Hi Guys, I get a lot of SASL ban actions for a specific subnet: 46.148.40.0/24 (Subnet belongs to Iran) Even fail2ban catchs them, I'd like to lock them out permanently. I was using the iptables command below, but nothing happens. fail2ban still has to do the job. Code: iptables -A INPUT -s 46.148.40.0/24 -j DROP Anything wrong with my syntax? I am puzzeled. Here the output from iptables Code: root@vls001:~# iptables -S ... ... -A INPUT -s 46.148.40.0/24 -j DROP ... ... -A f2b-postfix-sasl -s 46.148.40.120/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.147/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.190/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.114/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.197/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.148/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.112/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.153/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.199/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.151/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.146/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.145/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.143/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.115/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.149/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.193/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.183/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.135/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.113/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.154/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.198/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 80.94.95.242/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.196/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.156/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.155/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 80.94.95.203/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.142/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.118/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.191/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.107/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.58/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.130/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.49/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.195/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.152/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.13/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.136/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.94/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.77/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 46.148.40.189/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -s 141.98.10.151/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-postfix-sasl -j RETURN
Are these rules new rules? Do you see new bans in the fail2ban log? I can only imagine that this is still happening because we are talking different chains here "f2b-postfix-sasl" and "INPUT" or/and different parameters to the blocking REJECT vs DROP
Hi pyte, the rule above was new, but fail2ban still had to ban ips from that range after the rule was applied for few hours. Anyway, I believe (not really know) that I found the issue. Therefore, it would be great if a firewall expert could verify, and comment on this, before I point others in the wrong direction. This is a Debian 11 box with ISPCONFIG 3.2 - and as I learned in an other thread ISPCONFIG makes use of ufw to manage iptables. I believe (not know) that rules from ufw had higher priorities, than the manually added rule. In order to resolve this I removed the manual iptables rule with: Code: iptables -D INPUT -s 46.148.40.0/24 -j DROP ...and than added this ip by using insert x as as part of the ufw command (with x=1 making the rule priority 1). Code: ufw insert 1 deny from 46.148.40.0/24 to any comment '{Block Iranian hacker IP address.}' New rules and priorities are verified with: Code: ufw status numbered That solved it for me, that Iranian IP range does not appear in my fail2ban logs anymore.