Configure iptables to pass all except fail2ban blocked IPs

Discussion in 'Server Operation' started by hereinoz, Mar 1, 2015.

  1. hereinoz

    hereinoz Member

    Hi All,

    I am running Ubuntu Server 14.04 in the "Perfect Server" configuration, and I noticed that fail2ban is not actually working. Did some research and found that I had to turn on the firewall (ufw enable). Great - except that it blocks everything now.
    I confess that iptables is one of those things which I don't understand :-(
    At the moment, I would be happy to have everything pass the firewall (it has been since the server was built) except for the IP addresses banned by fail2ban.
    I have tried to find a how-to related to this, but with no success. I am guessing that I have to put something somewhere in the INPUT chain, but I am not sure.
    Can anyone assist in a configuration for this?
     
  2. hereinoz

    hereinoz Member

    Well, I finally found out how to create an "Accept all" rule in iptables (not hard when you know how - just didn't know how), and then had to work out how to put it at the end of the INPUT chain rather than the beginning (again, easy when you know how). Did that, and things still weren't right.

    It seems that the firewall looks at the INPUT area of iptables, but will not move down into the sub-chains, where the fail2ban rules are. If I write a rule in INPUT to block an IP address, it does block it, but when that IP address is only in the fail2ban sub-chains, and not in INPUT, it has no effect and is still not blocked.

    It appears as though the firewall is looking at the INPUT section for ACCEPT, DROP, or REJECT rules, and ignoring the directives to look in the sub-chains.

    Any assistance would be appreciated.
     
    Last edited: Mar 1, 2015
  3. hereinoz

    hereinoz Member

    Well, just in case anyone reads this, I finally got things working. Fail2ban writes 4 rules in the INPUT table, to jump to the sub chains, but, the problem is, on Ubuntu Server 14.04, with ufw enabled, the jump doesn't happen, and all traffic is accepted, even with IP addresses listed in the fail2ban sub chains.
    I found that by re-writing the 4 fail2ban rules, the same as what is there, and then deleting the 4 original fail2ban rules, the jump to the sub chains occurs and fail2ban works as expected. Go figure.
     
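The whole thread turns on rule ordering in the INPUT chain: iptables evaluates INPUT top to bottom and stops at the first rule whose target terminates evaluation, so a catch-all ACCEPT (or a jump into a chain that accepts the packet, such as ufw's) placed ahead of fail2ban's jump rules means the fail2ban chains are never consulted, which matches the symptom hereinoz describes. The script below is an added example, not code from the thread, from fail2ban or from ufw. It parses the text of `iptables -S INPUT` and reports the rule number of the first such shadowing rule. The three rule listings are constructed samples; the chain-name patterns `fail2ban-*` / `f2b-*` and the assumption that ufw's "allow" rules are reached through `ufw-before-input` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find the INPUT rule that stops packets
# from ever reaching fail2ban's jump rules. Input is the text of
# `iptables -S INPUT`. Rule numbers match `iptables -L INPUT -n --line-numbers`.

# Targets that can terminate evaluation with ACCEPT before fail2ban is
# consulted. ACCEPT is a plain catch-all; ufw-before-input is assumed to be
# the chain through which ufw's "allow" rules (ufw-user-input) are reached.
ACCEPTING_TARGETS='ACCEPT|ufw-before-input'

# Print the number of the first unconditional INPUT rule (no match criteria)
# whose target is in ACCEPTING_TARGETS and that precedes a jump to a
# fail2ban-* or f2b-* chain. Prints nothing when the jumps come first.
first_shadowing_rule() {
    printf '%s\n' "$1" | awk -v re="$ACCEPTING_TARGETS" '
        /^-A INPUT / { n++ }
        !acc && $0 ~ ("^-A INPUT -j (" re ")$") { acc = n }
        acc && /^-A INPUT / && /-j (fail2ban|f2b)-/ { print acc; exit }
    '
}

# Return 0 when at least one fail2ban jump rule exists in INPUT.
has_f2b_jumps() {
    printf '%s\n' "$1" | grep -Eq '^-A INPUT .*-j (fail2ban|f2b)-'
}

# Return 0 only if fail2ban jumps exist and none of them is shadowed.
check_f2b_order() {
    has_f2b_jumps "$1" && [ -z "$(first_shadowing_rule "$1")" ]
}

report() {  # $1 = label, $2 = text of `iptables -S INPUT`
    if ! has_f2b_jumps "$2"; then
        printf '%s: no fail2ban jump rules in INPUT (is fail2ban running?)\n' "$1"
        return
    fi
    r=$(first_shadowing_rule "$2")
    if [ -n "$r" ]; then
        printf '%s: INPUT rule %s accepts traffic before the fail2ban jumps\n' "$1" "$r"
    else
        printf '%s: fail2ban jumps are evaluated before any catch-all accept\n' "$1"
    fi
}

# Constructed sample: a catch-all ACCEPT was inserted at the top of INPUT.
SHADOWED='-P INPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache'

# Constructed sample: ufw enabled, fail2ban's jumps appended after ufw's.
UFW_FIRST='-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh'

# Constructed sample: the ordering the thread was after - fail2ban jumps
# first, then accept everything else.
FIXED='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -j ACCEPT'

report shadowed "$SHADOWED"
report ufw-first "$UFW_FIRST"
report fixed "$FIXED"
# On a real host, as root:   report live "$(iptables -S INPUT)"
# To move a catch-all ACCEPT behind the jumps:
#   iptables -D INPUT -j ACCEPT && iptables -A INPUT -j ACCEPT
```

The check only looks at INPUT's own rules: an ACCEPT that is scoped with `-s` or `-p` shadows only the traffic it matches and is ignored here, and a jump into some other chain that accepts inside it has the same effect as a catch-all, which is why `ufw-before-input` is listed among the accepting targets. Because ufw re-applies its own rules to INPUT whenever it is enabled or reloaded, re-run the check after any ufw change, not just after editing fail2ban.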