ksylvan / docker-mail-server

Ansible playbooks to deploy a full featured mail server stack using Docker.

Fail2ban iptables based firewalling does not work #1

Closed ksylvan closed 6 years ago

ksylvan commented 7 years ago

I use ufw but this same problem happens with firewalld.

Based on looking at the nginx access log, I automatically identified and banned IP addresses from accessing my server. However, because the Docker NAT rules giving access to containers and ports precede the other iptables deny rules, the attempt to bar those IP addresses is ineffective.

Details here: moby/moby#4737

ksylvan commented 7 years ago

@hardware commented in https://github.com/hardware/mailserver/issues/168

With ossec and iptables + docker NAT, I use the following rules to limit traffic on ports 80 and 443:

/sbin/iptables -N http-flood
/sbin/iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j http-flood
/sbin/iptables -I FORWARD -p tcp --syn --dport 443 -m connlimit --connlimit-above 1 -j http-flood
/sbin/iptables -A http-flood -m limit --limit 10/s --limit-burst 10 -j RETURN
/sbin/iptables -A http-flood -m limit --limit 1/s --limit-burst 10 -j LOG --log-prefix "HTTP-FLOOD "
/sbin/iptables -A http-flood -j DROP

And this works well. It is necessary to add your rules before (iptables -I) docker rules and all in FORWARD chain (iptables -I FORWARD).

But your issue isn't related to hardware/mailserver, maybe you'll find help on Docker Community Forums.

ksylvan commented 6 years ago

The fail2ban jails that monitor docker services now use the /usr/local/bin/ufw-docker-hack shell script which inserts/deletes banned IP addresses into the DOCKER-USER table in addition to the ufw rules.

This is a hack, but works well in keeping the ability to see what is happening with banned IPs by running ufw status.
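As an added example, not the ufw-docker-hack script from this issue and not code from ksylvan/docker-mail-server or hardware/mailserver: a POSIX sh helper in the spirit of the two comments above. It bans or unbans an address both through ufw (so `ufw status` keeps showing it) and in the DOCKER-USER chain, which Docker evaluates at the top of FORWARD ahead of its own NAT and accept rules, so the drop actually takes effect for published container ports. The function names, the DRY_RUN switch and the sample address 203.0.113.7 are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical fail2ban actionban/actionunban helper (example code, not the
# ufw-docker-hack script mentioned in the issue).
# Usage: ban-docker-ip.sh ban <ipv4>   |   ban-docker-ip.sh unban <ipv4>
# With DRY_RUN=1 the commands are printed instead of executed, which lets
# you review exactly what would be applied on a host without iptables.

IPTABLES="${IPTABLES:-/sbin/iptables}"
UFW="${UFW:-/usr/sbin/ufw}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address; fail2ban passes the address as a
# single argument, and validating it here keeps anything else out of the
# iptables/ufw command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Ban: deny in ufw (visible in `ufw status`) and drop in DOCKER-USER.
# -I puts the rule at position 1 of DOCKER-USER, ahead of Docker's default
# RETURN, so traffic to published container ports is dropped too.
ban_ip() {
    ip="$1"
    is_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
    run "$UFW" insert 1 deny from "$ip" to any
    run "$IPTABLES" -I DOCKER-USER -s "$ip" -j DROP
}

# Unban: remove exactly the rules that ban_ip added.
unban_ip() {
    ip="$1"
    is_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
    run "$UFW" delete deny from "$ip" to any
    run "$IPTABLES" -D DOCKER-USER -s "$ip" -j DROP
}

case "${1:-}" in
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
esac
```

The DOCKER-USER chain exists on Docker 17.06 and later; on older daemons the same `-I FORWARD` placement hardware uses above is the alternative. Wire the script into a fail2ban action as `actionban = /path/to/ban-docker-ip.sh ban <ip>` and `actionunban = /path/to/ban-docker-ip.sh unban <ip>`, so the rule is removed again when the ban expires.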