
fail2ban fails to add iptables to rules


I'm having issues with fail2ban: it is not adding the banned IP to iptables.

This is the error:

2022-01-29 15:13:48,499 fail2ban.actions        [2608]: NOTICE  [man] Restore Ban 212.192.246.26
2022-01-29 15:13:48,513 fail2ban.utils          [2608]: ERROR   7f9281692660 -- exec: iptables -w -N f2b-man
iptables -w -A f2b-man -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports all -j f2b-man
2022-01-29 15:13:48,514 fail2ban.utils          [2608]: ERROR   7f9281692660 -- stderr: 'iptables: Chain already exists.'
2022-01-29 15:13:48,514 fail2ban.utils          [2608]: ERROR   7f9281692660 -- stderr: "iptables v1.8.4 (legacy): invalid port/service `all' specified"
2022-01-29 15:13:48,514 fail2ban.utils          [2608]: ERROR   7f9281692660 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2022-01-29 15:13:48,514 fail2ban.utils          [2608]: ERROR   7f9281692660 -- returned 2
2022-01-29 15:13:48,514 fail2ban.actions        [2608]: ERROR   Failed to execute ban jail 'man' action 'iptables-multiport' info 'ActionInfo({'ip': '212.192.246.26', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f9280d62e50>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f9280d63550>})': Error starting action Jail('man')/iptables-multiport: 'Script error'

So iptables doesn't like:

iptables -w -I INPUT -p tcp -m multiport --dports all -j f2b-man

`--dports all` is apparently the issue, so my question is: why is fail2ban producing a faulty command, and how do I correct it?

Edit: running Ubuntu Server 20.04.3 without netplan.

Chris:
It's a problem with your fail2ban configuration, that you need to show us. There is somewhere an incorrect `all` value for `port` when iptables expects something like `0:65535`.
@Chris yeah, I suspected that, but in which config are you specifying that? There are like 30 different .conf files.
Chris:
It seems to be related to the jail `man`, so first show this part of your `jail.local` (or `jail.conf` if modified directly), then all other customizations you made to `action` and `action-multiports`.
@Chris I've not made any customizations, except adding a filter for ufwprobing. I actually checked the man, and it said port = any; I changed it to 0:65535 and it stopped complaining, but it created this rule `f2b-man tcp -- anywhere anywhere multiport dports 0:65535` in the INPUT chain (policy DROP), but no IP. I think it's better to purge everything, download the latest fail2ban and make a clean install.
Is fail2ban reading both jail.conf and jail.local, or only jail.local if it exists?
Chris:
fail2ban reads jail.conf first, then jail.local if it exists. Properties you set in the local version overwrite the first; others are unchanged. Concerning iptables, the rule you show is normal. It's a reference to another chain (f2b-man) that *should* contain the IP.
@Chris yeah, `sudo iptables -S` revealed the IP. I didn't see it when I listed the tables; I guess it just didn't display those. But I've seen more jails that had port = all; I'd better change them to 0:65536 so there won't be any issues.

Action iptables-multiport is not really suitable for banning all ports; there are other banning actions you can use instead.

Simply set banaction for the jail to the all-ports action of your choice (for instance iptables-allports), or use the interpolation variable "banaction_allports" already available in jail.conf (also set or overridden by your distribution maintainer), which can also be set in the default section of your jail.local.

[man]
# banaction = iptables-allports
banaction = %(banaction_allports)s

[other-allports-jail]
banaction = %(banaction_allports)s

@AdamLarsson Yes, indeed. Or alternatively change the `action =` line, which should then use `%(banaction_allports)s`, but you won't receive an email then.
So if I want all jails to ban all ports, I should set `banaction = %(banaction_allports)s` under **[DEFAULT]** and then not specify any banaction under each jail?
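A worked illustration of the jail.conf/jail.local layering Chris describes and the `%(banaction_allports)s` override from the answer, added here as an example; it is not code from the thread or from fail2ban itself. It uses Python's configparser (its `%(name)s` interpolation is assumed here as a stand-in for fail2ban's) on constructed sample configs, and flags the `iptables-multiport` + `port = all` combination behind the error in the question; note that `[man]` keeps its own banaction because a per-jail value overrides `[DEFAULT]`.

```python
import configparser

# Constructed stand-ins for /etc/fail2ban/jail.conf and jail.local (not real files).
JAIL_CONF = """\
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports

[man]
port = all
banaction = iptables-multiport

[sshd]
port = ssh
"""

JAIL_LOCAL = """\
[DEFAULT]
# Global override: jails without their own banaction now ban all ports.
banaction = %(banaction_allports)s

[man]
port = all
"""

# Port values that `-m multiport --dports` rejects (seen in the question's log).
BAD_MULTIPORT_PORTS = {"all", "any"}

def load_jails(conf_text, local_text):
    """Read jail.conf, then overlay jail.local: keys set in local override,
    everything else keeps the jail.conf value (the behaviour Chris describes)."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp

def ban_rule(jail, port):
    """The INPUT-chain insert that iptables-multiport runs at jail start."""
    return f"iptables -w -I INPUT -p tcp -m multiport --dports {port} -j f2b-{jail}"

def check_jail(cp, jail):
    """Return (banaction, port, problem); problem is None when the jail is fine."""
    banaction = cp.get(jail, "banaction")  # %(...)s interpolation is expanded here
    port = cp.get(jail, "port")
    problem = None
    if banaction == "iptables-multiport" and port in BAD_MULTIPORT_PORTS:
        problem = (f"[{jail}] would run `{ban_rule(jail, port)}`; "
                   "use port = 0:65535 or banaction = %(banaction_allports)s")
    return banaction, port, problem
```

Running `check_jail` over `cfg.sections()` reports `man` as broken and `sshd` as resolved to `iptables-allports` through the `[DEFAULT]` interpolation.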