSH_Brute_Force -m recent ! --rcheck --seconds 90 \ --hitcount 3 --name SSH --rsource \ -j RETURN >/dev/null 2>&1 || true
+ iptables -D SSH_Brute_Force -p tcp -j REJECT \ --reject-with icmp-port-unreachable >/dev/null 2>&1 || true
+ iptables -D INPUT -p tcp -m tcp --dport 22 -m state \ --state NEW -m recent --set --name SSH --rsource \ -j SSH_Brute_Force >/dev/null 2>&1 || true
+ iptables -X SSH_Brute_Force >/dev/null 2>&1 || true
+
 echo "CN: Saving current Netfilter rules to /var/lib/iptables/active"
 iptables-save > /var/lib/iptables/active
+else
+ # check if there is any default netfilter policy and install default SSH
+ # REJECT recent if there is none..
+ # also, save current set of rules into active and inactive configuration
+ if [ ! -e /var/lib/iptables/active ]; then
+ if !
iptables-save | grep '^-' >/dev/null; then
+ echo "CN: Netfilter rules empty: importing SSH bruteforce rules"
+ /usr/share/doc/iptables-cn/examples/ssh-bruteforce \
+ 1>/dev/null 2>&1 || true
+ fi
+ echo "CN: Saving current Netfilter rules to /var/lib/iptables/active"
+ iptables-save > /var/lib/iptables/active
+ fi
 fi
 # create inactive
diff --git a/debian/rules b/debian/rules
index 4e3c6e9..fed7a36 100755
--- a/debian/rules
+++ b/debian/rules
@@ -50,7 +50,7 @@ binary-indep: build install
 # dh_installcatalogs
 # dh_installpam
 # dh_installmime
- dh_installinit
+ dh_installinit -- defaults 10 90
 # dh_installcron
 # dh_installinfo
 # dh_undocumented
-- 
1.7.10.4
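Review bot: The new `if [ "x$check" != "x" ]` branch deletes the kernel-side SSH rate limit whenever `dpkg -s` reports fail2ban as installed, not when the service is active as the changelog says, so a host with the package present but the daemon stopped or its sshd jail disabled is left with neither protection; checking the running service first (e.g. `invoke-rc.d fail2ban status >/dev/null 2>&1` — confirm Lenny's fail2ban init script supports status) would match the stated intent. `check=(fail2ban fail2ban-cn)` is a bash array that is then expanded as a scalar `$check`, which yields only `fail2ban` under bash and is a syntax error under dash if postinst runs with `#!/bin/sh` (the shebang is outside the hunk), so `fail2ban-cn` is never queried; `check=$(dpkg -s fail2ban fail2ban-cn 2>/dev/null | egrep '^Package:|^Status:' | awk …)` drops the array and keeps the filter. That branch also runs `iptables-save > /var/lib/iptables/active` unconditionally, unlike the else branch which writes only when the file is absent, so if the saved rules are not loaded in the kernel when postinst runs (an upgrade with the service stopped, for instance) the saved ruleset is replaced by whatever is live at that moment, possibly an empty policy; guarding the save with the same `[ ! -e /var/lib/iptables/active ]` test, or editing the saved file rather than the live table, avoids that. The `-D` deletions match only the example's exact thresholds (`--seconds 90 --hitcount 3`), so a locally tuned chain silently survives and the following `-X SSH_Brute_Force` fails; best-effort is acceptable here but a comment saying so would help the next maintainer.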