Hello, I'm running Fail2ban on Unraid inside a Docker container (with --network host). There are various other containers (e.g. nginx proxy manager, running in custom network br0 or jellyfin running in custom network dnet). Fail2ban successfully adds rules to the host's iptables-legacy, but access to my Jellyfin container is still possible from banned IPs. The external IPs are redirected from npm and can be seen in the access logs of jellyfin.
Host: Unraid (iptables-legacy)
Setup: Docker with several containers, Jellyfin exposed with Fail2ban
Fail2ban: running as a Docker container with --cap-add=NET_ADMIN --cap-add=NET_RAW, network mode host
Action: iptables-allports[name=jellyfin, chain=INPUT, iptables=iptables-legacy]

Rules are definitely inserted, but I think my iptables is messed up. I already tried chain=DOCKER-USER or chain=FORWARD etc.

Attached the table after a ban (iptables -L):

Chain INPUT (policy ACCEPT)
target                    prot opt source                                   destination
f2b-jellyfin              tcp  --  anywhere                                 anywhere

Chain FORWARD (policy ACCEPT)
target                    prot opt source                                   destination
f2b-jellyfin              all  --  anywhere                                 anywhere
DOCKER-USER               all  --  anywhere                                 anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere             ctstate RELATED,ESTABLISHED
DOCKER                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere
ACCEPT                    all  --  anywhere                                 anywhere
WIREGUARD                 all  --  anywhere                                 anywhere

Chain OUTPUT (policy ACCEPT)
target                    prot opt source                                   destination

Chain DOCKER (3 references)
target                    prot opt source                                   destination
ACCEPT                    tcp  --  anywhere                                 172.20.0.2           tcp dpt:8000
ACCEPT                    tcp  --  anywhere                                 172.20.0.3           tcp dpt:5055
ACCEPT                    tcp  --  anywhere                                 172.20.0.2           tcp dpt:8080
ACCEPT                    tcp  --  anywhere                                 172.20.0.2           tcp dpt:8888
ACCEPT                    tcp  --  anywhere                                 172.20.0.5           tcp dpt:7878
ACCEPT                    tcp  --  anywhere                                 172.20.0.6           tcp dpt:8989
ACCEPT                    tcp  --  anywhere                                 172.20.0.7           tcp dpt:5005
ACCEPT                    tcp  --  anywhere                                 172.20.0.7           tcp dpt:5006
ACCEPT                    tcp  --  anywhere                                 172.20.0.32          tcp dpt:3000
ACCEPT                    tcp  --  anywhere                                 172.20.0.32          tcp dpt:8080
ACCEPT                    tcp  --  anywhere                                 172.20.0.31          tcp dpt:commplex-main
ACCEPT                    udp  --  anywhere                                 172.20.0.4           udp dpt:1900
ACCEPT                    udp  --  anywhere                                 172.20.0.4           udp dpt:7359
ACCEPT                    tcp  --  anywhere                                 172.20.0.4           tcp dpt:8096
ACCEPT                    tcp  --  anywhere                                 172.20.0.4           tcp dpt:8920

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target                    prot opt source                                   destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere                                 anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere                                 anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere                                 anywhere
RETURN                    all  --  anywhere                                 anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target                    prot opt source                                   destination
DROP                      all  --  anywhere                                 anywhere
DROP                      all  --  anywhere                                 anywhere
DROP                      all  --  anywhere                                 anywhere
RETURN                    all  --  anywhere                                 anywhere

Chain DOCKER-USER (1 references)
target                    prot opt source                                   destination
RETURN                    all  --  anywhere                                 anywhere

Chain WIREGUARD (1 references)
target                    prot opt source                                   destination

Chain f2b-jellyfin (2 references)
target                    prot opt source                                   destination
REJECT                    all  --  tmo-125-252.customers.d1-online.com      anywhere             reject-with icmp-port-unreachable
RETURN                    all  --  anywhere                                 anywhere

Thanks, Hans
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
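An added example, not part of the post above and not fail2ban or Docker code: a small simulator that walks a packet through the filter table of an `iptables -S` dump and reports which rule decides its fate. It lets you answer "would this ruleset reject a connection from the banned address on the path the traffic actually takes?" offline, before touching a live host. The embedded ruleset is a condensed, constructed version of the table in the post (only the Jellyfin 8096 publish rule and one Docker bridge are kept); the interface names `eth0`, `br0` and `br-dnet`, the banned address 203.0.113.45 and the proxy address 10.0.0.20 are placeholders, not values from the post. Three things it shows: a connection from the banned address that is forwarded to the container is rejected by the `f2b-jellyfin` hook in FORWARD; the same connection relayed by a reverse proxy arrives with the proxy's source address, so no source-based ban can match it even though the client's address appears in Jellyfin's access log; and if the ban chain is hooked only into INPUT, forwarded traffic never sees it and Docker's own ACCEPT wins.

```python
"""Walk a packet through the filter table of an `iptables -S` dump.

Added example, not code from the mailing-list post, fail2ban or Docker.
Model: filter table only; -s/-d/-p/--dport/-i/-o/--ctstate are evaluated,
every other match module is treated as a wildcard. All addresses and
interface names below are constructed placeholders.
"""
import ipaddress
import shlex
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Condensed, constructed ruleset modelled on the post's table; `br-dnet`
# stands in for the Docker bridge of the network Jellyfin lives in.
RULES = """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-jellyfin
-A INPUT -p tcp -j f2b-jellyfin
-A FORWARD -j f2b-jellyfin
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-dnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-dnet -j DOCKER
-A FORWARD -i br-dnet ! -o br-dnet -j ACCEPT
-A FORWARD -i br-dnet -o br-dnet -j ACCEPT
-A DOCKER -d 172.20.0.4/32 ! -i br-dnet -o br-dnet -p tcp -m tcp --dport 8096 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-dnet ! -o br-dnet -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-dnet -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-jellyfin -s 203.0.113.45/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-jellyfin -j RETURN
"""
# Same ruleset with the ban chain hooked into INPUT only (chain=INPUT in the action).
RULES_INPUT_ONLY = RULES.replace("-A FORWARD -j f2b-jellyfin\n", "")


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    dport: int = 0
    new: bool = True  # a fresh connection, i.e. conntrack state NEW


def parse_rules(text):
    """Split an `iptables -S` dump into {chain: policy} and {chain: [rule tokens]}."""
    policies, chains = {}, {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            chains.setdefault(toks[1], [])
        elif toks[0] == "-N":
            chains.setdefault(toks[1], [])
        elif toks[0] == "-A":
            chains.setdefault(toks[1], []).append(toks[2:])
    return policies, chains


def rule_matches(toks, pkt):
    """Return (matches, jump target) for one rule; '!' negates the option that follows it."""
    target, neg, i = None, False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            neg, i = True, i + 1
            continue
        if t == "-j":
            target, i = toks[i + 1], i + 2
            continue
        hit = None  # None = option not modelled, treated as a wildcard
        if t in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt.src if t == "-s" else pkt.dst)
            hit = addr in ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-i":
            hit = toks[i + 1] == pkt.in_if
        elif t == "-o":
            hit = toks[i + 1] == pkt.out_if
        elif t == "-p":
            hit = toks[i + 1] == pkt.proto
        elif t == "--dport":
            hit = int(toks[i + 1]) == pkt.dport
        elif t == "--ctstate":
            states = toks[i + 1].split(",")
            hit = ("NEW" in states) if pkt.new else ("ESTABLISHED" in states)
        if hit is not None and hit == neg:  # plain match failed, or negated match succeeded
            return False, None
        i += 2 if t.startswith("-") else 1  # every option in this model takes one argument
        neg = False
    return True, target


def verdict(policies, chains, chain, pkt, depth=0):
    """Walk `chain`; return (verdict, 'chain#rule'), or None when a user chain RETURNs."""
    if depth > 16:
        raise RecursionError("chain jump loop")
    for n, toks in enumerate(chains.get(chain, []), start=1):
        ok, target = rule_matches(toks, pkt)
        if not ok or target is None:
            continue
        if target in TERMINAL:
            return target, f"{chain}#{n}"
        if target == "RETURN":
            break
        if target in chains:  # jump into a user-defined chain
            v = verdict(policies, chains, target, pkt, depth + 1)
            if v is not None:
                return v
    if chain in policies:  # built-in chain: fall through to its policy
        return policies[chain], f"{chain} policy"
    return None


def ban_verdict(rules_text, pkt, chain="FORWARD"):
    policies, chains = parse_rules(rules_text)
    return verdict(policies, chains, chain, pkt)


if __name__ == "__main__":
    banned = Packet("203.0.113.45", "172.20.0.4", "eth0", "br-dnet", dport=8096)
    relayed = Packet("10.0.0.20", "172.20.0.4", "br0", "br-dnet", dport=8096)
    print("banned client, forwarded to the container:", ban_verdict(RULES, banned))
    print("same request relayed by the proxy:         ", ban_verdict(RULES, relayed))
    print("ban chain hooked into INPUT only:          ", ban_verdict(RULES_INPUT_ONLY, banned))
```

Two caveats when reading the result on a real host. First, the model assumes the packet traverses the host's filter table at all: a container attached straight to a physical interface through a macvlan or ipvlan network is not forwarded by the host kernel, so nothing in FORWARD or DOCKER-USER can affect it. Second, the walk is per source address the kernel sees; an address that only appears in an `X-Forwarded-For` header or a proxy's access log is invisible to netfilter, which is why a ban derived from the backend's log has to be applied where the client connection actually terminates, or the jail has to ban based on the proxy's own log.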
