
Client IP banned but docker still accessible #11

Open
Techal62 opened this issue Sep 17, 2024 · 1 comment

Comments

@Techal62

I installed fail2ban on my Synology in a Docker container. The IP detection works correctly; however, despite the banning rules being created on my Synology, I still have access to my Docker container, which should be blocked.

[jellyfin]

enabled = true
port = 80,443
protocol = tcp
filter = jellyfin
maxretry = 3
bantime = 180
findtime = 43200
logpath = /config/log/jellyfin/*.log

#action = iptables-allports[name=jellyfin, chain=INPUT] => blocks access to NAS but not to docker
action = iptables-allports[name=jellyfin, chain=DOCKER-USER]


Moreless91 commented Nov 15, 2024

I had the same issue. The IP is added to iptables but it's not respected and 192.168.1.25 can still access jellyfin.

I fixed it by:

1. Changing the jellyfin container's network to: network_mode: host

  • Before I was using a macvlan and I couldn't get DOCKER-USER to work with chain FORWARD in iptables.

2. This meant updating 'action' in /data/jail.d/jellyfin.local to:

action = iptables-allports[name=jellyfin, chain=INPUT]

  • Synology uses chain INPUT when a container is using the host network, which meant banning the IP address for a LAN IP actually did block (DROP) the packets.

My configs for anyone interested:

/data/jail.d/jellyfin.local

[jellyfin]

bantime = 2592000
findtime = 86400
maxretry = 3
backend = auto
enabled = true
filter = jellyfin
logpath = /jellyfin_logs/log_*.log
action = iptables-allports[name=jellyfin, chain=INPUT]

jellyfin docker compose:

version: '3.5'
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:
      - PUID=yourPUIDHere
      - PGID=yourGUIDHere
      - TZ=America/Chicago
    volumes:
      - '/volume1/docker/jellyfin/library:/config'
      - '/volume1/data/media:/media:ro'
    network_mode: host
    restart: unless-stopped

fail2ban docker compose:

version: '3'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    environment:
      F2B_DB_PURGE_AGE: '30d' # optional
      F2B_LOG_TARGET: '/data/fail2ban.log' # optional
      TZ: 'America/Chicago'
    volumes:
    - '/volume1/docker/fail2ban/data:/data'
    - '/volume1/docker/jellyfin/library/log:/jellyfin_logs:ro'
    privileged: true
    cap_add:
        - NET_ADMIN
        - NET_RAW
    network_mode: 'host'
    restart: unless-stopped

iptables with a successful ban:

$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-jellyfin  tcp  --  0.0.0.0/0            0.0.0.0/0
...
Chain f2b-jellyfin (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.25          0.0.0.0/0 <--- 3 failed login attempts
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
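The two posts above come down to one question: is the f2b-jellyfin chain hooked into the chain that the container's traffic actually traverses? The script below is an added example written for this thread; it is not code from the thread's participants or from the fail2ban or crazymax/fail2ban projects. It parses `iptables -L -n` output in the format shown above (the SAMPLE_RULES text is constructed for the example, modelled on the ban posted above) and reports whether a given IP is DROPped in an f2b- chain that the expected parent chain jumps to. The parent-chain mapping in ban_chain_for_mode is an assumption that encodes general Docker behaviour: host-network containers receive traffic through INPUT, bridge-published ports are forwarded and pass DOCKER-USER first, and macvlan frames are delivered straight into the container's network namespace, so the host's iptables chains never see them (which is consistent with the DOCKER-USER attempt above not working under macvlan).

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n` output, modelled on the successful ban above.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-jellyfin  tcp  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-jellyfin (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.25         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
'

# ban_chain_for_mode MODE -> prints the parent chain a fail2ban jail must hook into.
# Assumed mapping of Docker network modes to the host chain their inbound traffic crosses.
ban_chain_for_mode() {
  case "$1" in
    host)    echo INPUT ;;       # container shares the host stack: inbound traffic hits INPUT
    bridge)  echo DOCKER-USER ;; # published ports are forwarded: FORWARD jumps to DOCKER-USER first
    macvlan) return 1 ;;         # frames go directly to the container netns; host iptables never see them
    *)       return 2 ;;         # unknown mode
  esac
}

# ban_effective RULES PARENT IP -> exit 0 if IP is DROPped in an f2b- chain that PARENT jumps to.
ban_effective() {
  printf '%s\n' "$1" | awk -v parent="$2" -v ip="$3" '
    /^Chain /            { chain = $2; next }     # start of a new chain listing
    /^target/ || NF == 0 { next }                 # column header or blank separator
    chain == parent && $1 ~ /^f2b-/ { hooked[$1] = 1 }   # PARENT jumps into a fail2ban chain
    $1 == "DROP" && $4 == ip        { dropping[chain] = 1 } # this chain drops the banned IP
    END {
      for (c in dropping) if (hooked[c]) exit 0
      exit 1
    }'
}

# check_jail MODE RULES IP -> exit 0 only if the ban is reachable for a container in MODE.
check_jail() {
  parent=$(ban_chain_for_mode "$1") || return 2
  ban_effective "$2" "$parent" "$3"
}

# Stand-alone demonstration on the constructed sample; in practice pass "$(sudo iptables -L -n)".
if check_jail host "$SAMPLE_RULES" 192.168.1.25; then
  echo "ban is reachable from INPUT: effective for a host-network jellyfin"
fi
if ! check_jail bridge "$SAMPLE_RULES" 192.168.1.25; then
  echo "ban is NOT reachable from DOCKER-USER: a bridge-network jellyfin would still be accessible"
fi
```

The usage pattern for a live box is `check_jail host "$(sudo iptables -L -n)" <ip>` after provoking a test ban from a throwaway address; a non-zero exit means the jail's action points at a chain the container's traffic does not cross, which is exactly the symptom in the original report.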
