
[BUG] IPs are banned but can still access the server/apps #476

Open
ngthwi opened this issue Apr 24, 2024 · 5 comments


ngthwi commented Apr 24, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

IPs are banned but can still access the server/apps.

There are errors in fail2ban.log:

2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- exec: { iptables -w -C f2b-bitwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-bitwarden || true; iptables -w -A f2b-bitwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-bitwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-bitwarden; }
done
2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- returned 4
2024-04-24 07:40:57,608 fail2ban.actions        [756]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'xxx.xxx.xxx.xxx', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fe721dce480>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fe721dcec00>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Expected Behavior

A banned IP shouldn't be able to access the server.

Steps To Reproduce

  1. Access my bitwarden instance
  2. Do 3 unsuccessful login attempts (max retry is 3 in jail.local)
  3. Bitwarden is still accessible

Tried also to override fail2ban/action.d/iptables.conf with an `iptables.local` (from sosandroid/docker-fail2ban-synology) containing the following, but it doesn't work either:

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP

Environment

- OS: Synology DSM 7.2
- How docker service was installed: package manager
- swag container is on a macvlan and the logged IPs are the "real" ones

CPU architecture

x86-64

Docker creation

version: "2"

services:
  swag:
    image: linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    labels:
      - com.centurylinklabs.watchtower.enable=true
    environment:
      - PUID=xxx
      - PGID=xxx
      - TZ=xxx/xxx
      - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-dbip
      - URL=mydomain.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=duckdns
      - EMAIL=
    volumes:
      - /volume1/docker/swag/config:/config
      - /volume1/docker/swag/tmp:/var/lib/nginx/tmp
    restart: unless-stopped
    networks:
      mymacvlan-network:
        ipv4_address: 192.168.xxx.xxx

networks:
  mymacvlan-network:
    external: true

Container logs

[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] linuxserver/mods:swag-dashboard at sha256:71c6dd5d43e9202721c5d880ad7ffde14c610f45266ca74044464c2b6e4cc07d has been previously applied skipping
[mod-init] Adding linuxserver/mods:swag-dbip to container
[mod-init] linuxserver/mods:swag-dbip at sha256:030971d1da84c696a68f83198102981bef5c9a37aa54666e48915723ecd50a70 has been previously applied skipping
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝
   Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    xxx
User GID:    xxx
───────────────────────────────────────
using keys found in /config/keys
Variables set:
PUID=xxx
PGID=xxx
TZ=xxx/xxx
URL=mydomain.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=duckdns
EMAIL=
STAGING=
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for mydomain.duckdns.org will be requested
No e-mail address entered or address invalid
dns validation via duckdns plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
Applying the dbip mod...
**** Applying the SWAG dashboard mod... ****
Applied the dbip mod
**** goaccess already installed, skipping ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
[custom-init] No custom files found, skipping...
[ls.io-init] done.

Server ready

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@j0nnymoe
Member

This might be out of our control as it does depend on some packages within the Host OS itself. Would need to do some testing.


ngthwi commented May 9, 2024

It seems there's a fix (or potential pull request) by using iptables-legacy, see https://github.com/crazy-max/docker-fail2ban


piciuok commented Jun 3, 2024

Same problems on the latest QTS 5.1 QNAP firmware.
Before I migrated to swag I was using the crazy-max package and everything worked fine.

@Sebboost1

Same for me, the Synology (BSD?) host has an issue with the new iptables. Can you implement an environment variable to choose between the new or legacy iptables please?
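As an added check for the failure described in this thread (example code, not SWAG's and not any commenter's): a POSIX sh script that runs the same non-destructive probe fail2ban's iptables action runs, recognizes the nf_tables "rule set generation id" error quoted in the log, falls back to iptables-legacy as suggested above, and confirms from `iptables -S` output that a ban really landed instead of trusting the "banned" line in fail2ban.log. The binary names, the chain name f2b-bitwarden (taken from the log) and the 203.0.113.5 address are assumptions or constructed values.

```shell
# Added example, not SWAG's or the reporter's code. Assumes `iptables`
# (nf_tables) and possibly `iptables-legacy` exist in the container; the chain
# name f2b-bitwarden is the one from the fail2ban log above.

# "nft-broken" (exit 0) when stderr is the nf_tables generation-id failure
# from the log, "other" (exit 1) for anything else.
classify_iptables_stderr() {
    case "$1" in
        *"Could not fetch rule set generation id"*) echo "nft-broken"; return 0 ;;
        *) echo "other"; return 1 ;;
    esac
}

# Same non-destructive probe fail2ban runs (-C on the jail chain): "missing",
# "broken" (backend cannot talk to the kernel), or "ok" (exit 0/1 only).
probe_iptables() {
    bin="$1"; chain="${2:-f2b-bitwarden}"; rc=0
    command -v "$bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    err=$("$bin" -w -C "$chain" -j RETURN 2>&1 >/dev/null) || rc=$?
    if [ "$rc" -ge 2 ] || classify_iptables_stderr "$err" >/dev/null; then
        echo "broken"; return 1
    fi
    echo "ok"
}

# First backend whose probe passes: default iptables, then the iptables-legacy
# fallback the thread suggests. Prints the binary name, exit 1 if none work.
select_iptables() {
    for bin in iptables iptables-legacy; do
        [ "$(probe_iptables "$bin")" = "ok" ] && { echo "$bin"; return 0; }
    done
    return 1
}

# Given `iptables -S <chain>` text, report whether the IP is really banned:
# a rule for that source with a DROP/REJECT target (not the chain's RETURN).
# Live use: rules_ban_ip "$(iptables -w -S f2b-bitwarden)" 203.0.113.5
rules_ban_ip() {
    ipre=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq -- "-s $ipre/32 .*-j (DROP|REJECT)" \
        && { echo "banned"; return 0; }
    echo "not-banned"; return 1
}

# Constructed sample of `iptables -S f2b-bitwarden` after a successful ban.
SAMPLE_RULES='-N f2b-bitwarden
-A f2b-bitwarden -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-bitwarden -j RETURN'
```

Run it inside the swag container as root; if `select_iptables` prints nothing, fail2ban's "banned" log lines are not backed by any kernel rule, which is exactly the situation the reporter saw.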
