Fail2ban on CentOS 7 with Docker-powered Traefik ban OK without iptables rule addition
So why my banned IP can still reach the target website?
There may be 3 reasons for that:

- your firewalld backend (iptables?) is unsuitable to handle this, see https://github.com/fail2ban/fail2ban/issues/1609#issuecomment-303085942 (or https://github.com/firewalld/firewalld/issues/44#issuecomment-408211978) for details. In short, the new nftables backend of firewalld can handle this properly, so you may need to switch to it, or ...

This may also lead us to the next two reasons (the former is more related than the latter):

- if your network sub-system has some white-listing rules (and I guess so), for instance conntrack rules bypassing already established connections before the chains of fail2ban, then adding the rules to fail2ban tables, rejecting the IP, would not affect these established connections (e.g. in case of keep-alive); only new connections will be rejected then... In this case either ensure the web-server rejects the connection after auth-failures, or reorder the chains (chains of fail2ban before the white-listing rules), or kill the connection with an extra command in `actionban`, e.g. `ss -K dst "[<ip>]"` or `conntrack -D -s <ip>`, etc. See https://github.com/fail2ban/fail2ban/pull/3018/commits/8f6a8df3a45395620e434fd15b4ede694a1d00aa (or https://github.com/fail2ban/fail2ban/commit/bbfff1828061514e48395a5dbc5c1f9f81625e82) for a similar issue with ufw;
- because it is dockerized, you probably have to define `chain = DOCKER-USER` or similar; just the action `firewallcmd-rich-rules` is not suitable for that (it doesn't have a `chain` parameter at all)... Use another banning action (e.g. native net-filters like iptables/ipset or nftables) supporting that.

Anyway you have to check how the incoming traffic (including established) reaches the resulting chains/tables fail2ban creates for the banning of IPs, considering all pre-defined chains/tables of docker and firewalld.

Alternatively simply use banning actions for native net-filter sub-systems like iptables+ipset or nftables (e.g. with the proper target table for the fail2ban chains, for instance `DOCKER-USER` instead of `INPUT`).
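An added check for the "established connections bypass the fail2ban chain" point above (example script, not part of the original answer): it reads `iptables -S <chain>` output and reports whether the jump into the fail2ban chain comes before any rule that accepts established connections. The jail name `traefik-auth`, the function name and the sample listings are assumptions.

```shell
#!/bin/sh
# check_f2b_chain_order <chain> <jail>  (reads `iptables -S <chain>` on stdin)
# Exit codes: 0 = fail2ban jump is ahead of any established-connection rule,
#             1 = an ESTABLISHED accept/return precedes the jump (keep-alive
#                 connections from a banned IP keep working),
#             2 = no jump to f2b-<jail> in <chain> at all.
check_f2b_chain_order() {
  chain="$1"
  jail="$2"
  awk -v chain="$chain" -v jail="$jail" '
    # Only count rules appended to the chain we were asked about.
    $1 == "-A" && $2 == chain {
      n++
      if (!f2b && $0 ~ ("-j f2b-" jail "( |$)")) f2b = n
      if (!est && $0 ~ /ESTABLISHED/ && $0 ~ /-j (ACCEPT|RETURN)/) est = n
    }
    END {
      if (!f2b) { print "no jump to f2b-" jail " in " chain; exit 2 }
      if (est && est < f2b) {
        print "rule #" est " accepts established connections before f2b-" jail " (rule #" f2b ")"
        exit 1
      }
      print "f2b-" jail " is rule #" f2b " in " chain ", ahead of any established-connection rule"
      exit 0
    }'
}

# Constructed sample listings (not captured from a real host).
# Good order: the fail2ban chain is consulted first.
SAMPLE_OK='-N DOCKER-USER
-A DOCKER-USER -p tcp -m multiport --dports 80,443 -j f2b-traefik-auth
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN'
# Bad order: established connections are accepted before fail2ban sees them.
SAMPLE_BAD='-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -p tcp -m multiport --dports 80,443 -j f2b-traefik-auth
-A DOCKER-USER -j RETURN'

# On a live host: iptables -S DOCKER-USER | check_f2b_chain_order DOCKER-USER traefik-auth
printf '%s\n' "$SAMPLE_OK" | check_f2b_chain_order DOCKER-USER traefik-auth || true
printf '%s\n' "$SAMPLE_BAD" | check_f2b_chain_order DOCKER-USER traefik-auth || true
```

Run the same check against every chain the packet traverses on its way to the fail2ban chain (FORWARD, DOCKER-USER and firewalld's own chains), since a bypass rule in any earlier chain has the same effect.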