mykey/Fail2Ban-Dashboard---NPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: add NET_ADMIN/NET_RAW caps; fix ban rules for direct traffic

Browse Source 
- docker-compose: add cap_add NET_ADMIN + NET_RAW — without these,
  iptables commands inside the container silently fail (permission denied)
  so bans were recorded in fail2ban but no rules were ever applied
- docker-npm.conf: add DOCKER-USER source IP rule so direct connections
  to NPM are blocked (INPUT rule only covers host services, not containers)
  xt_string rule now has || true so missing module doesn't abort the ban

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
gitea
2026-02-20 17:00:57 +00:00
parent ec97c06d07
commit 4f0129053c
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docker-compose.yml
View File

@@ -21,6 +21,9 @@ services:
depends_on:
- npm
network_mode: host
cap_add:
- NET_ADMIN
- NET_RAW
environment:
PORT: "4000"
SUBNETS_TO_IGNORE: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

15
fail2ban/action.d/docker-npm.conf
View File

@@ -1,12 +1,15 @@
[Definition]
# Drops traffic two ways:
# - DOCKER-USER: matches X-Forwarded-For header in forwarded packets (CDN/proxy setups)
# - INPUT: drops direct connections at the host level
# Requires xt_string kernel module on the host (modprobe xt_string).
# Three rules per ban:
# 1. DOCKER-USER source: blocks direct connections from the banned IP to any container
# 2. DOCKER-USER xt_string: blocks CDN-proxied requests where real IP is in X-Forwarded-For
# (requires xt_string kernel module on the host: modprobe xt_string)
# 3. INPUT: blocks direct connections to host services
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables -A INPUT -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP || true
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP || true
iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables -D INPUT -s <ip> -j DROP || true