fix: use iptables-nft so rules land in the same table Docker uses

Hosts running Docker with the default Debian/Ubuntu iptables use the
nf_tables backend (iptables-nft). Inserting rules via iptables-legacy
created them in a separate, unreferenced table — bans were recorded in
fail2ban but packets were never dropped.

Switching action commands to iptables-nft writes into the same
DOCKER-USER chain that Docker manages, so bans take effect immediately.
Also reverts the update-alternatives override from the Dockerfile since
it is no longer needed (and generated noisy warnings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 17:29:33 +00:00
parent 04964dd174
commit 6d2ca9ea57
2 changed files with 6 additions and 8 deletions

@@ -6,10 +6,10 @@
# (requires xt_string kernel module on the host: modprobe xt_string)
# 3. INPUT: blocks direct connections to host services
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables -A INPUT -s <ip> -j DROP
actionban = iptables-nft -I DOCKER-USER -s <ip> -j DROP
iptables-nft -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables-nft -A INPUT -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP || true
iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables -D INPUT -s <ip> -j DROP || true
actionunban = iptables-nft -D DOCKER-USER -s <ip> -j DROP || true
iptables-nft -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
iptables-nft -D INPUT -s <ip> -j DROP || true
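Review bot: the INPUT rule is still appended (`iptables-nft -A INPUT -s <ip> -j DROP`) while the DOCKER-USER rules are inserted at the top with `-I`, so on a host whose INPUT chain already accepts established/related traffic or has a broad ACCEPT earlier in the chain, the ban lands after that rule and never matches; use `-I INPUT` in actionban for the same reason the DOCKER-USER rules use it (the `-D INPUT` in actionunban still removes it either way). Two smaller points on the same lines: hardcoding the `iptables-nft` binary makes the action fail outright on a host or container image that only ships `iptables` (fail2ban will then log the ban but nothing is dropped again, the exact failure this change is fixing), so the header comment should state that `iptables-nft` must be present; and the `--string 'X-Forwarded-For: <ip>'` match is a plain substring search, so banning 10.0.0.1 also drops requests carrying 10.0.0.10 through 10.0.0.19 and 10.0.0.100 to 10.0.0.199 in that header, which is worth documenting next to the existing xt_string note.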