Package: iptables
Version: 1.8.2-2
Severity: grave

The fail2ban attack prevention software scans log files and adds firewall rules dynamically to iptables/ip6tables to prevent DoS and login scanning attacks in realtime.

Since upgrading iptables to the 1.8.2 version it has been completely unable to do that vital task due to problems within nftables / iptables.

The example that I am facing right now is with active and large DoS attacks (email spam attacks). When fail2ban attempts to add the firewall blocks, such as:

  iptables -w -I f2b-postfix-sasl 1 -s 80.82.70.189 \
      -j REJECT --reject-with icmp-port-unreachable

iptables produces an error:

  iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument): rule in chain f2b-postfix-sasl

The system log matching that iptables update attempt states:

  x_tables: ip_tables: REJECT target: used from hooks FORWARD/OUTPUT/POSTROUTING, but only usable from INPUT/FORWARD/OUTPUT

Which appears to be a lie. The f2b-postfix-sasl is a sub-chain of the INPUT table and is not in any way connected to the FORWARD, OUTPUT nor POSTROUTING tables.

  iptables -L -nv

  Chain INPUT (policy ACCEPT 1727M packets, 3523G bytes)
   pkts bytes target           prot opt in  out source    destination
   9531 7001K f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
   9531 7001K f2b-courier-auth tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
   8629 6907K f2b-postfix      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587
   2994  278K f2b-sshd         tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 22
  6412K 2086M f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
  6412K 2086M f2b-courier-auth tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
  3053K  829M f2b-postfix      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 25,465,587
    11M  663M f2b-sshd         tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   multiport dports 22

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target           prot opt in  out source    destination

  Chain OUTPUT (policy ACCEPT 1230M packets, 132G bytes)
   pkts bytes target           prot opt in  out source    destination

  Chain f2b-sshd (2 references)
   pkts bytes target           prot opt in  out source    destination
   5988  556K RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

  Chain f2b-postfix (2 references)
   pkts bytes target           prot opt in  out source    destination
  17258   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

  Chain f2b-courier-auth (2 references)
   pkts bytes target           prot opt in  out source    destination
  19062   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

  Chain f2b-postfix-sasl (2 references)
   pkts bytes target           prot opt in  out source    destination
  19062   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

AYJ
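The kernel message quoted in the report says REJECT is only usable from INPUT/FORWARD/OUTPUT, while the reporter's listing shows f2b-postfix-sasl hanging only off INPUT. The script below is an added example, not part of the bug report and not code from fail2ban, iptables or nftables. It takes an `iptables -S` rule-spec listing on stdin, works out which base chains can reach a given user chain through `-j` jumps (transitively), and checks that set against the hooks the kernel message names. The SAMPLE_RULES listing is constructed: the f2b-* entries follow the reporter's ruleset, while fwd-filter, deep-chain and post-chain are invented to show a chain reached from two hooks and one reached from POSTROUTING (standing in for a mangle-table listing appended with `iptables -t mangle -S`).

```shell
#!/bin/sh
# Added example (not from the bug report): given an `iptables -S` rule listing on
# stdin, compute which base chains (hooks) reach a user-defined chain and whether
# that set is one the quoted kernel message says REJECT is usable from.

# Constructed sample listing. The f2b-* part mirrors the reporter's ruleset; the
# fwd-filter / deep-chain / post-chain entries are made up for illustration.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-N f2b-postfix
-N f2b-courier-auth
-N f2b-postfix-sasl
-N fwd-filter
-N deep-chain
-A INPUT -p tcp -m multiport --dports 25,465,587,143,993,110,995 -j f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 25,465,587,143,993,110,995 -j f2b-courier-auth
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j fwd-filter
-A OUTPUT -j fwd-filter
-A fwd-filter -j deep-chain
-A f2b-sshd -j RETURN
-A f2b-postfix -j RETURN
-A f2b-courier-auth -j RETURN
-A f2b-postfix-sasl -j RETURN
-P POSTROUTING ACCEPT
-N post-chain
-A POSTROUTING -j post-chain'

# hooks_for_chain CHAIN: print, sorted and space-separated, every base chain from
# which CHAIN is reachable through -j jumps. The rule listing is read from stdin.
hooks_for_chain() {
    awk -v target="$1" '
    # record "parent jumps to child" for every -A rule that carries a -j target
    $1 == "-A" {
        for (i = 3; i < NF; i++)
            if ($i == "-j") parent[$2 SUBSEP $(i + 1)] = 1
    }
    END {
        builtin["PREROUTING"] = 1; builtin["INPUT"] = 1; builtin["FORWARD"] = 1
        builtin["OUTPUT"] = 1; builtin["POSTROUTING"] = 1
        # breadth-first walk backwards from target along the jump edges
        head = 1; tail = 1; queue[1] = target; seen[target] = 1
        while (head <= tail) {
            cur = queue[head++]
            for (key in parent) {
                split(key, edge, SUBSEP)
                if (edge[2] == cur && !(edge[1] in seen)) {
                    seen[edge[1]] = 1; queue[++tail] = edge[1]
                }
            }
        }
        n = 0
        for (c in seen) if (c in builtin) out[++n] = c
        # insertion sort so the output is deterministic across awk implementations
        for (i = 2; i <= n; i++) {
            v = out[i]; j = i - 1
            while (j >= 1 && out[j] > v) { out[j + 1] = out[j]; j-- }
            out[j + 1] = v
        }
        line = ""
        for (i = 1; i <= n; i++) line = line (i > 1 ? " " : "") out[i]
        print line
    }'
}

# reject_allowed_from CHAIN: succeed (0) when every hook reaching CHAIN is one of
# INPUT/FORWARD/OUTPUT, the set the kernel message in the report names for REJECT.
# An unreferenced chain has no hooks and therefore passes.
reject_allowed_from() {
    for hook in $(hooks_for_chain "$1"); do
        case "$hook" in
            INPUT|FORWARD|OUTPUT) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run over the constructed sample
for chain in f2b-postfix-sasl deep-chain post-chain; do
    hooks=$(printf '%s\n' "$SAMPLE_RULES" | hooks_for_chain "$chain")
    if printf '%s\n' "$SAMPLE_RULES" | reject_allowed_from "$chain"; then
        verdict="REJECT usable"
    else
        verdict="REJECT would be refused"
    fi
    printf '%-18s reached from: %-16s %s\n' "$chain" "$hooks" "$verdict"
done
```

On a live host, replace the sample with the real listing (`iptables -S`, plus `iptables -t mangle -S` and `-t nat -S` if those tables are populated). When the script reports only INPUT for a chain and the kernel still refuses a REJECT rule in it, the ruleset itself is not the cause; the disagreement is between what the iptables front end lists and what the kernel sees, which is the situation this report describes.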