Nixpkgs: fail2ban is not creating the iptables firewall chains

Created on 30 May 2018 · 4Comments · Source: NixOS/nixpkgs

Issue description

When using iptables, fail2ban works by adding chains into which it inserts rules. According to the configuration (ex. /etc/fail2ban/action.d/iptables.conf) fail2ban should be creating chains with the prefix "f2b"

These chains are not being created, so although fail2ban is logging IPs those IPs are not being blocked.

How to reproduce

To reproduce, add services.fail2ban.enable = true; to configuration.nix, do the nixos-rebuild dance, and check your firewall chains with iptables -L.

Technical details

system: "x86_64-linux"
host os: Linux 4.14.43, NixOS, 18.09pre140920.5b468ea6b1d (Jellyfish)
multi-user?: yes
sandbox: no
version: nix-env (Nix) 2.0.2
channels(root): "nixos-18.09pre140920.5b468ea6b1d"
nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Source

emmanuelrosa

👍2

Most helpful comment

Here's what I've learned. Unlike older versions of fail2ban which created the chains on startup, modern fail2ban it creates the chains on-demand. Right now I have the full path to iptables in the config, but once the SSH ban lifts and I can get back into my VM I'll try locking myself out again without the full path.

While the ssh filter is working quite well the nginx rate-limiting filter is not.

emmanuelrosa on 31 May 2018

👍3

All 4 comments

I am observing the same problem. Could it be that the iptables command in /etc/fail2ban/action.d/iptables.conf need to be replaced by absolute paths?