In case you want to ban IP addresses based on Suricata's fast.log, here is the fail2ban filter you need (it goes in filter.d, e.g. /etc/fail2ban/filter.d/suricata.conf, so that the jail can reference it as filter = suricata):
[INCLUDES]
before = common.conf
[DEFAULT]
_daemon = suricata
[Definition]
datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S
failregex = <HOST>:[0-9]* ->
ignoreregex =
In the jail configuration, I suggest you change the default blocktype from REJECT to DROP.
Edit 2023-03-24: you may want to use the action iptables-ipset-proto6-allports, which leverages ipset. It will make your iptables rules much more readable and, according to some sources, faster. Just edit your jail.conf and replace the default banaction_allports entry with iptables-ipset-proto6-allports, or explicitly mention iptables-ipset-proto6-allports in the jail configuration of suricata, like so:
[suricata]
enabled = true
filter = suricata
logpath = /var/log/suricata/fast.log
findtime = 3h
action = iptables-ipset-proto6-allports
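To check what this filter and jail will actually do before enabling them, here is an added Python example (not code from the post or from fail2ban) that applies the failregex and datepattern above to constructed fast.log lines and reports which source addresses would reach maxretry within findtime. The narrowed <HOST> pattern, the alert text and the addresses are assumptions made for the example.

```python
import re
from datetime import datetime

# Added example (not the post's code); <HOST> narrowed to IP literals, an assumption.
FAILREGEX = re.compile(r"(?P<host>[0-9a-fA-F:.]+):[0-9]* ->")
# datepattern ^%%m/%%d/%%Y-%%H:%%M:%%S (%% is config escaping) as a regex;
# fast.log appends microseconds, so only the leading timestamp is captured.
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})")

def parse_line(line):
    """Return (timestamp, source_ip) for a fast.log alert line, else None."""
    m_date, m_host = DATE_RE.match(line), FAILREGEX.search(line)
    if not (m_date and m_host):
        return None
    return datetime.strptime(m_date.group(1), "%m/%d/%Y-%H:%M:%S"), m_host.group("host")

def would_ban(lines, findtime_seconds=3 * 3600, maxretry=5):
    """IPs with >= maxretry alerts in any findtime window (3h as in the jail; 5 is jail.conf's default)."""
    hits, banned = {}, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hits.setdefault(parsed[1], []).append(parsed[0])
    for ip, stamps in hits.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum((t - start).total_seconds() <= findtime_seconds
                            for t in stamps[i:])
            if in_window >= maxretry:
                banned.add(ip)
                break
    return banned

def alert(ts, src, sport, dst="192.0.2.1", dport=22):
    """Constructed fast.log line (not a real alert) in Suricata's layout."""
    return (f"{ts}.000000  [**] [1:1000001:1] CONSTRUCTED test alert [**] "
            f"[Classification: Not Suspicious Traffic] [Priority: 3] "
            f"{{TCP}} {src}:{sport} -> {dst}:{dport}")

# 203.0.113.7 trips five alerts within an hour, 198.51.100.9 only one, and
# 192.0.2.1 appears only as the destination, so it must never be matched.
SAMPLE = [
    alert("03/24/2023-10:00:01", "203.0.113.7", 51000),
    alert("03/24/2023-10:05:10", "203.0.113.7", 51001),
    alert("03/24/2023-10:07:33", "198.51.100.9", 40000),
    alert("03/24/2023-10:30:00", "203.0.113.7", 51002),
    alert("03/24/2023-10:45:12", "203.0.113.7", 51003),
    alert("03/24/2023-10:59:59", "203.0.113.7", 51004),
]
```

Against the live log, fail2ban's own tool does the real check: fail2ban-regex /var/log/suricata/fast.log /etc/fail2ban/filter.d/suricata.conf.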
If you want to block both INPUT and FORWARD traffic, you can list multiple actions; however, each one needs a distinct actname, like so:
[suricata]
enabled = true
filter = suricata
logpath = /var/log/suricata/fast.log
findtime = 3h
action = %(banaction_allports)s[actname="suricata_i", chain="INPUT"]
         %(banaction_allports)s[actname="suricata_f", chain="FORWARD"]
Edit 2023-03-24: what follows is the initial text; I now prefer the ipset approach above to this one.
You should also create a custom action to apply to all protocols and ports:
[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -j f2b-<name>
actionstop = <iptables> -D <chain> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
You should now be all set to block all the IP addresses that Suricata finds.
Enjoy.