Hi Tom,

Below is my full iptables list.

ubuntu@rasberrypi4b:~$ sudo iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

ubuntu@rasberrypi4b:~$ sudo iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

ubuntu@rasberrypi4b:~$ sudo iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-owncloud  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

ubuntu@rasberrypi4b:~$ sudo iptables -L f2b-owncloud
Chain f2b-owncloud (1 references)
target     prot opt source               destination
REJECT     all  --  152.0.34.233         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Thanks in advance.

On Mon, Mar 30, 2020 at 3:44 AM Tom Hendrikx <t...@whyscream.net> wrote:
>
> Hi,
>
> Please reply to the list only.
>
> You're not showing the full iptables output.
> Changing the chain name should alter the place where the "f2b-owncloud"
> chain is linked into the default inputs of iptables; this is not visible
> in the "f2b-owncloud" chain itself. Show full iptables -L -n output, or show:
>
> sudo iptables -L INPUT
> sudo iptables -L FORWARD
>
> Kind regards,
>
> Tom
>
> On 30-03-2020 06:37, SeaTigerIII wrote:
> > Hi Tom,
> >
> > Thanks for your suggestion.
> >
> > I had tried it at my end but it does not work.
> >
> > It still cannot block any external IP address.
> >
> > $ sudo iptables -L f2b-owncloud -n
> > Chain f2b-owncloud (1 references)
> > target     prot opt source               destination
> > REJECT     all  --  152.0.34.125         0.0.0.0/0            reject-with icmp-port-unreachable
> > RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> >
> > I worried that it may be an iptables chain-related problem, as per your
> > suggestion. I would take time to read about iptables first.
> >
> > Thank you for your hints.
> >
> > Regards
> >
> > Miss Poon
> >
> > On Sun, Mar 29, 2020 at 10:29 AM Tom Hendrikx <t...@whyscream.net> wrote:
> >>
> >> Hi,
> >>
> >> Probably you need to use a different iptables chain to block the
> >> requests to your docker instance. In
> >> /etc/fail2ban/action.d/iptables-common.conf, the iptables chain that is
> >> used is defined. By default this is "INPUT", but in your case this
> >> should probably be changed to "FORWARD".
> >>
> >> I'm unsure if this is due to the fact that your server is behind a
> >> firewall and in a LAN, or because the traffic goes to a docker instance
> >> (over the docker network stack) and not to a service directly running on
> >> a port on the machine itself: I don't know anymore (sorry, it's been a
> >> while since I had a setup similar to this).
> >>
> >> Kind regards,
> >>
> >> Tom
> >>
> >> On 29-03-2020 14:23, SeaTigerIII wrote:
> >>> Hi,
> >>>
> >>> I have installed the below on my home server and have an issue blocking
> >>> external connections to my ownCloud (Docker).
> >>>
> >>> Below are my environment settings.
> >>>
> >>> Ubuntu Server 18.0.4
> >>> Fail2Ban 0.10.2
> >>> Docker 19.03.8
> >>> ownCloud 10.3.2.2 (in docker)
> >>>
> >>> I have set up fail2ban to check the ownCloud log file and detect failed
> >>> logins. It can detect and ban IP addresses in fail2ban correctly.
> >>>
> >>> If I use my internal IP address, it can block the ownCloud access
> >>> correctly. However, if I use an external connection with an external IP
> >>> address, fail2ban can detect it and mark that external IP address to be
> >>> blocked, but it seems that iptables would not block it and goes on to
> >>> allow access.
> >>>
> >>> Below is my status result.
> >>>
> >>> $ sudo fail2ban-client status owncloud
> >>> Status for the jail: owncloud
> >>> |- Filter
> >>> |  |- Currently failed: 1
> >>> |  |- Total failed:     45
> >>> |  `- File list:        /home/ubuntu/owncloud/owncloud.log
> >>> `- Actions
> >>>    |- Currently banned: 3
> >>>    |- Total banned:     4
> >>>    `- Banned IP list:   152.0.158.112 152.0.153.189 192.168.1.20
> >>>
> >>> I can see that it has already banned IP addresses 152.0.158.112,
> >>> 152.0.153.189 & 192.168.1.20.
> >>>
> >>> The device with IP address 192.168.1.20 is not able to access ownCloud
> >>> any more.
> >>> Devices with IP address 152.0.158.112 or 152.0.153.189 can go on to
> >>> access ownCloud.
> >>>
> >>> Below is the iptables chain list.
> >>>
> >>> $ sudo iptables -L DOCKER-USER
> >>> Chain DOCKER-USER (1 references)
> >>> target     prot opt source               destination
> >>> f2b-owncloud  tcp  --  anywhere             anywhere
> >>> RETURN     all  --  anywhere             anywhere
> >>>
> >>> $ sudo iptables -L f2b-owncloud
> >>> Chain f2b-owncloud (1 references)
> >>> target     prot opt source               destination
> >>> REJECT     all  --  192.168.1.20         anywhere             reject-with icmp-port-unreachable
> >>> REJECT     all  --  152.0.158.112        anywhere             reject-with icmp-port-unreachable
> >>> REJECT     all  --  152.0.153.189        anywhere             reject-with icmp-port-unreachable
> >>> RETURN     all  --  anywhere             anywhere
> >>> RETURN     all  --  anywhere             anywhere
> >>> RETURN     all  --  anywhere             anywhere
> >>>
> >>> Is there anything wrong with the iptables?
> >>>
> >>> Actually, I have tried to add the below rule directly in DOCKER-USER, but
> >>> the device with the external IP address is still able to access my ownCloud.
> >>>
> >>> $ sudo iptables -I DOCKER-USER -i eth0 -s 152.0.158.112 -j REJECT
> >>>
> >>> Please advise.
> >>>
> >>> Many Thanks
> >>>
> >>> Miss Poon
> >>>
> >>> _______________________________________________
> >>> Fail2ban-users mailing list
> >>> Fail2ban-users@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >
> > --
> > Best Regards
> >
> > SeaTigerIII
> > WeChat - seatiger...@gmail.com
> > Google Talk: seatiger...@gmail.com

--
Best Regards

SeaTigerIII
WeChat - seatiger...@gmail.com
Google Talk: seatiger...@gmail.com
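As an added example (not part of the thread or of fail2ban), the Python tracer below walks a constructed ruleset modelled on the FORWARD, DOCKER-USER and f2b-owncloud chains shown above and reports which rule decides a forwarded packet, which is the question Tom is asking: whether the fail2ban REJECT is actually reached from FORWARD. The ruleset is a simplified assumption (ufw and isolation chains left out, the DOCKER chain reduced to one accept rule), as is the address 203.0.113.5; only the chain names and 152.0.34.233 come from the thread.

```python
import ipaddress

# Constructed ruleset in `iptables -S` form, modelled on the FORWARD, DOCKER-USER
# and f2b-owncloud chains in the thread (ufw and isolation chains left out).
RULES = """
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER
-A DOCKER-USER -p tcp -j f2b-owncloud
-A DOCKER-USER -j RETURN
-A DOCKER -p tcp -j ACCEPT
-A f2b-owncloud -s 152.0.34.233/32 -j REJECT --reject-with icmp-port-unreachable
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FLAGS = {"-s": "src", "-p": "proto", "--ctstate": "ctstate", "-j": "target"}

def parse_rules(text):
    """Return ({built-in chain: policy}, {chain: [rule dicts, in order]})."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A":  # keep only the matches this tracer understands
            rule = {FLAGS[t]: tok[i + 1] for i, t in enumerate(tok) if t in FLAGS}
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    return (("src" not in rule or ipaddress.ip_address(pkt["src"])
             in ipaddress.ip_network(rule["src"]))
            and ("proto" not in rule or rule["proto"] == pkt["proto"])
            and ("ctstate" not in rule or pkt["ctstate"] in rule["ctstate"].split(",")))

def verdict(policies, chains, pkt, chain="FORWARD"):
    """Walk a chain like netfilter: jumps recurse, RETURN goes back to the caller."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, chain
        if target == "RETURN":
            break
        if target in chains and (result := verdict(policies, chains, pkt, target)):
            return result
    return (policies[chain], f"{chain} policy") if chain in policies else None

def trace(src, proto="tcp", ctstate="NEW"):
    return verdict(*parse_rules(RULES), {"src": src, "proto": proto, "ctstate": ctstate})
```

Because DOCKER-USER is consulted before the RELATED,ESTABLISHED accept, the tracer shows the ban also taking effect on an already-open connection; a UDP packet from the banned address never reaches f2b-owncloud because the jump in DOCKER-USER is limited to tcp and falls through to the FORWARD policy.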