Hosts running Docker with the default Debian/Ubuntu iptables use the
nf_tables backend (iptables-nft). Inserting rules via iptables-legacy
created them in a separate, unreferenced table — bans were recorded in
fail2ban but packets were never dropped.
Switching action commands to iptables-nft writes into the same
DOCKER-USER chain that Docker manages, so bans take effect immediately.
Also reverts the update-alternatives override from the Dockerfile since
it is no longer needed (and generated noisy warnings).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- docker-compose: add cap_add NET_ADMIN + NET_RAW — without these,
iptables commands inside the container silently fail (permission denied)
so bans were recorded in fail2ban but no rules were ever applied
- docker-npm.conf: add DOCKER-USER source IP rule so direct connections
to NPM are blocked (INPUT rule only covers host services, not containers)
xt_string rule now has || true so missing module doesn't abort the ban
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove telegram_notif.sh and all Telegram references
- Remove webhook.conf fail2ban action (dashboard webhook stays)
- docker-npm.conf: iptables ban/unban only, no lifecycle hooks
- Merge docker-compose.cloudflare.yml into docker-compose.yml
CF_EMAIL/CF_APIKEY always present — fill in to enable WAF banning
- Remove TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from compose
- Drop .env.example dependency — all config inline in compose file
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
