
Comments (6)

psidex commented on July 24, 2024

@crazy-max

Sorry about that, thanks for the info 👍

from docker-fail2ban.

crazy-max commented on July 24, 2024

@psidex,

Your iptables chain is not the good one for this jail. Please take a look at this example.


mastan30 commented on July 24, 2024

@crazy-max can you please help me here?

I am not sure whether this is the right place to post this, but I am trying to resolve the issue of the fail2ban docker container still allowing banned IPs. I tried setting Chain to DOCKER-USER but it's failing with the following error:

```
2021-10-25 21:52:14,022 fail2ban.utils [1]: ERROR b64f6650 -- exec: iptables -w -N f2b-npm-docker
iptables -w -A f2b-npm-docker -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- stderr: 'iptables: Chain already exists.'
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- stderr: 'iptables: No chain/target/match by that name.'
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- returned 1
2021-10-25 21:52:14,024 fail2ban.actions [1]: ERROR Failed to execute ban jail 'npm-docker' action 'iptables-multiport' info 'ActionInfo({'ip': '77.81.98.70', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0xb64d8cd0>, 'raw-ticket': <function Actions.ActionInfo. at 0xb64d6070>})': Error starting action Jail('npm-docker')/iptables-multiport: 'Script error'
2021-10-25 21:52:14,682 fail2ban.filter [1]: INFO [npm-docker] Found 77.81.98.70 - 2021-10-25 21:52:14
```

These are my iptables details on the Raspberry Pi (not of fail2ban docker):

```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5019 3594K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
5019 3594K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
767 468K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 416 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
916 952K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
5795 2549K ACCEPT all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
7675 747K ACCEPT all -- br-8f06c3dc391f !br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-8f06c3dc391f br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
43965 23M ACCEPT all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1083 59844 DOCKER all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
22862 17M ACCEPT all -- br-288ddad3c4ae !br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
22 1320 ACCEPT all -- br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
8 416 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8000
11 540 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:443
4 208 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:81
0 0 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
916 952K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
184 17672 DOCKER-ISOLATION-STAGE-2 all -- br-8f06c3dc391f !br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
720 189K DOCKER-ISOLATION-STAGE-2 all -- br-288ddad3c4ae !br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
5019 3594K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
102K 73M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
1820 1159K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Warning: iptables-legacy tables present, use iptables-legacy to see them
```

I am running my fail2ban, nginx proxy manager inside docker.

This is my fail2ban configuration:

```yaml
version: "3.7"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_docker
    network_mode: "host"
    environment:
      - TZ=US/Eastern
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "Path/to/fail2ban/data:/data"
      - "Path/to/fail2ban/log/:/var/log/"
      - "Path/to/data/logs:/log/npm/:ro"
      - "Path/to/logs:/log/emby/:ro"
    restart: unless-stopped
```

This is my jail conf:

```
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.0.0/24
chain = INPUT
logpath = /log/npm/default-host_.log
/log/npm/proxy-host-
.log
maxretry = 3
bantime = 84600
findtime = 60
```

Can someone please help me with this?


v1-valux commented on July 24, 2024

I'm having similar issues, is there any update?


mastan30 commented on July 24, 2024

@valvanet, I am able to resolve this. You need to check the iptables chains in order to set the chain: check whether your docker containers are associated with the DOCKER-USER chain, the FORWARD chain or the INPUT chain, and based on that you need to provide the chain.

from docker-fail2ban.
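The chain check described in the comment above, as an added example that is not part of the thread and not code from docker-fail2ban. It reads a saved `iptables -L -n -v` listing and suggests a `chain` value for one service port; `sample_listing` and `pick_chain` are hypothetical names, the listing is constructed, and the decision rule (a port with an ACCEPT rule in the `DOCKER` chain is a published container port whose traffic is forwarded instead of reaching `INPUT`) is a heuristic.

```shell
#!/bin/sh
# Added example: pick the fail2ban `chain` for a service port from a saved
# `iptables -L -n -v` listing. Heuristic (an assumption, not project code):
#   port has an ACCEPT rule in the DOCKER chain -> published container port,
#   traffic is forwarded -> DOCKER-USER if FORWARD jumps to it, else FORWARD;
#   otherwise the port is served from the host namespace -> INPUT.

# Constructed sample, shortened from the kind of listing posted in the thread.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 5019 3594K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
 1083 59844 DOCKER all -- * br-example 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (1 references)
 pkts bytes target prot opt in out source destination
 11 540 ACCEPT tcp -- !br-example br-example 0.0.0.0/0 172.18.0.2 tcp dpt:443

Chain DOCKER-USER (1 references)
 pkts bytes target prot opt in out source destination
 102K 73M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
}

# pick_chain PORT (listing on stdin): prints INPUT, FORWARD or DOCKER-USER
pick_chain() {
  awk -v port="$1" '
    $1 == "Chain" { chain = $2; seen[chain] = 1; next }  # new chain section
    $1 == "pkts" || NF == 0 { next }                     # column header, blank
    chain == "FORWARD" && $3 == "DOCKER-USER" { jump = 1 }
    chain == "DOCKER" && $3 == "ACCEPT" {
      for (i = 4; i <= NF; i++) if ($i == ("dpt:" port)) published = 1
    }
    END {
      if (!published) print "INPUT"
      else if (jump && seen["DOCKER-USER"]) print "DOCKER-USER"
      else print "FORWARD"
    }'
}

sample_listing | pick_chain 443   # prints DOCKER-USER (published container port)
sample_listing | pick_chain 22    # prints INPUT (not published by Docker)
```

On a live host the listing would come from `iptables -L -n -v` run against the same iptables backend that fail2ban itself uses.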

mastan30 commented on July 24, 2024

I did the following things to finally be able to get fail2ban to work for me: NginxProxyManager/nginx-proxy-manager#39 (comment)
