1

Say I have a public-facing Nginx reverse proxy container (A) that sends traffic to a downstream web service (B). This A container is where TLS connections terminate. The Docker server is also behind an external reverse proxy service. I am successfully able to extract and log the real IPs from forward headers. No problem.

How to configure the fail2ban action to jail (e.g. DROP) traffic from the real IP exiting container A? The downstream web service B will see an XFF header with the real IP.

Here is what my iptables are doing now (iptables -nL):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-auth-fail  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.20.128.1         tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.20.128.1         tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-auth-fail (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match  "X-Forwarded-For: 184.75.215.178" ALGO name bm TO 65535
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

As you can see I'm already trying to match on packets with the XFF string, and that IP address is the real IP, not the proxy server.

Perhaps the INPUT chain is the culprit?

Here are my main actions:

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

actionban = iptables -I fail2ban-<name> 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
Improve this question

2 Answers 2

Reset to default
0

See here https://github.com/fail2ban/fail2ban/issues/2292

You need to configure fail2ban to put the iptables rule to the chain DOCKER-USER - or you duplicate the rules (like me) - one uses the default chain to protect the host - the other protects exposed docker containers.

Improve this answer
1
  • How do you duplicate the rules? Commented Mar 16, 2020 at 19:57
0

This is what helped me with the similar issue. If you set Crowdsec or fail2ban:

Crowdsec:

sudo iptables -I FORWARD -m set --match-set crowdsec-blacklists src -j DROP

For fail2ban something similar to this:

sudo iptables -I FORWARD 1 -p tcp -j f2b-HTTPS

In fact, fail2ban has its own "targets" in iptables, you can find them all with

sudo iptables -L | grep f2b

It will place an entry in iptables before Docker rule that will reject requests before they reach Docker rule (that allows them all)

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.