Fail2ban can use legacy iptables

On some appliance (e.g. QNAP NAS') nftables n docker is not available. Thsi commit adds FAIL2BAN_LEGACY_IPTABLES environment variable to allow configuring fail2ban to use iptables-legacy.
docker-mailserver · Jun 26, 2022 · 25e901e · 25e901e
1 parent 4cf3100
commit 25e901e
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -55,7 +55,7 @@ RUN \
   dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-pop3d \
   dovecot-sieve dovecot-solr dumb-init \
   # E - O
-  ed fetchmail file gamin gnupg gzip iproute2 \
+  ed fetchmail file gamin gnupg gzip iproute2 iptables \
   locales logwatch lhasa libdate-manip-perl libldap-common liblz4-tool \
   libmail-spf-perl libnet-dns-perl libsasl2-modules lrzip lzop \
   netcat-openbsd nftables nomarch opendkim opendkim-tools opendmarc \
@@ -78,6 +78,9 @@ RUN \
     echo "ERROR: Wrong GPG fingerprint!" >&2; exit 1; fi && \
   dpkg -i fail2ban.deb 2>&1 && \
   rm fail2ban.deb fail2ban.deb.asc && \
+  # allow legacy iptables to be configured via FAIL2BAN_LEGACY_IPTABLES
+  update-alternatives --set iptables /usr/sbin/iptables-legacy && \
+  update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy && \
   # cleanup
   apt-get -qq autoremove && \
   apt-get -qq autoclean && \

diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
@@ -112,6 +112,14 @@ Otherwise, `nftables` won't be able to ban IPs.
 - reject => reject packet (send ICMP unreachable)
 FAIL2BAN_BLOCKTYPE=drop
 
+##### FAIL2BAN_LEGACY_IPTABLES
+
+Enable legacy iptables firewall. Useful when docker is running on some type of appliance (e.g. QNAP NAS)
+
+- **0**   => use nftables
+- 1 => use iptables-legacy
+FAIL2BAN_LEGACY_IPTABLES=0
+
 ##### SMTP_ONLY
 
 - **empty** => all daemons start

diff --git a/mailserver.env b/mailserver.env
@@ -126,6 +126,11 @@ ENABLE_FAIL2BAN=0
 # reject => reject packet (send ICMP unreachable)
 FAIL2BAN_BLOCKTYPE=drop
 
+# Fail2Ban use legacy iptables
+# **0**   => use nftables
+# 1 => use iptables-legacy
+FAIL2BAN_LEGACY_IPTABLES=0
+
 # 1 => Enables Managesieve on port 4190
 # empty => disables Managesieve
 ENABLE_MANAGESIEVE=

diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
@@ -1070,6 +1070,11 @@ function _setup_fail2ban
     echo -e '[Init]\nblocktype = drop' >/etc/fail2ban/action.d/nftables-common.local
   fi
 
+  if [[ ${FAIL2BAN_LEGACY_IPTABLES} -eq 1 ]]
+  then
+    sed -i 's/banaction = nftables-allports/banaction = iptables-allports/' /etc/fail2ban/jail.local
+  fi
+
   echo '[Definition]' >/etc/fail2ban/filter.d/custom.conf
 }