
Failure to add ban rule to iptables

Open zsQ8ymRSY8B4owpdCvTRdkz8rQUK opened this issue 3 years ago • 7 comments

Does anybody know why I might be having this error? (taken from fail2ban.log):

    2022-01-17 18:11:30,892 fail2ban.jail           [1]: INFO    Jail 'authelia' started
    2022-01-17 18:11:31,092 fail2ban.actions        [1]: NOTICE  [authelia] Restore Ban 198.54.130.86
    2022-01-17 18:11:31,101 fail2ban.utils          [1]: ERROR   7f8ea4dd1ed0 -- exec: iptables -w -N f2b-authelia
    iptables -w -A f2b-authelia -j RETURN
    iptables -w -I DOCKER-USER -p tcp -m multiport --dports http,https,9091 -j f2b-authelia
    2022-01-17 18:11:31,101 fail2ban.utils          [1]: ERROR   7f8ea4dd1ed0 -- stderr: 'iptables: Chain already exists.'
    2022-01-17 18:11:31,101 fail2ban.utils          [1]: ERROR   7f8ea4dd1ed0 -- stderr: 'iptables: No chain/target/match by that name.'
    2022-01-17 18:11:31,101 fail2ban.utils          [1]: ERROR   7f8ea4dd1ed0 -- returned 1
    2022-01-17 18:11:31,101 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'authelia' action 'iptables-multiport' info 'ActionInfo({'ip': '198.54.130.86', 'family': 'inet4', 'fid': <funct>

If my jail.conf is set to chain=INPUT, I get no errors, but the ban doesn't work because Docker is bypassing the INPUT chain. But if I set chain=DOCKER-USER, I get those errors.

I have the same issues when using the chain = DOCKER-USER. @zsQ8ymRSY8B4owpdCvTRdkz8rQUK did you solve this issue?

mehrad-rafigh avatar Mar 02 '22 08:03 mehrad-rafigh

The official documentation suggests using the DOCKER-USER chain. However, the DOCKER-USER chain is not visible from inside the container (see the output of iptables -nvL in #108). As a result, the examples shown in the documentation are not working. I am using Docker 20.10.14.

QuickJack avatar Apr 06 '22 11:04 QuickJack

Same issue.

tanpengsccd avatar Jun 13 '22 18:06 tanpengsccd

It works for me using the FORWARD chain. I am using the latest version of Docker.

The documentation and examples should be updated accordingly.

QuickJack avatar Jun 13 '22 19:06 QuickJack

Same issue; the above solution works for me too.

rachelf42 avatar Oct 09 '22 06:10 rachelf42

Experiencing the same issue even though I have the capability flags enabled so that the container should be able to access the host's firewall rules:

    privileged: true
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW

According to the documentation, NET_ADMIN should give us the capability to modify firewall rules within the host namespace. However, even though I can see the host's network interfaces from inside the container, iptables still appears to be showing a completely isolated, separate set of rules.

One thing I noticed is that my host appears to be using the newer "nf_tables" variant:

    host# iptables --version
    iptables v1.8.7 (nf_tables)

While the fail2ban container appears to be using the "legacy" variant:

    container:/# iptables --version
    iptables v1.8.9 (legacy)

Could this be the cause of the disparity?

robross0606 avatar Dec 27 '23 18:12 robross0606
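A small diagnostic for the two failure modes discussed in this thread (host and container on different iptables backends, and the jail's target chain not being visible from inside the container). This is an added example, not code from docker-fail2ban or from anyone in the thread; the version strings and rule dumps it checks are constructed to mirror the outputs posted above, and in practice you would feed it the real output of `iptables --version` and `iptables -S` captured on the host and inside the container.

```sh
#!/bin/sh
# Added example (not from the docker-fail2ban project): compare the iptables
# backend seen on the host with the one seen in the fail2ban container, and
# check whether the chain the jail targets is visible from the container.
# All sample outputs below are constructed.

# Pull the backend tag ("nf_tables" or "legacy") out of `iptables --version`.
iptables_variant() {
    printf '%s\n' "$1" | sed -n 's/.*(\([a-z_]*\)).*/\1/p'
}

# Succeed when host and container report the same backend.
variants_match() {
    [ "$(iptables_variant "$1")" = "$(iptables_variant "$2")" ]
}

# Succeed when chain $1 is listed (built-in "-P" or user-defined "-N")
# in the `iptables -S` output passed as $2.
chain_visible() {
    printf '%s\n' "$2" | grep -Eq "^-[NP] $1( |\$)"
}

# Print a verdict for the jail's chain; always returns 0.
diagnose() {
    host_ver=$1; cont_ver=$2; chain=$3; cont_rules=$4
    if variants_match "$host_ver" "$cont_ver"; then
        printf 'backend: both sides use %s\n' "$(iptables_variant "$host_ver")"
    else
        printf 'backend mismatch: host=%s container=%s\n' \
            "$(iptables_variant "$host_ver")" "$(iptables_variant "$cont_ver")"
    fi
    if chain_visible "$chain" "$cont_rules"; then
        printf 'chain %s is visible from the container\n' "$chain"
    else
        printf 'chain %s is NOT visible from the container; bans will fail\n' "$chain"
    fi
}

# Constructed samples mirroring the thread: host on nf_tables, container on
# legacy, and a container rule dump in which DOCKER-USER does not appear.
HOST_VERSION='iptables v1.8.7 (nf_tables)'
CONTAINER_VERSION='iptables v1.8.9 (legacy)'
CONTAINER_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

diagnose "$HOST_VERSION" "$CONTAINER_VERSION" DOCKER-USER "$CONTAINER_RULES"
```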

Guess I missed this...

robross0606 avatar Dec 27 '23 18:12 robross0606