Hosts running Docker with the default Debian/Ubuntu iptables use the nf_tables backend (iptables-nft). Inserting rules via iptables-legacy created them in a separate, unreferenced table — bans were recorded in fail2ban but packets were never dropped. Switching action commands to iptables-nft writes into the same DOCKER-USER chain that Docker manages, so bans take effect immediately. Also reverts the update-alternatives override from the Dockerfile since it is no longer needed (and generated noisy warnings).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
16 lines
821 B
Plaintext
[Definition]

# Three rules per ban:
# 1. DOCKER-USER source: blocks direct connections from the banned IP to any container
# 2. DOCKER-USER xt_string: blocks CDN-proxied requests where real IP is in X-Forwarded-For
#    (requires xt_string kernel module on the host: modprobe xt_string)
#    Caveats: only plaintext HTTP between the CDN and the origin can be inspected, and
#    the match is a prefix match (the string for 203.0.113.5 also matches 203.0.113.50).
#    If the module is missing the insert fails silently and only rules 1 and 3 apply.
# 3. INPUT: blocks direct connections to host services
#    (-A appends, so an earlier ACCEPT in INPUT, e.g. for established connections, still wins)
# Continuation lines must be indented; fail2ban hands the whole block to a shell.

actionban = iptables-nft -I DOCKER-USER -s <ip> -j DROP
            iptables-nft -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
            iptables-nft -A INPUT -s <ip> -j DROP

actionunban = iptables-nft -D DOCKER-USER -s <ip> -j DROP || true
              iptables-nft -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP 2>/dev/null || true
              iptables-nft -D INPUT -s <ip> -j DROP || true
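The failure the commit fixes is silent: fail2ban reports the ban, but the rule sits in a backend Docker's chain never reaches. The script below is an added check, not part of this repository, that confirms a ban actually lands in the nf_tables DOCKER-USER chain and flags a stray copy in the legacy backend. It assumes (these are not from the page) that `iptables -V` prints "(nf_tables)" or "(legacy)", that `iptables-nft -S CHAIN` prints iptables-save syntax with `--to 65535` on string matches, and that `fail2ban-client` and root are available when it is run live with `--live JAIL IP`. The embedded `-S` outputs are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the repository: verifies that a fail2ban ban lands
# in the nf_tables backend that Docker's DOCKER-USER chain lives in, rather than
# in the legacy backend described in the commit message.
# Assumptions (not taken from the page): `iptables -V` prints "(nf_tables)" or
# "(legacy)"; `iptables-nft -S CHAIN` prints iptables-save syntax; when run live
# (`sh check-ban.sh --live JAIL IP`) fail2ban-client and root privileges exist.

# Map an `iptables -V` line to its backend: nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Escape the dots of an address so it can be used inside a grep -E pattern.
ip_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Read `-S CHAIN` output on stdin; exit 0 if rule 1 of the action, the plain
# source DROP for IP, is present. -S prints the source with a /32 suffix.
has_source_drop() {
    grep -qE "^-A $1 -s $(ip_regex "$2")(/32)? -j DROP\$"
}

# Read `-S CHAIN` output on stdin; exit 0 if rule 2, the xt_string
# X-Forwarded-For DROP, is present. The [^0-9] after the address keeps a
# query for 203.0.113.5 from being satisfied by a rule for 203.0.113.50.
has_xff_drop() {
    grep -qE "^-A $1 .*-m string .*X-Forwarded-For: $(ip_regex "$2")[^0-9].* -j DROP\$"
}

# Constructed sample of `iptables-nft -S DOCKER-USER` after banning 203.0.113.5.
# Both -I rules sit above Docker's own RETURN; the string rule, inserted last,
# is on top.
SAMPLE_NFT_DOCKER_USER='-N DOCKER-USER
-A DOCKER-USER -m string --string "X-Forwarded-For: 203.0.113.5" --algo bm --to 65535 -j DROP
-A DOCKER-USER -s 203.0.113.5/32 -j DROP
-A DOCKER-USER -j RETURN'

# Constructed sample of what `iptables-legacy -S DOCKER-USER` looked like under
# the old action: the chain exists in the legacy table, but nothing jumps to it.
SAMPLE_LEGACY_DOCKER_USER='-N DOCKER-USER
-A DOCKER-USER -s 203.0.113.5/32 -j DROP'

# Exit 0 only if both DOCKER-USER rules for IP are present in the given -S output.
both_rules_present() {
    printf '%s\n' "$1" | has_source_drop DOCKER-USER "$2" &&
    printf '%s\n' "$1" | has_xff_drop DOCKER-USER "$2"
}

# Live check: ban IP in JAIL, confirm the rules are in the nf_tables backend,
# warn about a stray copy in the legacy backend, then unban again.
live_check() {
    jail="$1"; ip="$2"; rc=0
    echo "default iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    fail2ban-client set "$jail" banip "$ip" >/dev/null
    nft_rules=$(iptables-nft -S DOCKER-USER 2>/dev/null)
    legacy_rules=$(iptables-legacy -S DOCKER-USER 2>/dev/null)
    if both_rules_present "$nft_rules" "$ip"; then
        echo "OK: both DOCKER-USER rules for $ip are in nf_tables"
    elif printf '%s\n' "$nft_rules" | has_source_drop DOCKER-USER "$ip"; then
        echo "PARTIAL: source rule present, X-Forwarded-For rule missing (is xt_string loaded?)"
    else
        echo "FAIL: no DOCKER-USER rule for $ip in nf_tables"; rc=1
    fi
    if printf '%s\n' "$legacy_rules" | has_source_drop DOCKER-USER "$ip"; then
        echo "WARN: $ip is also in the legacy backend; that copy sits in a table Docker does not reference"
    fi
    fail2ban-client set "$jail" unbanip "$ip" >/dev/null
    return "$rc"
}

case "${1:-}" in
    --live) live_check "$2" "$3" ;;
esac
```

Run it as `sh check-ban.sh --live <jail> 203.0.113.5` (the name and the test address are placeholders) after deploying the action; a PARTIAL result means the `2>/dev/null || true` on rule 2 hid a missing xt_string module, and a WARN means old legacy-backend rules are still lying around and can be cleared with `iptables-legacy -F DOCKER-USER`.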