fail2ban.action ERROR iptables -w -N f2b-<jail-name>

I've been using fail2ban for a while without any issues.

The other day, I decided to stop fail2ban to remove one rule from my default iptables. When I started fail2ban, it started ok (according to the command: service fail2ban start).

However, when I checked iptables, I didn't see fail2ban chains added. I checked the fail2ban log and I found several errors like these:

fail2ban.action [32091]: ERROR iptables -w -N f2b- iptables -w -I INPUT -p tcp -m multiport --dports 0:65535 -j f2b- -- stderr: "iptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\n"

From this log, it seems fail2ban is trying to run iptables with the -w option, which doesn't exist. I checked all the fail2ban configuration files, especially under the action.d directory, and there isn't a single line with the -w option. How weird is that?

I have no clue what is happening here, and I'm unable to use fail2ban because of this.

I appreciate your help.


Solution 1:

The -w option is not in your version 1.4.7 of iptables; its use is explained in the /etc/fail2ban/action.d/iptables-common.conf file:

# Option:  lockingopt
# Notes.:  Option was introduced to iptables to prevent multiple instances from
#          running concurrently and causing irratic behavior.  -w was introduced
#          in iptables 1.4.20, so might be absent on older systems
#          See https://github.com/fail2ban/fail2ban/issues/1122
# Values:  STRING
lockingopt = -w

I would be tempted to remove the -w from the above declaration, or even comment it out, and see what happens.


Check your yum.log to see if fail2ban was updated recently. If so, see when it happened and check whether you have a yum-cron job running about that time.

Solution 2:

The best approach is to add:

[Init]
lockingopt =

in /etc/fail2ban/jail.local

The -w option description:

# Option:  lockingopt
# Notes.:  Option was introduced to iptables to prevent multiple instances from
#          running concurrently and causing irratic behavior.  -w was introduced
#          in iptables 1.4.20, so might be absent on older systems
#          See https://github.com/fail2ban/fail2ban/issues/1122
# Values:  STRING

In CentOS 6.7 the iptables version is 1.4.7, so it won't work.

Additional information is here:

https://bugzilla.redhat.com/show_bug.cgi?id=1272681
https://github.com/fail2ban/fail2ban/issues/1122
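As an added example (not from the question or either answer), a small POSIX sh helper covering both solutions: it decides from the "iptables -V" banner whether the build predates 1.4.20 and so lacks -w, counts the matching ERROR lines in a fail2ban log, and prints the fragment that blanks lockingopt. The sample log lines are constructed, and placing the override in action.d/iptables-common.local assumes fail2ban's usual .conf/.local override convention.

```shell
#!/bin/sh
# Added helper (not fail2ban's own code): does this iptables know -w, and is
# fail2ban's log already showing the failure that follows when it does not?

# iptables_w_support BANNER   (BANNER = output of "iptables -V")
#   Prints "supported" for iptables 1.4.20 or newer (where -w first appeared),
#   "unsupported" for older builds, "unknown" if the banner cannot be parsed.
iptables_w_support() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -s -d. -f3)
    # Fold the version into one integer so 1.4.7 < 1.4.20 compares correctly
    # (plain string comparison would rank "7" above "20").
    n=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    if [ "$n" -ge 1004020 ]; then echo supported; else echo unsupported; fi
}

# count_w_errors LOGFILE
#   Counts fail2ban.action ERROR lines whose captured iptables stderr carries
#   the "option -w' requires an argument" complaint quoted in the question.
count_w_errors() {
    grep -c "fail2ban\.action.*ERROR.*-w' requires an argument" "$1" || true
}

# Constructed sample log (not a real capture), in the layout fail2ban writes.
sample_log() {
    cat <<'EOF'
2015-10-20 10:00:01,123 fail2ban.action [32091]: ERROR iptables -w -N f2b-sshd -- stderr: "iptables v1.4.7: option `-w' requires an argument\n"
2015-10-20 10:00:01,130 fail2ban.jail   [32091]: INFO Jail 'sshd' started
2015-10-20 10:00:02,001 fail2ban.action [32091]: ERROR iptables -w -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- stderr: "iptables v1.4.7: option `-w' requires an argument\n"
EOF
}

# lockingopt_override
#   Prints the fragment that blanks the lock flag. Intended (assumption) for
#   /etc/fail2ban/action.d/iptables-common.local, which fail2ban reads after
#   iptables-common.conf so it overrides the [Init] default of "-w".
lockingopt_override() {
    printf '[Init]\nlockingopt =\n'
}

# Stand-alone use on a real host: report what the installed iptables supports.
if command -v iptables >/dev/null 2>&1; then
    echo "iptables -w support: $(iptables_w_support "$(iptables -V 2>/dev/null)")"
fi
```

Run it on the affected host; an "unsupported" verdict together with a non-zero count from count_w_errors on /var/log/fail2ban.log confirms this thread's cause rather than a broken jail definition.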