From 4f0129053c02eee0a13583cede3e330b28caa1b4 Mon Sep 17 00:00:00 2001
From: gitea
Date: Fri, 20 Feb 2026 17:00:57 +0000
Subject: [PATCH] fix: add NET_ADMIN/NET_RAW caps; fix ban rules for direct traffic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- docker-compose: add cap_add NET_ADMIN + NET_RAW — without these, iptables commands inside the container silently fail (permission denied) so bans were recorded in fail2ban but no rules were ever applied
- docker-npm.conf: add DOCKER-USER source IP rule so direct connections to NPM are blocked (INPUT rule only covers host services, not containers)
  xt_string rule now has || true so missing module doesn't abort the ban

Co-Authored-By: Claude Sonnet 4.6
---
 docker-compose.yml | 3 +++
 fail2ban/action.d/docker-npm.conf | 15 +++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index d4795dc..1222374 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,6 +21,9 @@ services:
 depends_on:
 - npm
 network_mode: host
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
 environment:
 PORT: "4000"
 SUBNETS_TO_IGNORE: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
diff --git a/fail2ban/action.d/docker-npm.conf b/fail2ban/action.d/docker-npm.conf
index 7057fea..c933065 100644
--- a/fail2ban/action.d/docker-npm.conf
+++ b/fail2ban/action.d/docker-npm.conf
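Review bot: The new `cap_add` block grants NET_ADMIN to a container that already runs with `network_mode: host`, so the fail2ban process — which acts on attacker-influenced log lines — can rewrite the host's entire netfilter state, not just the rules this action manages, and nothing in the hunk trims the rest of Docker's default capability set. Add `cap_drop:` / `  - ALL` immediately above `cap_add:` so the container holds only the two capabilities the commit message says it needs. iptables rule manipulation needs CAP_NET_ADMIN; CAP_NET_RAW covers raw/packet sockets, so it is worth confirming by test whether `- NET_RAW` is actually required here before keeping it. The enclosing service definition starts above the hunk, so any existing `cap_drop` or `security_opt` there is not visible in this review.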
@@ -1,12 +1,15 @@
 [Definition]
-# Drops traffic two ways:
-# - DOCKER-USER: matches X-Forwarded-For header in forwarded packets (CDN/proxy setups)
-# - INPUT: drops direct connections at the host level
-# Requires xt_string kernel module on the host (modprobe xt_string).
+# Three rules per ban:
+# 1. DOCKER-USER source: blocks direct connections from the banned IP to any container
+# 2. DOCKER-USER xt_string: blocks CDN-proxied requests where real IP is in X-Forwarded-For
+# (requires xt_string kernel module on the host: modprobe xt_string)
+# 3. INPUT: blocks direct connections to host services
-actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+actionban = iptables -I DOCKER-USER -s -j DROP
+ iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP 2>/dev/null || true
 iptables -A INPUT -s -j DROP
-actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP || true
+actionunban = iptables -D DOCKER-USER -s -j DROP || true
+ iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP 2>/dev/null || true
 iptables -D INPUT -s -j DROP || true
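Review bot: The `2>/dev/null || true` added to the xt_string rule in `actionban` turns a missing module or a failed insert into a silent success — fail2ban records the ban, but the CDN-proxied path (rule 2 of the new header comment) stays open and nothing reaches the log. Check the precondition once instead, e.g. `actionstart = modprobe xt_string` (a failing actionstart is logged by fail2ban and surfaces the misconfiguration at jail start), or at least drop the `2>/dev/null` so the iptables error text is visible in fail2ban's log when the per-ban fallback fires. The header comment should also say that `--string 'X-Forwarded-For: <ip>'` is a substring match on cleartext payload: banning an address also matches any longer address that starts with the same digits, and TLS-terminated traffic is never matched, so rules 1 and 3 are the only reliable ones. The `<ip>` placeholders after `-s` and inside the quoted string appear to have been stripped in this rendering rather than in the file; worth confirming against the committed text.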