Hello,
I need your help. I want to secure a docker container and my host via
fail2ban. Therefore I need to add a rule in the INPUT and FORWARD (TCP &
UDP) chain.
My jail looks like this (the continuation lines of the banaction value are indented, as fail2ban requires for multi-line values):
[icecast2]
enabled = true
banaction =
    nftables-allports[actname=ic2hostTCP]
    nftables-allports[actname=ic2containerTCP,chain=forward]
    nftables-allports[actname=ic2hostUDP,protocol=udp]
    nftables-allports[actname=ic2containerUDP,chain=forward,protocol=udp]
logpath = /var/log/container/docker_radio_access.log
The jail triggers correctly and adds rules - but not as expected...
nft list ruleset:
table ip filter {
    set f2b-icecast2 {
        type ipv4_addr
    }
    chain input {
        type filter hook input priority 0; policy drop;
        meta l4proto tcp ip saddr @f2b-icecast2 reject
        meta l4proto udp ip saddr @f2b-icecast2 reject
        meta l4proto tcp ip saddr @f2b-icecast2 reject
        ct state invalid counter packets 37 bytes 1764 drop ...
        [...]
    chain forward {
        type filter hook forward priority 0; policy drop;
        meta l4proto tcp ip saddr @f2b-icecast2 reject
        iifname "rad ...
It seems that the options 'protocol' and 'chain' are working per se, but
not in combination.
The 'nftables-***' templates don't accept protocol=all.
Can someone please give me a hint?
Fail2Ban v0.10.2 on Debian buster.
Best Regards
Thomas
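A small audit script, added here as an example and not part of Thomas's post or of Fail2Ban, that parses `nft list ruleset` output and reports which (chain, protocol) reject rules for a given fail2ban set are present, duplicated or missing. The embedded ruleset is a constructed sample based on the excerpt above with the truncated lines dropped, and the expected pairs are the four banaction entries from the jail.

```python
import re
from collections import Counter
# `nft list ruleset` excerpt from the post (constructed sample; truncated lines dropped).
SAMPLE_RULESET = """\
table ip filter {
    set f2b-icecast2 {
        type ipv4_addr
    }
    chain input {
        type filter hook input priority 0; policy drop;
        meta l4proto tcp ip saddr @f2b-icecast2 reject
        meta l4proto udp ip saddr @f2b-icecast2 reject
        meta l4proto tcp ip saddr @f2b-icecast2 reject
        ct state invalid counter packets 37 bytes 1764 drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        meta l4proto tcp ip saddr @f2b-icecast2 reject
    }
}
"""
# (chain, protocol) pairs the four banaction entries in the jail should produce.
EXPECTED = [("input", "tcp"), ("input", "udp"), ("forward", "tcp"), ("forward", "udp")]

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
BAN_RE = re.compile(r"meta l4proto (\w+) ip saddr @(\S+) reject")
def ban_rules(ruleset, set_name):
    """Count reject rules referencing set_name, keyed by (chain, protocol)."""
    counts, chain = Counter(), None
    for line in ruleset.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)          # entering a chain block
        elif line.strip() == "}":
            chain = None                # leaving a block (chain, set or table)
        else:
            m = BAN_RE.search(line)
            if m and chain and m.group(2) == set_name:
                counts[(chain, m.group(1))] += 1
    return counts

def audit(ruleset, set_name, expected=EXPECTED):
    """Report which expected ban rules are missing, unexpected or duplicated."""
    counts = ban_rules(ruleset, set_name)
    present = set(counts)
    return {
        "missing": sorted(set(expected) - present),
        "unexpected": sorted(present - set(expected)),
        "duplicated": sorted(k for k, n in counts.items() if n > 1),
    }
```

Run against the live host with `audit(subprocess.check_output(["nft", "list", "ruleset"], text=True), "f2b-icecast2")` to see at a glance whether every chain/protocol combination the jail asked for actually made it into the ruleset.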
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users