docker-fail2ban-synology
Client IP banned but docker still accessible
I installed fail2ban on my Synology in a Docker container. The IP detection works correctly; however, despite the banning rules being created on my Synology, I still have access to my Docker container, which should be blocked.
[jellyfin]
enabled = true
port = 80,443
protocol = tcp
filter = jellyfin
maxretry = 3
bantime = 180
findtime = 43200
logpath = /config/log/jellyfin/*.log
#action = iptables-allports[name=jellyfin, chain=INPUT] => blocks access to NAS but not to docker
action = iptables-allports[name=jellyfin, chain=DOCKER-USER]
I had the same issue. The IP is added to iptables but it's not respected and 192.168.1.25 can still access jellyfin.
I fixed it by:
Changing the jellyfin container's network to: network_mode: host
- Before, I was using a macvlan and I couldn't get DOCKER-USER to work with chain FORWARD in iptables.
This meant updating 'action' in /data/jail.d/jellyfin.local to:
action = iptables-allports[name=jellyfin, chain=INPUT]
- Synology uses chain INPUT when a container is using the host network, which meant that banning a LAN IP address actually did block (DROP) the packets.
My configs for anyone interested:
/data/jail.d/jellyfin.local
[jellyfin]
bantime = 2592000
findtime = 86400
maxretry = 3
backend = auto
enabled = true
filter = jellyfin
logpath = /jellyfin_logs/log_*.log
action = iptables-allports[name=jellyfin, chain=INPUT]
jellyfin docker compose:
version: '3.5'
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:
      - PUID=yourPUIDHere
      - PGID=yourPGIDHere
      - TZ=America/Chicago
    volumes:
      - '/volume1/docker/jellyfin/library:/config'
      - '/volume1/data/media:/media:ro'
    # host networking: inbound traffic hits the host's INPUT chain, which is
    # where the fail2ban action above inserts the f2b-jellyfin jump
    network_mode: host
    restart: unless-stopped
fail2ban docker compose:
version: '3'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    environment:
      F2B_DB_PURGE_AGE: '30d' # optional
      F2B_LOG_TARGET: '/data/fail2ban.log' # optional
      TZ: 'America/Chicago'
    volumes:
      - '/volume1/docker/fail2ban/data:/data'
      # jail logpath /jellyfin_logs/log_*.log reads from this read-only mount
      - '/volume1/docker/jellyfin/library/log:/jellyfin_logs:ro'
    # privileged grants every capability; NET_ADMIN and NET_RAW are the two
    # fail2ban needs to edit the host's iptables
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    # must share the host network namespace so the ban rules land in the
    # host's netfilter tables, not the container's own
    network_mode: 'host'
    restart: unless-stopped
iptables with a successful ban:
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-jellyfin tcp -- 0.0.0.0/0 0.0.0.0/0
...
Chain f2b-jellyfin (1 references)
target prot opt source destination
DROP all -- 192.168.1.25 0.0.0.0/0 <--- 3 failed login attempts
RETURN all -- 0.0.0.0/0 0.0.0.0/0
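The thread's root cause is that a fail2ban DROP rule only works if it is reachable from the chain that the container's traffic actually traverses: a host-networked container is terminated by the host, so its packets go through INPUT; a bridge-networked container's packets are forwarded, so only FORWARD (and the DOCKER-USER chain Docker jumps to from it) sees them; and a macvlan container's traffic bypasses the host's IP stack entirely, so neither chain sees it. The following Python script is an added example, not code from this thread or from the crazymax/fail2ban project. It parses the `iptables -L -n` listing format shown above, walks the jump targets from the entry chain, and reports whether a banned IP is actually dropped on the path the container's network mode implies. The listing it runs against is a constructed sample modelled on the one posted above (with FORWARD and DOCKER-USER chains added), and the function names are my own.

```python
"""Check that a fail2ban ban is reachable from the chain that sees the
container's traffic.  Added example; not part of the original thread."""
import re

# Constructed sample of `iptables -L -n` output, modelled on the listing in
# the thread: f2b-jellyfin is hooked from INPUT only, so a bridge-networked
# container (FORWARD -> DOCKER-USER) would not be protected by it.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-jellyfin  tcp  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-jellyfin (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.25         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def expected_chain(network_mode):
    """Which built-in chain sees inbound traffic for a container.

    host    -> packets terminate on the host, so INPUT applies.
    bridge  -> packets are forwarded into the docker bridge, so FORWARD
               applies; Docker jumps to DOCKER-USER first, which is the
               chain meant for user rules.
    macvlan -> traffic goes straight to the macvlan sub-interface and
               never traverses the host's IP layer, so no host chain
               can filter it (this is why the macvlan setup in the thread
               could not be fixed with either action).
    """
    if network_mode == "host":
        return "INPUT"
    if network_mode == "bridge":
        return "DOCKER-USER"
    return None


def parse_chains(listing):
    """Parse `iptables -L -n` text into {chain: [rule dict, ...]}."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        chains[current].append({
            "target": parts[0],
            "prot": parts[1],
            "source": parts[3].removesuffix("/32"),
            "destination": parts[4],
        })
    return chains


def is_dropped_from(listing, ip, entry_chain):
    """True if a DROP for `ip` is reachable by following jumps from
    `entry_chain` (depth-first, with cycle protection)."""
    chains = parse_chains(listing)
    stack, seen = [entry_chain], set()
    while stack:
        name = stack.pop()
        if name in seen or name not in chains:
            continue
        seen.add(name)
        for rule in chains[name]:
            if rule["target"] == "DROP" and rule["source"] == ip:
                return True
            if rule["target"] in chains:      # user-defined chain: follow the jump
                stack.append(rule["target"])
    return False


def ban_effective(listing, ip, network_mode):
    """Return (chain_checked, banned).  chain_checked is None for macvlan,
    where no host chain can enforce the ban at all."""
    chain = expected_chain(network_mode)
    if chain is None:
        return None, False
    return chain, is_dropped_from(listing, ip, chain)


if __name__ == "__main__":
    for mode in ("host", "bridge", "macvlan"):
        chain, ok = ban_effective(SAMPLE_IPTABLES, "192.168.1.25", mode)
        print(f"{mode:8s} checks {chain}: ban effective = {ok}")
```

Run it against a real listing with `sudo iptables -L -n > /tmp/ipt.txt` and feed the file contents to `ban_effective`. On the sample, the host-network case reports the ban as effective through INPUT, the bridge case reports it as not effective because nothing under DOCKER-USER drops the address, and macvlan reports no usable chain at all; the last two are exactly the two failures described in the thread.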