---
author:
email: mail@petermolnar.net
image: https://petermolnar.net/favicon.jpg
name: Peter Molnar
url: https://petermolnar.net
copies:
- http://web.archive.org/web/20131128111646/http://petermolnar.eu:80/linux-tech-coding/fail2ban-nat-hosts
lang: en
published: '2013-10-04T12:50:28+00:00'
summary: Centralised fail2ban for NAT firewall
tags:
- server
title: fail2ban for NAT hosts
---
I have a fairly simple setup: a virtual NAT with lxc containers on my
host. There's a central rsyslog server running on the host system, and
all the logs from the containers arrive there. Setting up iptables per
container would therefore not be the best approach; a single setup on
the host itself is better.
The only issue is that fail2ban usually uses the INPUT chain, which
forwarded NAT (PREROUTING) traffic never reaches; for that we need
FORWARD. While there is an option named `chain` in the action.d files
to change it, it did not work for me at all, so I ended up with the
multiport-nat action file shown below:
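Before the file itself, an added example that is not from the post: a small POSIX shell script that expands the action's `<name>`, `<protocol>` and `<port>` tags the way fail2ban does and repeats the test `actioncheck` performs, run against a saved `iptables -n -L FORWARD` listing instead of a live firewall. The jail name `ssh-nat`, the port and both listings are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the post: expand the <name>, <protocol> and
# <port> tags of the FORWARD-chain action the way fail2ban does, and repeat
# the actioncheck test against a saved "iptables -n -L FORWARD" listing.
# Jail name, port and listings are constructed sample data (no root needed).

# actionstart of the multiport-nat action: one iptables command per line.
ACTIONSTART='iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I FORWARD -p <protocol> -m multiport --dports <port> -j fail2ban-<name>'

# render_action TEMPLATE NAME PROTOCOL PORTS: substitute the action tags.
# (Commas in PORTS are fine; a "/" would clash with the sed delimiter.)
render_action() {
    printf '%s\n' "$1" | sed -e "s/<name>/$2/g" -e "s/<protocol>/$3/g" -e "s/<port>/$4/g"
}

# forward_hooked NAME LISTING: succeed only if LISTING (output of
# "iptables -n -L FORWARD") has a rule whose target is fail2ban-NAME.
# This is the check actioncheck performs before every ban.
forward_hooked() {
    printf '%s\n' "$2" | grep -q "^fail2ban-$1 "
}

# Constructed listing of a host where the chain was inserted into INPUT
# only (what the stock action does): FORWARD carries no jump, so bans
# would never apply to forwarded container traffic.
FORWARD_UNHOOKED='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Constructed listing after the NAT action above ran for jail "ssh-nat".
FORWARD_HOOKED='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh-nat  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

main() {
    echo "actionstart for jail ssh-nat, tcp port 22:"
    render_action "$ACTIONSTART" ssh-nat tcp 22
    for listing in "$FORWARD_UNHOOKED" "$FORWARD_HOOKED"; do
        if forward_hooked ssh-nat "$listing"; then
            echo "check: fail2ban-ssh-nat is hooked into FORWARD"
        else
            echo "check: fail2ban-ssh-nat is NOT in FORWARD (bans ineffective)"
        fi
    done
}
main
```

The `<ip>` tag is deliberately left alone by `render_action`, since fail2ban fills it only at ban time.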
``` {.apache}
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by: Peter Molnar for NAT
#              Yaroslav Halchenko for multiport banning
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I FORWARD -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D FORWARD -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L FORWARD | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#