fail2ban.action ERROR iptables -w -N f2b-<jail-name>

linux iptables fail2ban centos

I've been using fail2ban for a while without any issues.

The other day, I decided to stop fail2ban to remove one rule from my default iptables. When I started fail2ban, it started ok (according to the command: service fail2ban start).

However, when I checked iptables, I didn't see fail2ban chains added. I checked fail2ban log and I found several error like these:

fail2ban.action [32091]: ERROR iptables -w -N f2b- iptables -w -I INPUT -p tcp -m multiport --dports 0:65535 -j f2b- -- stderr: "iptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\n"

From this log, it seems fail2ban is trying to run iptables with the -w option, which doesn't exist. I checked all the fail2ban configuration files, specially under action.d directory, and there isn't a single line with the -w option. How weird is that?

I have no clue what is happening here, and I'm unable to use fail2ban because of this.

I appreciate your help.


Solution 1:

The -w option is not in your version 1.4.7 of iptables,it's use is explained in the /etc/fail2ban/action.d/iptables-common.conf file 

# Option:  lockingopt
# Notes.:  Option was introduced to iptables to prevent multiple instances from
#          running concurrently and causing irratic behavior.  -w was introduced
#          in iptables 1.4.20, so might be absent on older systems
#          See https://github.com/fail2ban/fail2ban/issues/1122
# Values:  STRING
lockingopt = -w

I would be tempted to remove the -w from the above declaration or even comment it out and see what happened.

Check your yum.log to see if fail2ban was updated recently. if so, see when it happened and check to see if you have a yumcron job running about that time.

Solution 2:

best approch is to add :

[Init] lockingopt =

in /etc/fail2ban/jail.local

the -w option description :

# Option:  lockingopt
# Notes.:  Option was introduced to iptables to prevent multiple      instances from
#          running concurrently and causing irratic behavior.  -w was introduced
#          in iptables 1.4.20, so might be absent on older systems
#          See https://github.com/fail2ban/fail2ban/issues/1122
# Values:  STRING

while in centos 6.7 the iptable version is 1.4.7 so it won't work.

additional information are here :

https://bugzilla.redhat.com/show_bug.cgi?id=1272681 https://github.com/fail2ban/fail2ban/issues/1122

Related

How to migrate a regular LXC container to a Proxmox LXC container?
Knockd daemon fails to start
Logging not working on Centos 7
Load testing at 350,000 requests per minute [closed]
Will preventing POST requests stop the spread of a remote access trojan?
Protecting a location by IP while applying basic auth everywhere else
Openvpn server can ping via IP but not via hostname
IPTables: How to log and set a specific log file
Is HAProxy still necessary when Varnish can act as a load balancer?
Chrony doesn't appear to be syncing with the servers I've specified
SYNC a folder on Ubuntu server with amazon S3 bucket automatically
Load balancing LDAP from a Domain Controller via F5