Score:1

Using fail2ban in a docker container to block incoming connections

I am trying to use fail2ban in a docker container to block incoming connections to my nextcloud (also running in a docker container). However, I can only get fail2ban to change the iptables rules of its own container, not those of the docker host.


My current setup looks like this:

docker-compose

  app:
    image: nextcloud:latest
    container_name: nextcloud_app
    restart: always
    ports:
      - 7000:80
      - 7001:443
    ...

  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: nextcloud_fail2ban
    network_mode: host
    restart: always
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ./data/fail2ban:/config
      - ./data/nextcloud/data:/var/log:ro # the directory of the nextcloud log
    cap_add:
      - NET_ADMIN
      - NET_RAW

jail.d/nextcloud.conf

[nextcloud]
enabled = true
port = 80,443,7000,7001
protocol = tcp
filter = nextcloud
logpath = /var/log/nextcloud.log
maxretry = 3
bantime = 86400
findtime = 14400
# banaction = docker-action
# chain = DOCKER-USER
# action = iptables[actname=iptables-input,   name=HTTPS,                       port=https, protocol=tcp]
#          iptables[actname=iptables-forward, name=HTTPS-DOCKER, chain=FORWARD, port=443, protocol=tcp]

This results in the iptables rules being correctly set in the fail2ban container (e.g. after banning 192.168.1.125):

root@grievous:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-nextcloud
-A INPUT -p tcp -m multiport --dports 80,443,7000,7001 -j f2b-nextcloud
-A f2b-nextcloud -s 192.168.1.125/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -j RETURN

but the host iptables stay unchanged. This doesn't help me much, since I don't want to block the traffic to the fail2ban container but instead to the nextcloud container (or in general all incoming traffic from the banned IP address to the docker host).


I looked online for some solutions but was not able to put the puzzle together. I think I have to use the DOCKER-USER chain. However, when using it no iptables rules were created.

Some suggest installing fail2ban bare-metal, which I don't want.

I also tried using a docker-action.conf that I found, but this didn't help either, since it also creates the iptables rules in the fail2ban container:

[Definition]
actionstart = iptables -N f2b-npm-docker
              iptables -A f2b-npm-docker -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
             iptables -F f2b-npm-docker
             iptables -X f2b-npm-docker
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-npm-docker[ \t]'
actionban = iptables -I f2b-npm-docker -s <ip> -j DROP
actionunban = iptables -D f2b-npm-docker -s <ip> -j DROP

So I guess my problem/question is how to tell fail2ban to install the iptables rules on the docker host instead of in its own container. Maybe I have to change the network_mode?

As described in this post https://serverfault.com/a/1032094/1005675, fail2ban shall run as an additional pod and needs to write to the host's iptables.

Any help is highly appreciated =)
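One way to write the DOCKER-USER idea from the question as a fail2ban action file (an added example; it is not the question's docker-action.conf and not shipped by fail2ban or the linuxserver image). It assumes the fail2ban container shares the host network namespace (network_mode: host plus NET_ADMIN/NET_RAW) and that Docker has created the DOCKER-USER chain on the host, which Docker consults from the top of FORWARD before its own port-publishing rules:

```ini
# action.d/docker-user.conf  (added example, not from the question or from fail2ban)
# Use from the jail with:   banaction = docker-user
#
# Assumptions (not from the question): fail2ban's iptables call acts on the host
# network namespace, and the DOCKER-USER chain exists on the host.
# Published ports are DNAT'd to the container port before FORWARD is evaluated,
# so matching on the host port (7000/7001) here would miss; this action therefore
# drops every forwarded packet from a banned source, regardless of port.

[Definition]
# Create a per-jail chain and hook it from DOCKER-USER.
# <name> is the jail name, <ip> the banned address (both substituted by fail2ban).
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I DOCKER-USER -j f2b-<name>

actionstop  = iptables -D DOCKER-USER -j f2b-<name>
              iptables -F f2b-<name>
              iptables -X f2b-<name>

# fail2ban runs this before every ban/unban; a non-zero exit re-runs actionstart,
# which restores the hook if Docker's restart rebuilt the chain.
actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-<name>[ \t]'

# Insert at position 1 so the DROP sits above the trailing RETURN.
actionban   = iptables -I f2b-<name> 1 -s <ip> -j DROP
actionunban = iptables -D f2b-<name> -s <ip> -j DROP

[Init]
name = default
```

DOCKER-USER only sees traffic forwarded to containers, not traffic to services listening on the host itself (that still needs an INPUT rule). When checking the result, note that `iptables -S` only lists rules of its own backend (iptables-legacy vs iptables-nft), so the container image and the host must use the same backend or the rules will not show up where you look.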

Score:0

I am also exploring this. Have you made any progress here? From what I've understood so far, it would probably be easier to integrate fail2ban within the Nextcloud container itself.

That implies building on top of the Nextcloud image. As an example, see:

FROM nextcloud:25.0.4-apache

RUN apt-get update && apt-get install -y supervisor \
  && rm -rf /var/lib/apt/lists/* \
  && mkdir /var/log/supervisord /var/run/supervisord

COPY supervisord.conf /

ENV NEXTCLOUD_UPDATE=1

CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

Here the purpose is to add supervisor to the Nextcloud container, so that cron can run without another Nextcloud image dedicated to that.

This project could be another piece of the puzzle, since it integrates fail2ban into an Asterisk docker image.
