Fail2ban on CentOS 7 with Docker-powered Traefik ban OK without iptables rule addition

configuration fail2ban centos docker-swarm

So why my banned IP can still reach the target website?

There may be 3 reasons for that:

  1. your firewalld backend (iptables?) is unsuitable to handle this, see https://github.com/fail2ban/fail2ban/issues/1609#issuecomment-303085942 (or https://github.com/firewalld/firewalld/issues/44#issuecomment-408211978) for details. Shortly, new nftables backend of firewalld can handle this properly, so you may need to switch to this, or ...
    This may also lead us to next two reasons (former is more related than the later):

  2. if your network sub-system has some white-listing rules (and I guess so), for instance conntrack rules bypassing already established connections before the chains of fail2ban, then adding the rules to fail2ban tables, rejecting the IP, would not affect this established connections (e. g. in case of keep-alive), only new connections will be rejected then... in this case either ensure to reject connection in web-server after auth-failures, or reorder the chains (chains of fail2ban before the white-listing rules), or kill the connection with extra command in actionban, e.g. ss -K dst "[<ip>]" or conntrack -D -s <ip>, etc. See https://github.com/fail2ban/fail2ban/pull/3018/commits/8f6a8df3a45395620e434fd15b4ede694a1d00aa (or https://github.com/fail2ban/fail2ban/commit/bbfff1828061514e48395a5dbc5c1f9f81625e82) for similar issue with ufw;

  3. because it is dockerized, you have probably to define chain = DOCKER-USER or similar, just action firewallcmd-rich-rules is not suitable for that (don't have parameter chain at all)... Use another banning action (e.g. native net-filters like iptables/ipset or nftables) supporting that.

Anyway you have to check how the incoming traffic (inclusive established) reaches the resulting chains/tables fail2ban creates for the banning of IP, considering all pre-defined chains/tables of docker and firewalld.
Alternatively simply use banning actions for native net-filter sub-systems like iptables+ipset or nftables (e. g. with proper target table for the fail2ban chains, for instance DOCKER-USER instead of INPUT).

Related

GPO StartLayout Never Applies
IOS Enterprise Distribution Through OTA
What are declarations and declarators and how are their types interpreted by the standard?
Detecting a "unique" anonymous user
How to make apk Secure. Protecting from Decompile
How to create a centered UICollectionView like in Spotify's Player
CSS3 property webkit-overflow-scrolling:touch ERROR
How to use Push Notifications in Xamarin Forms
What is the difference between a Linux platform driver and normal device driver?
What is the difference between system apps and privileged apps on Android?
Why is $y=1/x$ a continuous function but not $y=(1/x)^2$?
Coordinates of the real derivative for $f:\mathbb{R}^2\to\mathbb{R}^2$