Is fail2ban working without firewalld?

Do I need firewalld for fail2ban to work?

Can fail2ban block IPs with iptables only?

I've installed iptables-services on a CentOS 8 VPS. I use nftables v0.9.3 (Topsy) to restrict/grant access. Firewalld is stopped and not running, but I guess fail2ban needs firewalld to block IPs?

Thanks for any hint or idea about this question.


Solution 1:

You can configure your fail2ban instance to specify which banning action it should use; native netfilter actions are recommended (so firewalld is not advisable).
Which actions are available depends on your fail2ban version, e.g. the latest 0.10/0.11 versions have, besides several iptables actions, also an nftables action.
If you use nftables, it is also better to ban using the nftables action (mostly iptables will just emulate nftables).

Also, if your version is older (and still does not have it), you can copy the latest version of the action to /etc/fail2ban/action.d and try it.

To overwrite your defaults, simply set both banaction options in the DEFAULT section of your jail.local:

[DEFAULT]
# default type of nftables is multiport: banaction = nftables[type=multiport]
banaction = nftables
banaction_allports = nftables[type=allports]
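An added check, not part of the answer above, that resolves which ban action each enabled jail will actually use from a jail.local (so a leftover firewalld-based override is caught) and looks for fail2ban's table in `nft list ruleset` output. It assumes jail.local follows fail2ban's INI conventions with [DEFAULT] inheritance and that the nftables action uses table `inet f2b-table` with sets named `addr-set-<jail>`; both inputs below are constructed samples.

```python
"""Resolve each enabled fail2ban jail's ban action and check the nftables
ruleset for fail2ban's table. Added example, not from the original answer.
Assumes: INI-style jail.local with [DEFAULT] inheritance; fail2ban's nftables
action uses table 'inet f2b-table' and sets 'addr-set-<jail>'; inputs constructed."""
import configparser
import re
# Constructed jail.local: DEFAULT selects nftables, sshd inherits it,
# nginx-http-auth still overrides with a firewalld-based action.
JAIL_LOCAL = """
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]

[sshd]
enabled = true

[nginx-http-auth]
enabled = true
banaction = firewallcmd-ipset
"""
# Constructed 'nft list ruleset' excerpt after fail2ban banned one address.
NFT_RULESET = """
table inet f2b-table {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport { 22 } ip saddr @addr-set-sshd reject
    }
}
"""

def effective_banactions(jail_text):
    """{jail: banaction} for enabled jails; a jail's own value overrides DEFAULT."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    return {j: cfg.get(j, "banaction", fallback="<unset>")
            for j in cfg.sections() if cfg.getboolean(j, "enabled", fallback=False)}

def jails_needing_firewalld(jail_text):
    """Jails whose ban action shells out to firewall-cmd, so firewalld must run."""
    return sorted(j for j, a in effective_banactions(jail_text).items()
                  if a.startswith("firewallcmd"))

def f2b_sets_in_ruleset(nft_text, table="f2b-table"):
    """Fail2ban address sets present under the f2b table in 'nft list ruleset'."""
    m = re.search(rf"table inet {re.escape(table)} \{{(.*?)\n\}}", nft_text, re.S)
    return re.findall(r"set (addr-set-\S+) \{", m.group(1)) if m else []
```

On a live host, feed the real files instead: `effective_banactions(open("/etc/fail2ban/jail.local").read())` and `f2b_sets_in_ruleset(subprocess.check_output(["nft", "list", "ruleset"], text=True))`.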