mykey/Fail2Ban-Dashboard---NPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: use iptables-nft so rules land in the same table Docker uses

Browse Source 
Hosts running Docker with the default Debian/Ubuntu iptables use the
nf_tables backend (iptables-nft). Inserting rules via iptables-legacy
created them in a separate, unreferenced table — bans were recorded in
fail2ban but packets were never dropped.

Switching action commands to iptables-nft writes into the same
DOCKER-USER chain that Docker manages, so bans take effect immediately.
Also reverts the update-alternatives override from the Dockerfile since
it is no longer needed (and generated noisy warnings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
gitea
2026-02-20 17:29:33 +00:00
parent 04964dd174
commit 6d2ca9ea57
2 changed files with 6 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@@ -24,8 +24,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
ipset \
curl \
jq \
&& update-alternatives --set iptables /usr/sbin/iptables-legacy \
&& update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy \
&& rm -rf /var/lib/apt/lists/* \
# Remove debian default jail (enables sshd which has no log file in container)
&& rm -f /etc/fail2ban/jail.d/defaults-debian.conf

12
fail2ban/action.d/docker-npm.conf
View File

@@ -6,10 +6,10 @@
# (requires xt_string kernel module on the host: modprobe xt_string)
# 3. INPUT: blocks direct connections to host services
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables -A INPUT -s <ip> -j DROP
actionban = iptables-nft -I DOCKER-USER -s <ip> -j DROP
iptables-nft -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables-nft -A INPUT -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP || true
iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables -D INPUT -s <ip> -j DROP || true
actionunban = iptables-nft -D DOCKER-USER -s <ip> -j DROP || true
iptables-nft -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables-nft -D INPUT -s <ip> -j DROP || true