伪斜杠青年

Docker fail2ban: jail `chain` setting not taking effect

When I set up fail2ban at the start of the year I never verified the result; I assumed that as long as an IP got banned everything was fine, and then quietly put up with another year of brute-force attempts. Taking SSH access as the example:

If the log fail2ban analyzes comes from the host itself (nothing to do with Docker, traffic is not forwarded by Docker), use the INPUT chain:

[sshd]
enabled = true
chain = INPUT

If the log fail2ban analyzes comes from a container (the traffic is forwarded by Docker into the container), use the DOCKER-USER chain:

[x-ssh-access]
enabled = true
chain = DOCKER-USER

The reason the ban had no effect is simple: it is the relationship between INPUT and FORWARD. Traffic that Docker forwards to a container never traverses INPUT, it goes through FORWARD (where DOCKER-USER is evaluated first), so a jail whose jump sits in INPUT never sees those packets:

                               XXXXXXXXXXXXXXXXXX
                             XXX     Network    XXX
                               XXXXXXXXXXXXXXXXXX
                                       +
                                       |
                                       v
 +-------------+              +------------------+
 |table: filter| <---+        | table: nat       |
 |chain: INPUT |     |        | chain: PREROUTING|
 +-----+-------+     |        +--------+---------+
       |             |                 |
       v             |                 v
 [local process]     |           ****************          +--------------+
       |             +---------+ Routing decision +------> |table: filter |
       v                         ****************          |chain: FORWARD|
****************                                           +------+-------+
Routing decision                                                  |
****************                                                  |
       |                                                          |
       v                        ****************                  |
+-------------+       +------>  Routing decision  <---------------+
|table: nat   |       |         ****************
|chain: OUTPUT|       |               +
+-----+-------+       |               |
      |               |               v
      v               |      +-------------------+
+--------------+      |      | table: nat        |
|table: filter | +----+      | chain: POSTROUTING|
|chain: OUTPUT |             +--------+----------+
+--------------+                      |
                                      v
                               XXXXXXXXXXXXXXXXXX
                             XXX    Network     XXX
                               XXXXXXXXXXXXXXXXXX

After reconfiguring fail2ban, the structure shown by `iptables -L` should look like this (the sshd jail hooked into INPUT, the container jails hooked into DOCKER-USER):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

// ...

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
f2b-http-error  tcp  --  anywhere             anywhere            
f2b-x-ssh-access  tcp  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
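A small check for the situation described above, added here as an example and not part of the original post: parse `iptables -L` output and confirm that each fail2ban jail chain hangs off the chain you expect (INPUT for host services, DOCKER-USER for containers). The listing embedded below is a constructed excerpt modelled on the one above, and the jail names are assumptions; on a real host pipe in `iptables -L -n` instead.

```shell
#!/bin/sh
# Added example (not from the original post). Given `iptables -L` output, find the
# top-level chain that jumps to each f2b-<jail> chain and flag any jail that is
# hooked into the wrong place (for example a container jail sitting in INPUT).
# SAMPLE_IPTABLES is a constructed excerpt modelled on the post's listing.

SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-http-error  tcp  --  anywhere             anywhere
f2b-x-ssh-access  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
'

# f2b_parent_chain JAIL LISTING -> prints the chain that jumps to f2b-JAIL,
# or nothing if fail2ban has not inserted a jump for that jail anywhere.
f2b_parent_chain() {
    printf '%s\n' "$2" | awk -v target="f2b-$1" '
        /^Chain / { chain = $2; next }     # remember which chain we are in
        $1 == target { print chain; exit } # first jump to the jail chain'
}

# f2b_check JAIL EXPECTED_CHAIN LISTING -> "ok", "missing" or "wrong:<chain>"
f2b_check() {
    parent=$(f2b_parent_chain "$1" "$3")
    if [ -z "$parent" ]; then
        echo "missing"            # jail enabled but no jump rule present
    elif [ "$parent" = "$2" ]; then
        echo "ok"
    else
        echo "wrong:$parent"      # jump exists but in a chain traffic never hits
    fi
}

# Host sshd jail must hang off INPUT; the container SSH jail off DOCKER-USER.
f2b_check sshd INPUT "$SAMPLE_IPTABLES"
f2b_check x-ssh-access DOCKER-USER "$SAMPLE_IPTABLES"
```

On a live system replace the sample with `LISTING=$(iptables -L -n)` and run the two checks against it after every fail2ban restart.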

References:

https://github.com/crazy-max/docker-fail2ban#docker-user-and-input-chains

https://wiki.archlinux.org/title/Iptables

That's all.


3 comments

  • 小原渚

    I'd suggest writing a year-end summary at the end of every year. See you again if fate allows; hope I can still come across your posts in the future.

    • Mosaic-C

      Sure, I could; the main purpose would just be to signal that I'm still around, right? Hahaha~

  • jiyouzhan

    This article explains things thoroughly yet simply; even a newbie like me could understand it!
