Closed ksylvan closed 6 years ago
@hardware commented in https://github.com/hardware/mailserver/issues/168
With ossec and iptables + docker NAT, I use the following rules to limit traffic on ports 80 and 443:

```shell
/sbin/iptables -N http-flood
/sbin/iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j http-flood
/sbin/iptables -I FORWARD -p tcp --syn --dport 443 -m connlimit --connlimit-above 1 -j http-flood
/sbin/iptables -A http-flood -m limit --limit 10/s --limit-burst 10 -j RETURN
/sbin/iptables -A http-flood -m limit --limit 1/s --limit-burst 10 -j LOG --log-prefix "HTTP-FLOOD "
/sbin/iptables -A http-flood -j DROP
```

And this works well. It is necessary to add your rules before (iptables -I) the docker rules, and all in the FORWARD chain (iptables -I FORWARD).
But your issue isn't related to hardware/mailserver, maybe you'll find help on Docker Community Forums.
The fail2ban jails that monitor docker services now use the `/usr/local/bin/ufw-docker-hack` shell script which inserts/deletes banned IP addresses into the DOCKER-USER table in addition to the ufw rules.
This is a hack, but works well in keeping the ability to see what is happening with banned IPs by running `ufw status`.
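The two approaches above (the FORWARD-chain rate limit in the first comment and the DOCKER-USER ban/unban script in the second) can be shown together in one small script. This is an added example, not the ufw-docker-hack script from the issue nor anything shipped by hardware/mailserver. It assumes iptables at `/sbin/iptables` and that Docker has created the `DOCKER-USER` chain, which the FORWARD chain jumps to before Docker's own rules, so rules placed there win regardless of ufw or firewalld ordering. The function names `ban_ip`, `unban_ip`, `valid_ipv4` and `rate_limit_http` are mine; `DRY_RUN=1` prints the iptables commands instead of executing them, which is also how the logic can be checked without root.

```shell
#!/bin/sh
# Added example: manage bans and an HTTP rate limit in the DOCKER-USER chain.
# Not part of the issue or the mailserver project. Assumes Docker >= 17.06
# (which creates DOCKER-USER) and iptables at /sbin/iptables.

IPT="${IPT:-/sbin/iptables}"
CHAIN="${CHAIN:-DOCKER-USER}"

# Run a command, or just print it when DRY_RUN=1 (useful for fail2ban action
# debugging: the printed line is exactly what would be executed).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only a dotted-quad IPv4 address (each octet 0-255). A fail2ban
# action passes the matched string through; refusing anything else keeps a
# garbage or hostile match from turning into an unintended iptables rule.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Insert at position 1 so the DROP precedes any ACCEPT already in the chain.
ban_ip() {
  valid_ipv4 "$1" || { echo "ban_ip: invalid address: $1" >&2; return 1; }
  run "$IPT" -I "$CHAIN" 1 -s "$1" -j DROP
}

# Delete the same rule spec; -D matches on the spec, not on position.
unban_ip() {
  valid_ipv4 "$1" || { echo "unban_ip: invalid address: $1" >&2; return 1; }
  run "$IPT" -D "$CHAIN" -s "$1" -j DROP
}

# The first comment's http-flood rules, anchored in DOCKER-USER instead of
# FORWARD so they are evaluated before Docker's NAT/forwarding rules.
# New connections (--syn) to 80/443 above the connlimit are diverted to
# http-flood, which lets 10/s through, logs the rest at 1/s, and drops.
rate_limit_http() {
  run "$IPT" -N http-flood
  run "$IPT" -I "$CHAIN" 1 -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j http-flood
  run "$IPT" -I "$CHAIN" 1 -p tcp --syn --dport 443 -m connlimit --connlimit-above 1 -j http-flood
  run "$IPT" -A http-flood -m limit --limit 10/s --limit-burst 10 -j RETURN
  run "$IPT" -A http-flood -m limit --limit 1/s --limit-burst 10 -j LOG --log-prefix "HTTP-FLOOD "
  run "$IPT" -A http-flood -j DROP
}

# Usage: ./docker-user-ban.sh ban|unban <ipv4>  |  ./docker-user-ban.sh ratelimit
case "${1:-}" in
  ban)       ban_ip "$2" ;;
  unban)     unban_ip "$2" ;;
  ratelimit) rate_limit_http ;;
esac
```

For a fail2ban action, `actionban` and `actionunban` would call `ban_ip <ip>` and `unban_ip <ip>`; because the rules live in DOCKER-USER, `ufw status` will not list them, so check them with `iptables -L DOCKER-USER -n --line-numbers` instead.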
I use ufw but this same problem happens with firewalld.
Based on looking at the nginx access log, I automatically identified and banned IP addresses from accessing my server. However, because the Docker NAT rules giving access to containers and ports precede the other iptables deny rules, the attempt to bar those IP addresses is ineffective.
Details here: moby/moby#4737