[arch-general] Fail2Ban is not adding iptables rules

arch at trash.kofi.cc arch at trash.kofi.cc
Tue Nov 3 09:38:55 UTC 2020

On 03.11.20 09:54, Maykel Franco via arch-general wrote:
> El mar., 3 nov. 2020 a las 9:48, <u34 at net9.ga> escribió:
>> Maykel Franco via arch-general <arch-general at archlinux.org> wrote:
>>> Hi, I have this script for iptables for my archlinux desktop:
>>> https://pastebin.com/SafhsKFt
>>> And when received external request access SSH error, fail2ban add rule
>>> but the rule not working.
>>> I think it has to do with the iptables script, but the fail2ban
>>> blocking rules add fine but don't ban. That could be happening?
>> It could be that the banning fail2ban rule doesn't ban.
>> 1. Can you show the iptables state before, and after, fail2ban added
>>     its rule? That is, issue an iptables -s command? I do hope I got
>>     the iptables command right.
>> 2. Can you show fail2ban configuration?
>> --
>> u34
> The problem is not fail2ban. The problem is the script iptables rules
> because after exec script iptables:
> https://pastebin.com/SafhsKFt
> I try drop ip:
> iptables -A INPUT -p tcp -s --dport 22 -j DROP
> Not block ip on port 22.

Thats the expected behavior. With -A you append a rule to the already 
existing rules. The problem is that you have already allowed port 22 in 
your script and this rule match for all incoming packets on port 22. 
Other rules will not be executed.

I'm not an expert in fail2ban but when you use the following rule after 
the script is executed port 22 will be blocked

iptables -I INPUT -p tcp -s --dport 22 -j DROP

-I means that the rule is insert on the first place in the chain.

With "iptables -vL INPUT" you can see the order of the rule. First 
matching rule will be used and no other rules in the INPUT chain will be 

More information about the arch-general mailing list