Fail2Ban not blocking Ips with chain Input and failing if chain docker user is used

[mastan30]

Hi @crazy-max I am not sure whether this is the right place to post this but I am trying to resolve the issue for fail2ban docker container still allowing banned IP's. I tried setting Chain to DOCKER-USER but it's failing with the following error:

2021-10-25 21:52:14,022 fail2ban.utils          [1]: ERROR   b64f6650 -- exec: iptables -w -N f2b-npm-docker
iptables -w -A f2b-npm-docker -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
2021-10-25 21:52:14,023 fail2ban.utils          [1]: ERROR   b64f6650 -- stderr: 'iptables: Chain already exists.'
2021-10-25 21:52:14,023 fail2ban.utils          [1]: ERROR   b64f6650 -- stderr: 'iptables: No chain/target/match by that name.'
2021-10-25 21:52:14,023 fail2ban.utils          [1]: ERROR   b64f6650 -- returned 1
2021-10-25 21:52:14,024 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'npm-docker' action 'iptables-multiport' info 'ActionInfo({'ip': '77.81.98.70', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0xb64d8cd0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0xb64d6070>})': Error starting action Jail('npm-docker')/iptables-multiport: 'Script error'
2021-10-25 21:52:14,682 fail2ban.filter         [1]: INFO    [npm-docker] Found 77.81.98.70 - 2021-10-25 21:52:14

This is my iptables detials in raspberry pi (not of fail2ban docker):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5019 3594K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5019 3594K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  767  468K ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    8   416 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  916  952K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 5795 2549K ACCEPT     all  --  *      br-8f06c3dc391f  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-8f06c3dc391f  0.0.0.0/0            0.0.0.0/0
 7675  747K ACCEPT     all  --  br-8f06c3dc391f !br-8f06c3dc391f  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-8f06c3dc391f br-8f06c3dc391f  0.0.0.0/0            0.0.0.0/0
43965   23M ACCEPT     all  --  *      br-288ddad3c4ae  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1083 59844 DOCKER     all  --  *      br-288ddad3c4ae  0.0.0.0/0            0.0.0.0/0
22862   17M ACCEPT     all  --  br-288ddad3c4ae !br-288ddad3c4ae  0.0.0.0/0            0.0.0.0/0
   22  1320 ACCEPT     all  --  br-288ddad3c4ae br-288ddad3c4ae  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
    8   416 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8000
   11   540 ACCEPT     tcp  --  !br-288ddad3c4ae br-288ddad3c4ae  0.0.0.0/0            172.18.0.2           tcp dpt:443
    4   208 ACCEPT     tcp  --  !br-288ddad3c4ae br-288ddad3c4ae  0.0.0.0/0            172.18.0.2           tcp dpt:81
    0     0 ACCEPT     tcp  --  !br-288ddad3c4ae br-288ddad3c4ae  0.0.0.0/0            172.18.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  916  952K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  184 17672 DOCKER-ISOLATION-STAGE-2  all  --  br-8f06c3dc391f !br-8f06c3dc391f  0.0.0.0/0            0.0.0.0/0
  720  189K DOCKER-ISOLATION-STAGE-2  all  --  br-288ddad3c4ae !br-288ddad3c4ae  0.0.0.0/0            0.0.0.0/0
 5019 3594K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 102K   73M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-8f06c3dc391f  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-288ddad3c4ae  0.0.0.0/0            0.0.0.0/0
 1820 1159K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them

I am running my fail2ban, nginx proxy manager inside docker.

This is my fail2ban configuration :

version: "3.7"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_docker
    network_mode: "host"
    environment:
      - TZ=US/Eastern
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "Path/to/fail2ban/data:/data"
      - "Path/to/fail2ban/log/:/var/log/"
      - "Path/to/data/logs:/log/npm/:ro"
      - "Path/to/logs:/log/emby/:ro"
    restart: unless-stopped

This is my jail conf:

[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.0.0/24
chain = INPUT
logpath = /log/npm/default-host_*.log
          /log/npm/proxy-host-*.log
maxretry = 3
bantime  = 84600
findtime = 60

Can some please help me with this