iptables inside container doesn't work - NET_ADMIN also didn't help

Hi Folks,
I have a container with fail2ban on it. On my development computer when I add this to docker-compose:
Code:

cap_add:
 - NET_ADMIN
 - NET_RAW

I can see rules are added to iptables both inside the container and outside it and it works properly. When I try the same configuration on an EC2 instance, I can see those rules inside the container, but not on the host system. What’s wrong?
Thanks in advance.

You should tell us more about how you run Docker in EC2. EC2 is a VM that has many differences to a local installation. Access control is done in security groups; you can’t expect iptables to work out of the box.

Hi tekki,
Thanks for the reply.
The OS on EC2 is:

$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

On this instance, I’m using docker compose version:

docker-compose version 1.23.1, build b02f1306

And the Linux kernel version is:

4.14.88-88.73.amzn2.x86_64

And it has been reported that iptables works on EC2 instances:
https://wincent.com/wiki/Using_iptables_on_EC2_instances

I’ve seen this post too.
There is still the first part of my answer. I suspect, but don’t find information about it, that they don’t give us access to NET_ADMIN in a standard VM.

So you mean generally iptables might not work on an EC2? Because I was thinking maybe pull fail2ban out of the container and run it on the host instead, so it can read log files of various containers and block IPs on the host based on that.

No, I just mean that probably you don’t have access to Linux capabilities in EC2.
I don’t know how you build your system, but I could imagine that you build one container in the front that acts as a proxy and packet filter.

OK. It seems like iptables doesn’t work on the EC2 instance for some reason. As I described in this issue:


I tried fail2ban as well as manually adding reject rules for the IP address on the host directly, without the container, and it just doesn’t work.

Do you mention anywhere in this GitHub issue that you are on EC2?
In your first question you said that fail2ban works inside the container. So there is still the possibility to use this container for the filtering.

So, some new clue. If we add the reject rule to the INPUT chain it works and it blocks. If we add it to the fail2ban chain:
sudo iptables -I f2b-nginx-http-auth 1 -s 99.99.99.99 -j DROP
It doesn’t.

So, this command fixed the problem:

sudo iptables -I FORWARD -j f2b-nginx-http-auth

How?
I also had a chain created by DOCKER which contained rules inside the FORWARD chain, contradicting those imposed by fail2ban. And iptables was prioritizing the FORWARD chain over the INPUT chain, where fail2ban puts its own chain. So inserting the fail2ban chain into the FORWARD chain prioritized fail2ban above Docker, and now the whole thing works.
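The two posts above (the DROP rule that only took effect from INPUT, and the `iptables -I FORWARD -j f2b-nginx-http-auth` fix) come down to which chain a packet for a Docker-published port actually traverses. Docker publishes a port by DNATing it to the container, so the packet is forwarded rather than delivered locally: it passes through FORWARD, not INPUT, and Docker's own jump to its DOCKER chain accepts it there before a chain hooked only from INPUT is ever consulted. The script below is an added example, not code from the thread, from fail2ban or from Docker. It checks `iptables-save` output for whether the fail2ban chain is reached on the forwarded path, and hooks it either into DOCKER-USER (the chain Docker reserves for user rules and evaluates first in FORWARD) or, on a Docker without that chain, at the top of FORWARD as the poster did. The chain name f2b-nginx-http-auth and the address 99.99.99.99 are taken from the posts; the rule listings and the 172.17.0.2 container address are constructed samples, not captured from any host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the fail2ban chain name used in
# the posts; rule listings below are constructed iptables-save samples.

F2B_CHAIN="${F2B_CHAIN:-f2b-nginx-http-auth}"

# Constructed: fail2ban hooked only from INPUT, the state the poster started in.
# A packet for the published port 80 is DNATed to 172.17.0.2 (constructed
# address) and walks FORWARD -> DOCKER -> ACCEPT without touching the f2b chain.
SAMPLE_BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:f2b-nginx-http-auth - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
-A f2b-nginx-http-auth -s 99.99.99.99/32 -j DROP
-A f2b-nginx-http-auth -j RETURN
COMMIT'

# Constructed: after the fix posted in the thread (iptables -I FORWARD -j f2b-...).
SAMPLE_FIXED_FORWARD='*filter
-A FORWARD -j f2b-nginx-http-auth
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
-A f2b-nginx-http-auth -s 99.99.99.99/32 -j DROP
COMMIT'

# Constructed: the jump placed in DOCKER-USER, which Docker evaluates first in FORWARD.
SAMPLE_FIXED_DOCKER_USER='*filter
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j f2b-nginx-http-auth
-A DOCKER-USER -j RETURN
-A f2b-nginx-http-auth -s 99.99.99.99/32 -j DROP
COMMIT'

# ban_chain_reachable_before_docker SAVE_TEXT CHAIN
# Returns 0 when forwarded packets reach CHAIN before Docker's own rules: either
# a jump from DOCKER-USER, or a jump in FORWARD that precedes the jump to DOCKER.
# Pure text processing over `iptables-save -t filter` output, so it needs no root.
ban_chain_reachable_before_docker() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $(NF-1) == "-j" {
            if ($2 == "DOCKER-USER" && $NF == chain) found = 1
            if ($2 == "FORWARD") {
                if ($NF == chain && !seen_docker) found = 1
                if ($NF == "DOCKER") seen_docker = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# hook_ban_chain CHAIN  (needs root; not exercised by the offline checks)
# Idempotently adds the jump where forwarded traffic sees it before Docker's
# ACCEPT rules: DOCKER-USER when Docker created it, else the top of FORWARD.
hook_ban_chain() {
    chain=$1
    if iptables -n -L DOCKER-USER >/dev/null 2>&1; then
        iptables -C DOCKER-USER -j "$chain" 2>/dev/null || iptables -I DOCKER-USER 1 -j "$chain"
    else
        iptables -C FORWARD -j "$chain" 2>/dev/null || iptables -I FORWARD 1 -j "$chain"
    fi
}

# Usage: sh f2b-docker-hook.sh check|apply   (both read or modify live rules, so run as root)
case "${1:-}" in
    check) ban_chain_reachable_before_docker "$(iptables-save -t filter)" "$F2B_CHAIN" \
               && echo "$F2B_CHAIN is consulted before Docker's FORWARD rules" \
               || { echo "$F2B_CHAIN is NOT reached on the forwarded path"; exit 1; } ;;
    apply) hook_ban_chain "$F2B_CHAIN" ;;
esac
```

Two caveats worth knowing before leaving a hand-inserted jump in place. fail2ban's iptables actions delete their chain when a jail stops, and `iptables -X` refuses to remove a chain that another chain still jumps to, so a manual `-I FORWARD -j f2b-...` can make that cleanup fail; the durable form is to set the jail's `chain` option to DOCKER-USER so fail2ban installs and removes the jump itself. And the check above only covers the filter table as seen by iptables: traffic to a published port that arrives via 127.0.0.1 is relayed by docker-proxy in userspace and does reach INPUT, so a test from the host itself can behave differently from a test from outside.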
