diff --git a/docker-compose.yml b/docker-compose.yml
index d4795dc..1222374 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,6 +21,9 @@ services:
       depends_on:
         - npm
       network_mode: host
+      cap_add:
+        - NET_ADMIN
+        - NET_RAW
       environment:
         PORT: "4000"
         SUBNETS_TO_IGNORE: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
diff --git a/fail2ban/action.d/docker-npm.conf b/fail2ban/action.d/docker-npm.conf
index 7057fea..c933065 100644
--- a/fail2ban/action.d/docker-npm.conf
+++ b/fail2ban/action.d/docker-npm.conf
@@ -1,12 +1,15 @@
 [Definition]
-# Drops traffic two ways:
-# - DOCKER-USER: matches X-Forwarded-For header in forwarded packets (CDN/proxy setups)
-# - INPUT: drops direct connections at the host level
-# Requires xt_string kernel module on the host (modprobe xt_string).
+# Three rules per ban:
+# 1. DOCKER-USER source: blocks direct connections from the banned IP to any container
+# 2. DOCKER-USER xt_string: blocks CDN-proxied requests where real IP is in X-Forwarded-For
+# (requires xt_string kernel module on the host: modprobe xt_string)
+# 3. INPUT: blocks direct connections to host services
-actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+actionban = iptables -I DOCKER-USER -s -j DROP
+ iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP 2>/dev/null || true
 iptables -A INPUT -s -j DROP
-actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP || true
+actionunban = iptables -D DOCKER-USER -s -j DROP || true
+ iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP 2>/dev/null || true
 iptables -D INPUT -s -j DROP || true
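Review bot: The new `cap_add: NET_ADMIN` sits directly under the existing `network_mode: host`, which means the container can rewrite the host's own netfilter tables (that is what the fail2ban action relies on, since it inserts into the host DOCKER-USER and INPUT chains), yet nothing in the compose file records that this is deliberate; a comment above `cap_add:` such as `# host netns + NET_ADMIN: fail2ban inserts into the host's DOCKER-USER/INPUT chains` would stop the next reader from either removing it or granting it more widely. NET_RAW is presumably there for raw-socket use; if this container only invokes iptables, NET_ADMIN alone covers that, so it is worth confirming against the image's actual needs before keeping both. Pairing the grant with `cap_drop: [ALL]` immediately before `cap_add:` pins the container's capability set to exactly what is listed rather than the Docker default plus these two. Note that SYS_MODULE is not among the added capabilities, so loading xt_string still has to happen on the host, which is consistent with the modprobe remark in the action file.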
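Review bot: The rewritten header comment describes rule 2 as blocking CDN-proxied requests, but an `-m string` match can only see `X-Forwarded-For` in plaintext packets, so when the CDN reaches the proxy over TLS the header is encrypted and the rule never fires; the comment should say so, e.g. `#    Only matches unencrypted HTTP; the header is invisible inside TLS from the CDN`. The same `--string 'X-Forwarded-For: <ip>'` pattern (assuming the `<ip>` tag was merely lost in this rendering, since the lines show `-s -j DROP` with no address) is a prefix match, so banning 10.0.0.1 also drops proxied traffic whose header reads 10.0.0.10 or 10.0.0.100; terminating the pattern, for instance with a `--hex-string` form ending in `|0d0a|`, would avoid dropping a neighbour's traffic. The added `2>/dev/null || true` on both string rules also discards the one message that tells an operator xt_string is not loaded, leaving a ban silently one-third applied; dropping the `2>/dev/null` so the error lands in fail2ban's log, or probing the module once in `actionstart`, keeps the failure visible. Whether the actionban/actionunban blocks have further continuation lines outside this hunk cannot be seen from here.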