fix: add NET_ADMIN/NET_RAW caps; fix ban rules for direct traffic

- docker-compose: add cap_add NET_ADMIN + NET_RAW — without these,
  iptables commands inside the container silently fail (permission denied)
  so bans were recorded in fail2ban but no rules were ever applied
- docker-npm.conf: add DOCKER-USER source IP rule so direct connections
  to NPM are blocked (INPUT rule only covers host services, not containers)
  xt_string rule now has || true so missing module doesn't abort the ban

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/action.d/docker-npm.conf

@@ -1,12 +1,15 @@
 [Definition]
 
-# Drops traffic two ways:
-# - DOCKER-USER: matches X-Forwarded-For header in forwarded packets (CDN/proxy setups)
-# - INPUT: drops direct connections at the host level
-# Requires xt_string kernel module on the host (modprobe xt_string).
+# Three rules per ban:
+# 1. DOCKER-USER source: blocks direct connections from the banned IP to any container
+# 2. DOCKER-USER xt_string: blocks CDN-proxied requests where real IP is in X-Forwarded-For
+#    (requires xt_string kernel module on the host: modprobe xt_string)
+# 3. INPUT: blocks direct connections to host services
 
-actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
+actionban = iptables -I DOCKER-USER -s <ip> -j DROP
+            iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
             iptables -A INPUT -s <ip> -j DROP
 
-actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP || true
+actionunban = iptables -D DOCKER-USER -s <ip> -j DROP || true
+              iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
               iptables -D INPUT -s <ip> -j DROP || true