
"iptables: No chain/target/match by that name" #36

Closed
psidex opened this issue Feb 8, 2020 · 6 comments

Comments


psidex commented Feb 8, 2020

Behaviour

Fail2ban tries to ban an IP but the ban does not take effect on the host machine, and a "Script error" is seen in the container log: "iptables: No chain/target/match by that name".

Steps to reproduce this issue

I deploy the container using the exact command listed in the readme:

sudo docker run -d --name fail2ban --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v $(pwd)/data:/data \
  -v /var/log:/var/log:ro \
  crazymax/fail2ban:latest

I then set up a jail.local file in data/jail.d/, and restart the fail2ban container.

This is the jail:

[DEFAULT]

ignoreip = 127.0.0.0/8
bantime  = 1d
findtime  = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5

I then attempt to SSH into the host machine and use the wrong password 5+ times, causing fail2ban to ban my address.

If I connect to the container and run the command fail2ban-client status sshd it shows this output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     16
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.0.225

Expected behaviour

When I try to SSH into my host machine with the correct password, I should get immediately rejected.

Actual behaviour

I SSH into the machine as normal and nothing stops my connection.

Configuration

Running on Debian 10

Docker info

Docker version 19.03.5, build 633a0ea838

Logs

2020-02-08 02:58:48,411 fail2ban.actions        [1]: NOTICE  [sshd] Ban 192.168.0.225
2020-02-08 02:58:48,429 fail2ban.utils          [1]: ERROR   7f2f45a329f0 -- exec: iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports ssh -j f2b-sshd
2020-02-08 02:58:48,430 fail2ban.utils          [1]: ERROR   7f2f45a329f0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-02-08 02:58:48,430 fail2ban.utils          [1]: ERROR   7f2f45a329f0 -- returned 1
2020-02-08 02:58:48,430 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '192.168.0.225', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f2f45a19dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f2f45a184c0>})': Error starting action Jail('sshd')/iptables-multiport: 'Script error'

(further down in the log, after the above message)

2020-02-08 02:58:51,574 fail2ban.filter         [1]: INFO    [sshd] Found 192.168.0.225 - 2020-02-08 02:58:51
2020-02-08 02:58:52,230 fail2ban.actions        [1]: NOTICE  [sshd] 192.168.0.225 already banned

Note

I am running the default version of Docker with no edited settings.

Here is my sudo iptables -L output: https://pastebin.com/uw7mVyPr.

@crazy-max (Owner)

@psidex,

Your iptables chain is not the good one for this jail. Please take a look at this example.


psidex commented Feb 11, 2020

@crazy-max

Sorry about that, thanks for the info 👍

@mastan30

@crazy-max can you please help me here?

I am not sure whether this is the right place to post this, but I am trying to resolve the issue of the fail2ban docker container still allowing banned IPs. I tried setting the chain to DOCKER-USER but it's failing with the following error:

2021-10-25 21:52:14,022 fail2ban.utils [1]: ERROR b64f6650 -- exec: iptables -w -N f2b-npm-docker
iptables -w -A f2b-npm-docker -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- stderr: 'iptables: Chain already exists.'
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- stderr: 'iptables: No chain/target/match by that name.'
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- returned 1
2021-10-25 21:52:14,024 fail2ban.actions [1]: ERROR Failed to execute ban jail 'npm-docker' action 'iptables-multiport' info 'ActionInfo({'ip': '77.81.98.70', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0xb64d8cd0>, 'raw-ticket': <function Actions.ActionInfo. at 0xb64d6070>})': Error starting action Jail('npm-docker')/iptables-multiport: 'Script error'
2021-10-25 21:52:14,682 fail2ban.filter [1]: INFO [npm-docker] Found 77.81.98.70 - 2021-10-25 21:52:14

These are my iptables details on the Raspberry Pi (not of the fail2ban docker container):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5019 3594K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
5019 3594K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
767 468K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 416 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
916 952K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
5795 2549K ACCEPT all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
7675 747K ACCEPT all -- br-8f06c3dc391f !br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-8f06c3dc391f br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
43965 23M ACCEPT all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1083 59844 DOCKER all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
22862 17M ACCEPT all -- br-288ddad3c4ae !br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
22 1320 ACCEPT all -- br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
8 416 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8000
11 540 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:443
4 208 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:81
0 0 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
916 952K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
184 17672 DOCKER-ISOLATION-STAGE-2 all -- br-8f06c3dc391f !br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
720 189K DOCKER-ISOLATION-STAGE-2 all -- br-288ddad3c4ae !br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
5019 3594K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
102K 73M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
1820 1159K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Warning: iptables-legacy tables present, use iptables-legacy to see them

I am running fail2ban and nginx proxy manager inside docker.

This is my fail2ban configuration:

version: "3.7"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_docker
    network_mode: "host"
    environment:
      - TZ=US/Eastern
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "Path/to/fail2ban/data:/data"
      - "Path/to/fail2ban/log/:/var/log/"
      - "Path/to/data/logs:/log/npm/:ro"
      - "Path/to/logs:/log/emby/:ro"
    restart: unless-stopped

This is my jail conf:

[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.0.0/24
chain = INPUT
logpath = /log/npm/default-host_*.log
          /log/npm/proxy-host-*.log
maxretry = 3
bantime = 84600
findtime = 60

Can someone please help me with this?


v1-valux commented Nov 1, 2021

I'm having similar issues, is there any update?


mastan30 commented Nov 1, 2021

@valvanet, I am able to resolve this. You need to check the iptables chain in order to set the chain: check if your docker containers are associated with the DOCKER-USER chain, the FORWARD chain or the INPUT chain, and based on that you need to provide the chain.
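A check for the situation described in this thread, added here as an example (it is not from the issue or from the crazymax/fail2ban image): it reads `iptables -S` output and reports whether the chain a jail points at exists and whether fail2ban's per-jail chain is hooked into it. Run it with the container's own iptables, because iptables-legacy and iptables-nft keep separate rule sets and a chain created by one backend is invisible to the other (the "iptables-legacy tables present" warning above is the sign of a mixed setup); the container name `fail2ban` in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not part of this issue or of the crazymax/fail2ban image.
# f2b_chain_state TARGET_CHAIN JAIL_CHAIN < rules
# Reads `iptables -S` text on stdin and prints one of:
#   missing-target  the chain named in the jail's `chain =` does not exist here
#   no-jail-chain   fail2ban never managed to create its per-jail chain
#   unwired         the jail chain exists but nothing jumps to it from the target
#   wired           the target chain jumps into the jail chain
f2b_chain_state() {
  target="$1"   # e.g. INPUT (host sshd) or DOCKER-USER (forwarded container traffic)
  jail="$2"     # e.g. f2b-sshd
  rules=$(cat)
  # builtin chains are listed as "-P NAME POLICY", user chains as "-N NAME"
  if ! printf '%s\n' "$rules" | grep -Eq "^-[NP] $target( |\$)"; then
    echo "missing-target"; return 1
  fi
  if ! printf '%s\n' "$rules" | grep -Eq "^-N $jail\$"; then
    echo "no-jail-chain"; return 2
  fi
  # the iptables-multiport action inserts "-I <chain> -p tcp -m multiport --dports <ports> -j <jail>",
  # which `iptables -S` prints as an "-A <chain> ... -j <jail>" line
  if ! printf '%s\n' "$rules" | grep -Eq "^-A $target .*-j $jail\$"; then
    echo "unwired"; return 3
  fi
  echo "wired"; return 0
}

# Constructed sample: a host like the one in this thread, DOCKER-USER holding
# only RETURN and nothing from fail2ban present yet.
SAMPLE_BEFORE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN'

# Constructed sample: the same host after an sshd jail with `chain = INPUT`
# started successfully and banned one address.
SAMPLE_AFTER="$SAMPLE_BEFORE
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 192.168.0.225/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN"

# Live use against the container's iptables (hypothetical container name `fail2ban`):
#   docker exec fail2ban iptables -S | f2b_chain_state INPUT f2b-sshd
```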


mastan30 commented Nov 1, 2021

I did the following things to finally be able to get fail2ban to work for me: NginxProxyManager/nginx-proxy-manager#39 (comment)
