Running fail2ban on the host, monitoring docker containers

[flixman]

Hi everybody. I am trying to get fail2ban running on a server, monitoring the logs produced by a number of containers. I am familiar with the configuration to monitor non containerized processes, but docker uses other chains to process the packets. Is there any documentation / suggestion on how to build the action for this case? I am running nft through firewalld.

[sebres]

1. Take a look at https://github.com/crazy-max/docker-fail2ban
2. The chain or hook can be supplied to the action as parameter, e. g. to add jail chain to DOCKER-USER:

banaction = iptables-ipset[type=multiport, chain=DOCKER-USER]
# or
banaction = nftables[type=multiport, chain_hook=DOCKER-USER]

3. everything, inclusive chain (hook), depends also on net-filter config for the host and containers (kind of prerouting/prefiltering, whitelisting, priorities etc).

[flixman]

I am trying it right now: thank you very much!

Update: Something is still off. I am getting the following error:

ERROR 7f42d3e72c10 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook DOCKER-USER priority -1 \; \}
nft add set inet f2b-table addr-set-lists \{ type ipv4_addr\; \}
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'https' | sed s/:/-/g) \} ip saddr @addr-set-lists drop
done
ERROR 7f42d3e72c10 -- stderr: 'Error: unknown chain hook'
ERROR 7f42d3e72c10 -- stderr: 'add chain inet f2b-table f2b-chain { type filter hook DOCKER-USER priority -1 ; }'
ERROR 7f42d3e72c10 -- stderr: '                                                      ^^^^^^^^^^^'
ERROR 7f42d3e72c10 -- stderr: 'Error: Could not process rule: No such file or directory'
ERROR 7f42d3e72c10 -- stderr: 'add rule inet f2b-table f2b-chain tcp dport { https } ip saddr @addr-set-lists drop'
ERROR 7f42d3e72c10 -- stderr: '                        ^^^^^^^^^'
ERROR 7f42d3e72c10 -- returned 1

However, in the table ip filter I do have a DOCKER-USER chain:

table ip filter {
        chain DOCKER-USER {
                meta l4proto tcp ip saddr != 192.168.178.0/24 ct direction original ct original proto-dst 8080 counter packets 5170 bytes 242334 drop
                meta l4proto tcp ip saddr != 192.168.178.0/24 ct direction original ct original proto-dst 5433 counter packets 145 bytes 6504 drop
                counter packets 29611884 bytes 4828987103 return
        }

Do you have any idea on what might be wrong?