Will you support nftables? #29
Comments
Hi @cybermcm, we have to wait for fail2ban/fail2ban#2254 |
@crazy-max Thanks for your answer, didn't know that. You want me to close this issue or should it stay open in case someone else asks the same question? |
@cybermcm Leave it open for now. I'll keep you posted when this feature is implemented. |
```sh
/sbin # for a in iptables iptables-save iptables-restore; do ln -sf xtables-nft-multi $a; done
```

I ran the above inside the container, and this allowed bans to work. My host is Debian 10 (buster). |
This feature is now available. Let me know if you can test it and give me your feedback. |
@crazy-max Thank you for the information. |
@cybermcm I will make some tests too. I'll keep you posted. |
Thanks. I tried a few things but didn't get it to work (mainly due to my very basic nftables know-how I think). Question to begin with: With nftables is it still necessary to spin up 2 f2b instances (host and docker)? As far as I understand it shouldn't be necessary any more. Am I right? |
@crazy-max Just wanted to check if you need anything from my side? Can you reproduce my issue? |
I'll tell you when I've got some time |
I spent some time messing with this, and I was able to get this working correctly (as far as I can tell). I have a
This is the same for both my fail2ban-input and fail2ban-docker containers (one for host services, the other for docker containers, respectively). At this point, it seems like the fail2ban-input container was working (it bans SSH correctly). fail2ban-docker needs a bit more setup. In
Now doing
Seems to be working! |
@PhasecoreX I tried your suggestion and can confirm that it works. Thanks for this suggestion! |
You're welcome! I figure the most basic fail2ban configuration by default should be able to block host stuff correctly (which it does). The downsides for the Docker setup are whatever the downsides of using
Hi,
Fail2ban sees the logging I want to catch (403 errors) and jails the IP addresses fine:
However, the IP addresses are not banned in nftables rules:
My config is this:
docker-compose is this:
logging is a lot like this:
How to troubleshoot further? Why doesn't fail2ban block the jailed hosts in nftables on the Debian host? |
@hanscees: I'm definitely no expert, I've done some things differently but it is working:
see comment #29 (comment) blocking IPs are added to |
I do have the nftables, now I set networking to host. However nothing is blocked. This probably has to do with my nftables setup using table inet. this docker-compose.yml works:
|
My conclusion "nothing is blocked" was wrong. After adding host networking:
notice I added the lines with handle 9, 7 and 11 manually by doing
My issue was that maxretry was on 5 instead of 1 (I expected an immediate ban). After I set maxretry to 1 the bans are immediate as I want them to be. Thanks for the help! nftables tested ok here! |
Seeing as #46 and #17 were closed recently, I decided to revisit this to get nftables working with just one container for both input and forward chains. I think I got it working, and I am really happy with the results. With this setup, Fail2Ban makes one table, but makes 2 chains in it, one for First, make 2 files in the
And that's it. For each of your jails, instead of using
Hope this helps! |
@PhasecoreX That's really nice, thanks for that! I think we can move forward and implement this behavior in this image. |
Hi guys, it works for me too with nftables-multiport.conf instead of nftables.conf. Thank you for your work! |
Small feedback coming from a different configuration from those already mentioned here. I am under Fedora 32 Server with nftables and I am using Podman as well as SELinux in Enforcing mode. The container is launched via a systemd service (if some people are interested, I could add my unit). For now, I have not yet set up all my jails but the one for sshd works perfectly and the IPs are correctly banned. |
Hoping someone can help me with my Debian 10 nftables setup. I'm trying to do it the way @PhasecoreX described. Relevant compose:

```yaml
fail2ban:
  container_name: fail2ban
  hostname: fail2ban
  image: crazymax/fail2ban:latest
  network_mode: "host"
  cap_add:
    - "NET_ADMIN"
    - "NET_RAW"
  volumes:
    - "/docker/config/fail2ban:/data"
    - "/etc/localtime:/etc/localtime:ro"
    - "/var/log/auth.log:/var/log/auth.log:ro"
  environment:
    - "TZ=America/New_York"
  restart: unless-stopped
  logging:
    driver: json-file
    options:
      max-file: "3"
      max-size: "10M"
```

My
My
My
There are banned IPs by my jail:
But nothing in my iptables:
Any idea where I've gone wrong? |
@goose-ws: your config seems fine. To view your bans try nftables tools, like
It appears that I don't have
|
Did you update an old installation because then iptables stays. |
I followed the config from @PhasecoreX but can't get nftables to block anything. Testing off my mobile connection, I'm still able to load services served by Traefik:

```
$ sudo nft list ruleset
...
table inet f2b-table {
	set addr-set-traefik-auth {
		type ipv4_addr
		elements = { 120.18.36.14 }
	}

	chain f2b-chain-forward {
		type filter hook forward priority filter - 1; policy accept;
		tcp dport { 80, 443 } ip saddr @addr-set-traefik-auth reject
	}
}
``` |
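The layout this thread converges on is one table (`f2b-table`), an input-hook chain for host services, a forward-hook chain for bridge-networked containers, and one address set per jail, and the two recurring symptoms are "fail2ban-client shows the ban but `iptables -L` shows nothing" (iptables-nft and iptables-legacy keep separate rule sets) and "the IP is in the set but traffic still gets through" (the chain sits on the wrong hook, or the container uses macvlan, whose frames are handed to the container at layer 2 and never cross the host's input or forward hooks). The following is an added example, not the image's action files (which the thread does not show) and not fail2ban's own code. It renders that layout in the same text form `nft list ruleset` prints, parses that form back, and checks whether a ban is actually enforced on the path the traffic takes; the `f2b-table`, `addr-set-<jail>` and `f2b-chain-<hook>` names follow the ruleset above, while the jail names, ports and addresses are constructed for illustration.

```python
"""Added example: model the nftables layout from this thread and check bans.
Not code from crazy-max/docker-fail2ban or fail2ban; names, ports and
addresses below are constructed."""
import re
from dataclasses import dataclass, field

FAMILY, TABLE = "inet", "f2b-table"
# Host services terminate in the host stack (input hook); traffic routed into a
# bridge container crosses the host (forward hook). Macvlan traffic bypasses the
# host IP stack, so no chain applies to it.
CHAIN_BY_SCOPE = {"host": "f2b-chain-input", "container": "f2b-chain-forward"}


@dataclass
class Jail:
    name: str        # fail2ban jail name, e.g. "sshd" or "traefik-auth"
    ports: tuple     # TCP ports the jail protects
    scope: str       # "host" | "container" | "macvlan"


@dataclass
class Chain:
    hook: str = None
    sets: list = field(default_factory=list)  # address sets its rules consult


def chain_for(scope):
    return CHAIN_BY_SCOPE.get(scope)


def hook_for(chain):
    return chain.rsplit("-", 1)[1]


def render_ruleset(jails, bans):
    """Emit the table as `nft list ruleset` prints it (also loadable with nft -f).
    bans maps jail name -> list of banned IPv4 addresses."""
    out = [f"table {FAMILY} {TABLE} {{"]
    for j in jails:
        out += [f"\tset addr-set-{j.name} {{", "\t\ttype ipv4_addr"]
        if bans.get(j.name):
            out.append(f"\t\telements = {{ {', '.join(bans[j.name])} }}")
        out += ["\t}", ""]
    for chain in CHAIN_BY_SCOPE.values():
        members = [j for j in jails if chain_for(j.scope) == chain]
        if not members:
            continue
        # priority -1 (printed by nft as "filter - 1") runs before priority-0
        # filter chains, so the reject wins over any accept rule in them.
        out += [f"\tchain {chain} {{",
                f"\t\ttype filter hook {hook_for(chain)} priority filter - 1; policy accept;"]
        for j in members:
            ports = ", ".join(str(p) for p in j.ports)
            out.append(f"\t\ttcp dport {{ {ports} }} ip saddr @addr-set-{j.name} reject")
        out.append("\t}")
    out.append("}")
    return "\n".join(out) + "\n"


SET_RE = re.compile(r"^set (\S+) \{")
CHAIN_RE = re.compile(r"^chain (\S+) \{")
HOOK_RE = re.compile(r"\bhook (\w+) priority")
ELEM_RE = re.compile(r"elements = \{([^}]*)\}")
REF_RE = re.compile(r"@([\w.-]+)")


def parse_ruleset(text):
    """Line-based reader for the table above; element lists may wrap lines."""
    sets, chains, cur, buf = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if cur is None:
            if m := SET_RE.match(line):
                cur, buf = ("set", m.group(1)), []
            elif m := CHAIN_RE.match(line):
                cur = ("chain", m.group(1))
                chains[cur[1]] = Chain()
            continue
        kind, name = cur
        if line == "}":
            if kind == "set":
                m = ELEM_RE.search(" ".join(buf))
                sets[name] = {e.strip() for e in m.group(1).split(",") if e.strip()} if m else set()
            cur = None
        elif kind == "set":
            buf.append(line)
        else:
            if m := HOOK_RE.search(line):
                chains[name].hook = m.group(1)
            chains[name].sets += REF_RE.findall(line)
    return sets, chains


def ban_status(text, ip, jail, scope):
    """Return (ip is in the jail's set, a chain on the hook this traffic crosses
    consults that set). (True, False) is the reported symptom: fail2ban recorded
    the ban, but nothing on the packet path rejects it."""
    sets, chains = parse_ruleset(text)
    addr_set = f"addr-set-{jail}"
    in_set = ip in sets.get(addr_set, set())
    chain = chain_for(scope)
    if chain is None:
        return in_set, False
    return in_set, any(c.hook == hook_for(chain) and addr_set in c.sets for c in chains.values())


def iptables_backend(version_line):
    """Classify `iptables -V` output as 'nf_tables' or 'legacy'. The backends keep
    separate rule sets, so `iptables -L` from the other one shows none of the
    rules; `nft list ruleset` shows them either way. Pre-1.8 prints no tag: None."""
    m = re.search(r"\((nf_tables|legacy)\)", version_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    jails = [Jail("sshd", (22,), "host"), Jail("traefik-auth", (80, 443), "container")]
    text = render_ruleset(jails, {"traefik-auth": ["120.18.36.14"]})
    print(text)
    print(ban_status(text, "120.18.36.14", "traefik-auth", "container"))
```

Run it as-is to see the rendered table; to check a live host, feed the output of `sudo nft list ruleset` to `ban_status` with the jail name and whether the service runs on the host or in a bridge-networked container.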
@calvinbui: Seems correct for me (but I'm no expert at all). Maybe another rule in place which interferes with the F2B rule? |
I can get I tried using the legacy method with Reading the docs, it mentions the
|
figured it out, iptables doesn't work on containers using macvlan. |
I can confirm that. I also have MacVlan installed. I can see in the log that the IP was recognized and should be blocked. However, there is no action. This means that the page can still be accessed for the blocked IP. Does anyone know a solution? |
Same problem here! I have an nginx reverse proxy container with a macvlan network and a docker bridge network in front of a vaultwarden with only the same bridge network. I get the events in the fail2ban log and also the ban, but I can still access the vaultwarden through the proxy. Any way to fix that?
Running on RP4+ 5.10.92-v8+ #1514 SMP PREEMPT Mon Jan 17 17:39:38 GMT 2022 aarch64 GNU/Linux |
I have the same issue with MACVLAN... Did anyone of you ever fix this? |
Unfortunately no, but I'm switching from npm to traefik now and will block access via CrowdSec for additional security without iptables or nftables. |
I updated alternatives to iptables-legacy to get it working |
Hmm, interesting... |
I don't think @calvinbui is using macvlans, as here the local firewall will not kick in anyway |
I am using macvlan for all my containers, but the fail2ban container is running in host mode. https://github.com/calvinbui/ansible-monorepo/blob/master/fail2ban.yml |
Mh okay. I had fail2ban also in host mode and also tried to switch the alternatives to iptables-legacy, but I am using a Raspberry Pi 4 with a 64-bit Raspberry Pi OS and somehow there is a problem with ip/nftables on that, I have the feeling.. :( |
Hi,
Starting with Debian 10, nftables is the current FW solution. I'm managing my FW rules manually (not Docker integrated) and noticed that your fail2ban container uses iptables rules. Is it possible to enhance nftables support?