Hi Folks,
I have a container with fail2ban on it. On my development computer when I add this to docker-compose:
Code:
cap_add:
  - NET_ADMIN
  - NET_RAW
I can see rules are added to iptables both inside the container and outside it, and it works properly. When I try the same configuration on an EC2 instance, I can see those rules inside the container, but not on the host system. What’s wrong?
Thanks in advance.
You should tell us more about how you run Docker in EC2. EC2 is a VM that has many differences from a local installation. The access control is done in security groups; you can’t expect iptables to work out of the box.
I’ve seen this post too.
There is still the first part of my answer. I suspect, but can’t find information about it, that they don’t give us access to NET_ADMIN in a standard VM.
So you mean iptables might generally not work on an EC2 instance? Because I was thinking maybe I should pull fail2ban out of the container and run it on the host instead, so it can read the log files of various containers and block IPs on the host based on that.
No, I just mean that probably you don’t have access to Linux capabilities in EC2.
I don’t know how you build your system, but I could imagine that you build one container in the front that acts as a proxy and packet filter.
Do you mention anywhere in this GitHub issue that you are on EC2?
In your first question you said that fail2ban works inside the container. So there is still the possibility of using this container for the filtering.
So, a new clue. If we add the reject rule to the INPUT chain, it works and blocks. If we add it to the fail2ban chain:
Code:
sudo iptables -I f2b-nginx-http-auth 1 -s 99.99.99.99 -j DROP
It doesn’t.
How?
I also had a chain created by DOCKER which contained rules inside the FORWARD chain, contradicting those imposed by fail2ban. And iptables was prioritizing the FORWARD chain over the INPUT chain, where fail2ban puts its own chain. So inserting the fail2ban chain into the FORWARD chain prioritized fail2ban above Docker, and now the whole thing works.
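The ordering problem described in the last post is easy to check before and after the fix. Packets addressed to a published container port are routed to the container, so they traverse the FORWARD chain and never reach INPUT (INPUT only sees traffic for the host itself); within FORWARD, the jumps Docker installs (DOCKER-USER, DOCKER-ISOLATION-STAGE-1, DOCKER) ACCEPT container traffic before any later rule sees it, so a fail2ban jump only works if it sits above them. The script below is an added example, not code from the thread, from fail2ban or from Docker: it parses `iptables -S FORWARD` output (the three listings are constructed samples in the shape that command prints) and reports whether the jump to an `f2b-*` chain precedes Docker's jumps, then prints the insert command the post arrived at. Chain names and the `f2b-` prefix are what fail2ban's `iptables-multiport` action uses; the `-m multiport --dports http,https` match is what that action adds for an nginx jail, assumed here.

```python
"""
Check whether a fail2ban chain is reachable before Docker's FORWARD rules.

Added example (not from the forum thread, fail2ban or Docker). Parses the
output of `iptables -S FORWARD` and tells whether the jump to the fail2ban
chain comes before the first jump Docker installs. The kernel walks a chain
top to bottom; once a Docker rule ACCEPTs a packet, later rules never see it.
"""
import re
import subprocess

# Chains Docker jumps to from FORWARD; a fail2ban jump placed after any of
# these never sees container-bound traffic.
DOCKER_TARGETS = {"DOCKER-USER", "DOCKER-ISOLATION-STAGE-1", "DOCKER", "DOCKER-ISOLATION"}

# Matches "-A <chain> <match args> -j <target>" lines of `iptables -S`.
JUMP_RE = re.compile(r"^-A (?P<chain>\S+) (?P<match>.*?)-j (?P<target>\S+)\s*$")

# Constructed sample: stock Docker FORWARD chain; fail2ban still jumps from
# INPUT, so nothing of it shows up here (the situation in the thread).
BEFORE = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
"""

# Constructed sample: the fail2ban jump inserted at position 1 (the fix).
AFTER = "-A FORWARD -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth\n" + BEFORE

# Constructed sample: the jump appended (-A) instead of inserted; looks
# present but is ineffective because Docker's rules run first.
APPENDED = BEFORE + "-A FORWARD -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth\n"


def parse_rules(listing):
    """Return (chain, match_args, target) for each -A line of `iptables -S` output."""
    rules = []
    for line in listing.splitlines():
        m = JUMP_RE.match(line.strip())
        if m:
            rules.append((m["chain"], m["match"].strip(), m["target"]))
    return rules


def f2b_position(rules, chain="FORWARD", f2b_prefix="f2b-"):
    """1-based rule numbers of the first f2b jump and the first Docker jump in
    `chain`; None for whichever is absent."""
    f2b_idx = docker_idx = None
    in_chain = (r for r in rules if r[0] == chain)
    for i, (_c, _match, target) in enumerate(in_chain, start=1):
        if f2b_idx is None and target.startswith(f2b_prefix):
            f2b_idx = i
        if docker_idx is None and target in DOCKER_TARGETS:
            docker_idx = i
    return f2b_idx, docker_idx


def f2b_effective(rules, chain="FORWARD", f2b_prefix="f2b-"):
    """True only if a fail2ban jump exists in `chain` and precedes Docker's jumps."""
    f2b_idx, docker_idx = f2b_position(rules, chain, f2b_prefix)
    if f2b_idx is None:
        return False
    return docker_idx is None or f2b_idx < docker_idx


def fix_command(f2b_chain, ports, chain="FORWARD"):
    """The insert that puts the fail2ban jump at the top of `chain` (position 1),
    i.e. the fix reported in the thread."""
    return f"iptables -I {chain} 1 -p tcp -m multiport --dports {ports} -j {f2b_chain}"


def live_rules(chain="FORWARD"):
    """Read the real chain from the host (needs root); not used by the samples."""
    out = subprocess.run(["iptables", "-S", chain], check=True,
                         capture_output=True, text=True).stdout
    return parse_rules(out)


if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER), ("appended", APPENDED)):
        rules = parse_rules(listing)
        print(f"{name:9s} f2b/docker positions={f2b_position(rules)} "
              f"effective={f2b_effective(rules)}")
    print("fix:", fix_command("f2b-nginx-http-auth", "http,https"))
```

Two practical notes. fail2ban's iptables actions expose a `chain` parameter (default `INPUT`), so setting `chain = FORWARD` in the jail configuration makes fail2ban itself install the jump there on start instead of having to move it by hand. Docker's own documentation reserves the DOCKER-USER chain for user rules and evaluates it before its other FORWARD rules, so `chain = DOCKER-USER` is the placement that survives Docker rewriting its rules on restart; the check above treats a jump ahead of DOCKER-USER as effective too, which is what the position-1 insert achieves.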