I'm trying to figure out why I'm getting an error from iptables when restarting fail2ban and it goes through the process of stopping my jails and unbanning entries in the chains set up by fail2ban. Here's an example of the error I see:
> 2014-11-06 10:10:39,934 fail2ban.actions: WARNING [spam] Unban 192.3.100.7
> 2014-11-06 10:10:39,961 fail2ban.actions.action: ERROR iptables -D fail2ban-spam -s 192.3.100.7 -j REJECT --reject-with icmp-port-unreachable returned 100
> 2014-11-06 10:10:40,005 fail2ban.jail : INFO Jail 'spam' stopped

I think I see what's causing the error, but I'm not sure of how I got here. Can anyone see anything here that's obviously wrong?

I'm running Fail2Ban v0.8.11 on an Ubuntu 14.04.1 LTS server. Here's what I'm doing:

1. Restart fail2ban:

> $ sudo service fail2ban restart

2. Wait for a new address to be banned and added to the fail2ban-<name> chain. From /var/log/fail2ban.log:

> 2014-11-06 10:00:45,484 fail2ban.actions: WARNING [spam] Ban 192.3.100.7

3. Look at the new entry in the chain:

> $ sudo iptables -n -L fail2ban-spam | grep 192.3.100.7
> DROP       all  --  192.3.100.7          0.0.0.0/0
> $

Note the DROP target; this is what I expect to see. My actionban entry in /etc/fail2ban/action.d/iptables-multiport.conf is this:

> actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi

4. Restart fail2ban:

> $ sudo service fail2ban restart

5. Look at the fail2ban log:

> $ sudo vi /var/log/fail2ban.log
> 2014-11-06 10:10:39,934 fail2ban.actions: WARNING [spam] Unban 192.3.100.7
> 2014-11-06 10:10:39,961 fail2ban.actions.action: ERROR iptables -D fail2ban-spam -s 192.3.100.7 -j REJECT --reject-with icmp-port-unreachable returned 100
> 2014-11-06 10:10:40,005 fail2ban.jail : INFO Jail 'spam' stopped

Note the error message and the parameters being passed to iptables, especially the "-j REJECT --reject-with icmp-port-unreachable" part.

Here are my actionunban and actionstop entries in /etc/fail2ban/action.d/iptables-multiport.conf:

> actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
> actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
>              iptables -F fail2ban-<name>
>              iptables -X fail2ban-<name>

So I'm not surprised that iptables returns an error - it's being asked to perform an action for an entry on the chain that it can't match. What I don't understand is where the "-j REJECT --reject-with icmp-port-unreachable" came from. Can anyone suggest some clues?

Given the parameter mismatch I don't think this is related to the race condition I've seen described in other places when starting and stopping fail2ban.

Thank you,
Scott

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
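The ban/unban mismatch described in the post, as an added example that is not part of the post or of fail2ban's own code: a small checker that expands the <tag> placeholders of an action file (mimicking fail2ban's substitution) and compares the iptables jump targets used by actionban and actionunban. The action text is constructed from the entries quoted above; the `blocktype` value under `[Init]` is an assumption taken from what the log shows being substituted, and the FIXED_CONF variant is a constructed "actionban also uses <blocktype>" version for comparison.

```python
import configparser
import re

# Constructed action file modelled on the entries quoted in the post; the
# blocktype value under [Init] is an assumption taken from what the log shows
# being substituted into the unban command.
ACTION_CONF = """
[Definition]
actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

[Init]
name = default
blocktype = REJECT --reject-with icmp-port-unreachable
"""
# Same file with actionban using <blocktype> as well (constructed variant).
FIXED_CONF = ACTION_CONF.replace("-j DROP", "-j <blocktype>")

TAG = re.compile(r"<([A-Za-z_]+)>")
# '-j TARGET' plus any trailing '--option value' pairs (e.g. --reject-with ...)
JUMP = re.compile(r"-j\s+([A-Z_]+(?:\s+--[\w-]+\s+[\w-]+)*)")

def expand(template, tags):
    """Substitute <tag> placeholders; unknown tags are left untouched."""
    return TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), template)

def jump_targets(command):
    """Set of jump targets (with their options) used on an iptables command line."""
    return {t.strip() for t in JUMP.findall(command)}

def check_action(conf_text, jail_tags):
    """Expand actionban/actionunban and report whether their jump targets agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    tags = dict(cp["Init"]) if cp.has_section("Init") else {}
    tags.update(jail_tags)  # jail-level values override [Init] defaults
    ban = expand(cp["Definition"]["actionban"], tags)
    unban = expand(cp["Definition"]["actionunban"], tags)
    ban_t, unban_t = jump_targets(ban), jump_targets(unban)
    return {"ban": ban, "unban": unban, "ban_targets": ban_t,
            "unban_targets": unban_t, "consistent": ban_t == unban_t}

if __name__ == "__main__":
    jail = {"name": "spam", "ip": "192.3.100.7"}
    for label, conf in (("as quoted", ACTION_CONF), ("ban uses <blocktype>", FIXED_CONF)):
        r = check_action(conf, jail)
        print(f"{label}: consistent={r['consistent']} ban={r['ban_targets']} unban={r['unban_targets']}")
```

Run against the quoted entries the checker reports DROP on the ban side and the expanded blocktype on the unban side, which is exactly the pair of rules iptables -D cannot reconcile; the constructed variant with both commands on <blocktype> reports them as consistent.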
