
I am using old iptables v1.4.7 in conjunction with fail2ban. I am, however, seeing "already banned" messages in the logs and can't figure out why these hosts still reach my server and are not being blocked by the f2b-ASTERISK chain shown below. Do you see any reason why the following wouldn't work at a first glance? I checked other answers but they didn't shed any light. Here is the output:

[root@server bin]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-ASTERISK  udp  --  anywhere             anywhere            udp dpt:sip
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "friendly-scanner" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "VaxIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "sundayddr" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "sipsak" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "sipvicious" ALGO name bm TO 65535
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "iWar" ALGO name bm TO 65535
...
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2346 flags:0x17/0x02 limit: avg 1/min burst 3
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2346 flags:0x17/0x02
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
DROP       all  -f  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4569
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 flags:0x17/0x02 limit: avg 100/sec burst 100
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5666

...

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-ASTERISK (1 references)
target     prot opt source               destination
DROP       all  --  ip16.ip-54-37-90.eu  anywhere
DROP       all  --  207.231.108.225      anywhere
...

fail2ban.log:

2023-04-23 09:50:30,881 fail2ban.actions        [26615]: NOTICE  [asterisk-iptables] 207.231.108.225 already banned

It's listed in f2b-ASTERISK when I check the IP:

[root@server bin]# iptables -L -n | grep "193.32.162.159"
DROP       all  --  207.231.108.225       0.0.0.0/0
2 Answers

According to your rules, the f2b-ASTERISK chain is only used to filter packets on UDP port 5060:

Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-ASTERISK  udp  --  anywhere             anywhere            udp dpt:sip

However, your fail2ban logs do not actually say that the Asterisk ban was triggered by this kind of traffic; it might have been triggered by something else (e.g. a different port, or SIP over TCP, etc.).

grawity
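As an added check (not part of either answer), the following Python parses an `iptables -L` INPUT listing and reports every ACCEPTed destination port that no earlier jump into the fail2ban chain guards. The listing below is a constructed excerpt modelled on the question's output; the `-L` output in the question prints `sip` for port 5060, so that name is mapped.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the question's `iptables -L` output.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-ASTERISK  udp  --  anywhere             anywhere            udp dpt:sip
DROP       udp  --  anywhere             anywhere            udp dpt:sip STRING match "sipvicious" ALGO name bm TO 65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4569
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5666
"""

SERVICE_PORTS = {"sip": "5060"}  # service names printed when -n is not used
RULE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_input_chain(listing: str) -> List[Tuple[str, str, str]]:
    """Return (target, proto, dport) per INPUT rule; dport is '' when unrestricted."""
    rules, in_input = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT")
            continue
        if not in_input or line.startswith("target") or not line.strip():
            continue
        m = RULE.match(line)
        if not m:
            continue
        target, proto, extra = m.group(1), m.group(2), m.group(6)
        port = re.search(r"dpts?:(\S+)", extra)
        dport = SERVICE_PORTS.get(port.group(1), port.group(1)) if port else ""
        rules.append((target, proto, dport))
    return rules


def unguarded_accepts(listing: str, chain: str) -> List[Tuple[str, str]]:
    """ACCEPT rules whose (proto, dport) is not covered by an earlier jump to `chain`.

    A jump with proto 'all' or without a dport covers every rule after it."""
    guarded, gaps = set(), []
    for target, proto, dport in parse_input_chain(listing):
        if target == chain:
            guarded.add((proto, dport))
        elif target == "ACCEPT" and dport:
            covered = any(p in ("all", proto) and d in ("", dport) for p, d in guarded)
            if not covered:
                gaps.append((proto, dport))
    return gaps
```

Run against the excerpt it reports TCP 5060 (SIP over TCP), UDP 4569 and TCP 5666 as ports the f2b-ASTERISK chain never sees, which is exactly the gap the answer above describes.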

The problem is that nothing references your chain. You need to have something like

iptables -I INPUT 1 -j f2b-ASTERISK

This will cause iptables to read these rules.

I would switch to ipset mode in fail2ban so that your iptables rules are not clogged by thousands of DROP rules.

fail2ban will create sets with the same name, f2b-ASTERISK.

Then you can have something like this:

iptables -I INPUT 1 -m set --match-set f2b-ASTERISK src -j DROP

Now the list of IPs can grow without clogging iptables.

To inspect your list:

ipset save f2b-ASTERISK

This will list all IP addresses in said set.

cybernard