iptables not blocking only IPv6 IPs on Ubuntu 20.04 with iptables-persistent, IPv4 OK
I have an Ubuntu 20.04 VPS (LEMP) and installed iptables-persistent. On this server, I have installed fail2ban and configured it with CloudFlare to ban the IPs that fail2ban bans. Also, I use CSF. I use a custom SSH port and I configure it via CSF too. In the Fail2ban jail.local action, I use "iptables-allports".
The problem is that when Fail2ban triggers the IPv6 ban action, iptables-persistent does not block those IPv6 IPs. For instance, if Fail2ban banned my IPv6 address, I can still connect to my VPS over SSH or SFTP. But Cloudflare successfully blocked the HTTPS access (port 443 and port 80).
If Fail2ban bans an IPv4 address, that IP is successfully blocked by iptables-persistent (including the custom SSH port).
Any way to correct this IPv6 issue?
Solution 1:
The problem is that when Fail2ban triggers the IPv6 ban action, iptables-persistent does not block those IPv6 IPs.
It does not work like that; besides, iptables-persistent exists for totally different reasons, and fail2ban does not need it at all. And if you use the iptables-allports banaction, fail2ban bans IPv4 addresses using iptables and IPv6 addresses using ip6tables.
Cloudflare is another thing completely (don't try to mix bananas and cucumbers in a single issue).
Any way to correct this IPv6 issue?
- Note that IPv6 support was first provided in fail2ban >= 0.10 (0.9 does not support it at all).
- Do you see "[jail] Ban <some-ip-v6>" in fail2ban.log? If you don't, your filter/failregex is not IPv6 capable and does not match the lines. You should find the difference and fix it in the failregex. Provide the log excerpt with IPv6 failures and the failregex you set in fail2ban for that.
- Do you see any errors in fail2ban.log when an IPv6 address gets banned?
- Do you see the jails and banned IPv6 entries in the output of "ip6tables -nL"?
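As an added example (not from the question, the answer, or fail2ban itself), a small shell helper that runs the three checks listed above against a fail2ban.log and an ip6tables -nL dump and reports one verdict per address. It assumes the jail is named sshd, that the iptables-allports action creates a chain named f2b-<jail>, and that the log format is fail2ban's default; both samples inside the script are constructed, not captured from the asker's VPS.

```shell
#!/usr/bin/env bash
# Triage helper for an IPv6 fail2ban ban (added example; not from the page or from fail2ban).
# Assumptions: default log line "[<jail>] Ban <ip>", f2b-<jail> chains from iptables-allports,
# and IPv6 rules read from ip6tables (IPv4 would be checked against iptables -nL instead).
# SAMPLE_LOG and SAMPLE_IP6T are constructed for this demo.
SAMPLE_LOG=$(cat <<'EOF'
2023-05-01 10:00:05,456 fail2ban.actions        [812]: NOTICE  [sshd] Ban 2001:db8::1
2023-05-01 10:00:05,789 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2023-05-01 10:01:00,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 2001:db8::3
2023-05-01 10:01:00,200 fail2ban.actions        [812]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-allports' for 2001:db8::3
EOF
)
SAMPLE_IP6T=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   all      ::/0                 ::/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all      2001:db8::1          ::/0                 reject-with icmp6-port-unreachable
RETURN     all      ::/0                 ::/0
EOF
)

# ban_logged LOG JAIL IP: did fail2ban decide to ban IP in JAIL at all? If not, the failregex
# never matched the IPv6 failure lines, and the firewall is the wrong place to look.
ban_logged() { printf '%s\n' "$1" | grep -qE "\[$2\] Ban $3( |\$)"; }

# ban_errors LOG JAIL: ERROR lines the ban action left behind for JAIL (empty if none).
ban_errors() { printf '%s\n' "$1" | grep -E "ERROR.*'$2'" || true; }

# rule_present IP6TABLES_OUTPUT JAIL IP: is there a REJECT/DROP for exactly IP in chain f2b-JAIL?
rule_present() {
  printf '%s\n' "$1" | awk -v chain="f2b-$2" -v ip="$3" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && index(" " $0 " ", " " ip " ") && ($1 == "REJECT" || $1 == "DROP") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# triage LOG IP6TABLES_OUTPUT JAIL IP: one verdict, in the order the checklist above applies.
triage() {
  if ! ban_logged "$1" "$3" "$4"; then echo not-logged            # fix the failregex for IPv6
  elif ! rule_present "$2" "$3" "$4"; then echo logged-no-rule    # action failed: read ban_errors
  else echo banned; fi                                            # fail2ban and ip6tables agree
}

# On a real host: triage "$(cat /var/log/fail2ban.log)" "$(ip6tables -nL)" sshd <ipv6>
triage "$SAMPLE_LOG" "$SAMPLE_IP6T" sshd 2001:db8::1   # banned
```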