Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iptables: Chain already exists + No chain/target/match by that name #76

Closed
schklom opened this issue Oct 22, 2020 · 1 comment
Closed

iptables: Chain already exists + No chain/target/match by that name #76

schklom opened this issue Oct 22, 2020 · 1 comment

Comments

@schklom
Copy link

schklom commented Oct 22, 2020
edited

Behaviour

Fail2Ban container running on a Raspberry Pi 4, failing to properly ban ips.

Steps to reproduce this issue

  1. Implement Basic Auth with Traefik
  2. Set up the logs properly
  3. Turn on [traefik-auth] jail

Expected behaviour

The ban phase works and the iptable action works.

Actual behaviour

The ban phase works, but the action fails for some reason.
It's the same issue as #55, but it was never resolved.

Configuration

  • Docker version (type docker --version) : Docker version 19.03.13, build 4484c46
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.27.3, build unknown
  • Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Pi OS (previously called Raspbian), Raspbian GNU/Linux 10 (buster), I think based on Debian 10
  • System info (type uname -a) : Linux raspberrypi 5.4.51-v7l+ #1333 SMP Mon Aug 10 16:51:40 BST 2020 armv7l GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...
docker-compose.yml 
fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    security_opt:
      - no-new-privileges:true
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ./fail2ban:/data
      - /var/log:/var/log:ro
      - ./traefik/traefik.log:/logextra/traefik.log:ro
    environment:
      - TZ=${TZ}
      - F2B_LOG_TARGET=${FAIL2BAN_F2B_LOG_TARGET}
      - F2B_LOG_LEVEL=${FAIL2BAN_F2B_LOG_LEVEL}
      - F2B_DB_PURGE_AGE=${FAIL2BAN_F2B_DB_PURGE_AGE}
      - SSMTP_HOST=${FAIL2BAN_SSMTP_HOST}
      - SSMTP_PORT=${FAIL2BAN_SSMTP_PORT}
      - SSMTP_HOSTNAME=${FAIL2BAN_SSMTP_HOSTNAME}
      - SSMTP_USER=${FAIL2BAN_SSMTP_USER}
      - SSMTP_PASSWORD=${FAIL2BAN_SSMTP_PASSWORD}
      - SSMTP_TLS=${FAIL2BAN_SSMTP_TLS}
    restart: unless-stopped
.env (relevant info only ^^) 
FAIL2BAN_F2B_LOG_TARGET=STDOUT
FAIL2BAN_F2B_LOG_LEVEL=INFO
FAIL2BAN_F2B_DB_PURGE_AGE=1d
jail.local 
[DEFAULT]
bantime = 1h
maxretry = 3
findtime = 1h
ignoreip = 127.0.0.1/8 ::1
enabled = false
mode = normal
destemail = root@localhost
sender = root@$(hostname -f)
action = %(action_mwl)s
port = 0:65535
banaction = iptables-multiport
jail.d/traefik.local 
[traefik-auth]
enabled  = true
chain    = DOCKER-USER
port     = http,https
filter   = traefik-auth
logpath  = /logextra/traefik.log
### Docker info
Output of command `docker info` 
> Output of command `docker info`
Client:
 Debug Mode: false

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 10
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.4.51-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 7.691GiB
 Name: raspberrypi
 ID: HNQJ:2QLW:NIJP:OCJQ:6RLW:B7TX:EGNG:VBNS:MLKF:76S3:DMWF:CWNU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
### Logs
Container logs (set LOG_LEVEL to debug if applicable) 
2020-10-22 02:32:30,216 fail2ban.server         [1]: INFO    Starting Fail2ban v0.11.1
2020-10-22 02:32:30,220 fail2ban.observer       [1]: INFO    Observer start...
2020-10-22 02:32:30,225 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2020-10-22 02:32:30,228 fail2ban.jail           [1]: INFO    Creating new jail 'traefik-auth'
2020-10-22 02:32:30,251 fail2ban.jail           [1]: INFO    Jail 'traefik-auth' uses pyinotify {}
2020-10-22 02:32:30,253 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2020-10-22 02:32:30,259 fail2ban.filter         [1]: INFO      maxRetry: 5
2020-10-22 02:32:30,260 fail2ban.filter         [1]: INFO      findtime: 600
2020-10-22 02:32:30,260 fail2ban.actions        [1]: INFO      banTime: 600
2020-10-22 02:32:30,261 fail2ban.filter         [1]: INFO      encoding: UTF-8
2020-10-22 02:32:30,262 fail2ban.filter         [1]: INFO    Added logfile: '/logextra/traefik.log' (pos = 0, hash = 550e4202c7074eb9b0faf38a81af86cde593562a)
2020-10-22 02:32:30,732 fail2ban.jail           [1]: INFO    Jail 'traefik-auth' started
Server ready
2020-10-22 05:01:04,088 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:03
2020-10-22 05:01:05,832 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:05
2020-10-22 05:01:07,787 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:07
2020-10-22 05:01:09,397 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:09
2020-10-22 05:01:16,077 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:16
2020-10-22 05:01:16,161 fail2ban.actions        [1]: NOTICE  [traefik-auth] Ban 10.2.0.5
2020-10-22 05:01:16,197 fail2ban.utils          [1]: ERROR   b63d76e0 -- exec: iptables -w -N f2b-traefik-auth
iptables -w -A f2b-traefik-auth -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-traefik-auth
2020-10-22 05:01:16,198 fail2ban.utils          [1]: ERROR   b63d76e0 -- stderr: 'iptables: Chain already exists.'
2020-10-22 05:01:16,199 fail2ban.utils          [1]: ERROR   b63d76e0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-10-22 05:01:16,200 fail2ban.utils          [1]: ERROR   b63d76e0 -- returned 1
2020-10-22 05:01:16,201 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'traefik-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '10.2.0.5', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0xb65ef658>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0xb65ef9b8>})': Error starting action Jail('traefik-auth')/iptables-multiport: 'Script error'
@schklom
Copy link
Author

schklom commented Oct 23, 2020

It turns out I needed to do this https://github.com/crazy-max/docker-fail2ban#use-iptables-tooling-without-nftables-backend

@schklom schklom closed this as completed Oct 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@schklom