
Chains INPUT vs DOCKER-USER - a way to cohabit #46

Closed
gauth-fr opened this issue Jun 12, 2020 · 5 comments

Comments

@gauth-fr

Behaviour

This is more feedback than a bug report, but, if I'm right, maybe the doc should be updated (if I'm right only :) )

In the doc, you explain that the chains INPUT & DOCKER-USER cannot cohabit together in the same instance, and that we should use 2 different instances.

In my case, since it was breaking my b*** to have 2 instances, I dug a bit and did the following.

  • Deploy the container using the default INPUT chain
  • For each jail dealing with containers (in my case they are Traefik jails), I set it like the following:

```ini
[traefik-auth]
enabled = true
logpath = %(traefik_access_log)s
port = http,https
action = %(action_)s[chain="DOCKER-USER"]
findtime = 600
maxretry = 3
bantime = 1w

[traefik-botsearch]
enabled = true
logpath = %(traefik_access_log)s
maxretry = 1
bantime = 4w
port = http,https
action = %(action_)s[chain="DOCKER-USER"]
...
```

So basically, I'm using the default action (in this case iptables-multiport) but asking it to use the chain DOCKER-USER for those jails.
You could of course swap the 2 chains, setting DOCKER-USER as default and using INPUT when needed (which would actually make more sense in my case as I have more Docker jails than INPUT jails... but well, it's working).

So far, it's working ok.

Again, thank you for your great images!

@alexschomb

Thanks for sharing. Just an untested idea: Wouldn't this work as well?

```ini
# jail.d/traefik.conf
[traefik-auth]
enabled = true
logpath = %(traefik_access_log)s
port = http,https
chain = DOCKER-USER
findtime = 600
maxretry = 3
bantime = 1w

[traefik-botsearch]
enabled = true
logpath = %(traefik_access_log)s
maxretry = 1
bantime = 4w
port = http,https
chain = DOCKER-USER
```

Actually, `chain = DOCKER-USER` is the default in my action.d/iptables-common.conf already. That would mean that you'd only need to set `chain = INPUT` for host services like sshd. But how about the networking then? I suppose `network_mode: host` still applies?
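
One way to audit the two variants discussed above (a `chain="..."` parameter on the jail's `action` vs. a jail-level `chain` key) before relying on them, as an added example that is not from this issue or the crazymax/fail2ban project. It assumes fail2ban's stock `%(action_)s` definition, which passes `chain="%(chain)s"` to the ban action; the sample jail file and jail names are constructed.

```python
"""Resolve which iptables chain each fail2ban jail bans into (added example).
Assumes the stock %(action_)s definition, which passes chain="%(chain)s" to
the ban action; the fallback chain comes from iptables-common.conf (INPUT in
stock fail2ban), so pass action_default to match your own copy of that file."""
import configparser
import re

# chain="DOCKER-USER" or chain=DOCKER-USER inside an action's [...] parameters
_ACTION_CHAIN = re.compile(r'chain\s*=\s*"?([A-Za-z0-9_-]+)"?')


def effective_chains(jail_conf: str, action_default: str = "INPUT") -> dict:
    """Return {jail: chain} for every enabled jail in a jail.d file's text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_conf)
    chains = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        m = _ACTION_CHAIN.search(cp.get(jail, "action", fallback=""))
        if m:   # action = %(action_)s[chain="..."] wins over everything else
            chains[jail] = m.group(1)
        else:   # jail key, then [DEFAULT], then the action's built-in default
            chains[jail] = cp.get(jail, "chain", fallback=action_default)
    return chains


def bans_miss_containers(chains: dict, container_jails: set) -> list:
    """Jails guarding Docker-published ports whose bans would land in INPUT.
    Docker DNATs published ports in PREROUTING and passes them through FORWARD
    (where DOCKER-USER is consulted), so an INPUT rule never sees them."""
    return sorted(j for j in container_jails if chains.get(j) == "INPUT")


# Constructed sample mirroring both variants discussed in the issue.
SAMPLE = """
[DEFAULT]
chain = INPUT
[sshd]
enabled = true
[traefik-auth]
enabled = true
action = %(action_)s[chain="DOCKER-USER"]
[traefik-botsearch]
enabled = true
chain = DOCKER-USER
[traefik-ratelimit]
enabled = true
"""
TRAEFIK_JAILS = {"traefik-auth", "traefik-botsearch", "traefik-ratelimit"}

if __name__ == "__main__":
    print(bans_miss_containers(effective_chains(SAMPLE), TRAEFIK_JAILS))
```

Run it against your real jail.d contents with the `action_default` taken from your own iptables-common.conf; any container jail it reports would ban into a chain the published-port traffic never traverses.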

@gauth-fr
Author

Well, I've just tried with `chain = DOCKER-USER` and it worked, so it's even simpler, thanks!

Regarding the network mode, it doesn't change whatever the default chain is.

If it helps, here is my docker-compose, which works with INPUT and DOCKER-USER, and is just using what's in the example folder:


services:
  fail2ban-input:
    image: crazymax/fail2ban:latest
    container_name: fail2ban-input
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "...config/fail2ban:/data"
      - "/var/log:/var/log:ro"
    environment:
      - "F2B_IPTABLES_CHAIN=INPUT"      
      - "TZ=Europe/Paris"
      - "F2B_LOG_TARGET=/data/fail2ban.log"
      - "F2B_LOG_LEVEL=INFO"
      - "F2B_DB_PURGE_AGE=10w"
    restart: always```

@alexschomb

Great! Thanks for your feedback 👍

@crazy-max
Owner

crazy-max commented Jun 17, 2020

Hi guys, I will reconsider the implementation and probably remove the F2B_IPTABLES_CHAIN var. Will also fix #17.

@crazy-max
Owner

@alexschomb @gauth-fr The F2B_IPTABLES_CHAIN env var has been removed and the README updated to use the `chain = <name>` def.
