Use the same filter_chain (action?) for two different chains (different ports)

[jobst]

I have two chains - need this to (dis)allow different ip addresses/IP blocks/countries

# chain for smtp
$IPTABLESBIN $DEBUG -N chain_smtp
# chain for sasl
$IPTABLESBIN $DEBUG -N chain_sasl

I want to be able have fail2ban use the same chain to reject incoming connections.
In jail.local I have

[sendmail-auth]
enabled  = true
chain    = chain_sasl
action = iptables-multiport[actname=sendmail-auth-sasl, name=sendmail-auth, port="465", protocol=tcp, chain=chain_sasl]
         iptables-multiport[actname=sendmail-auth-smtp, name=sendmail-auth, port="25",  protocol=tcp, chain=chain_smtp]

While this works perfectly (f2b-sendmail-auth inserted as first item in both chains) I end up with two ip addresses added to the "f2b-sendmail-auth" chain everytime a new ip address is blocked.

How can I prevent this?

thanks

[sebres]

I have two chains - need this to (dis)allow different ip addresses/IP blocks/countries

OK. But why you need 2 chains in fail2ban, if you add every IP to both?..

two ip addresses added to the "f2b-sendmail-auth" chain everytime a new ip address is blocked.
How can I prevent this?

Two actions (also if the chain is the same) would cause that actionban will be executed 2 times.

1. Either you would need to write your own clone of iptables-multiport action (which adds the chain f2b-sendmail-auth to multiple target chains in cycle) so you would use single action with something like this:

[sendmail-auth]
chain    = chain_sasl,chain_smtp
banaction = my-iptables-multiport

and the action would contain something like that:

actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              for chain in $(echo '<chain>' | sed 's/,/ /g'); do
                <iptables> -I "$chain" -p <protocol> -m multiport --dports <port> -j f2b-<name>
              done

(and same for actionstop).

2. Or create the chain f2b-sendmail-auth by yourself, add it to chain_sasl and chain_smtp and suppress the create in action:

[sendmail-auth]
banaction = iptables-multiport[actionstart=""]

3. Or try to do some nesting in your iptables, so everything added in chain_smtp is included in chain_sasl or vice versa (and use this chain as target chain for single fail2ban action).