
iptables string match, some packets still getting through

I’m using fail2ban to police plain-text HTTP packets (SSL offload being used with the load balancer) using a header added by the load balancer. fail2ban is complaining that it is seeing IP addresses in logs AFTER it bans them, but the packet count on iptables is increasing. How can they possibly be slipping past?

My fail2ban log looks like this

2020-09-27 19:10:42,748 fail2ban.actions        [1744]: NOTICE  [jailprov] Ban 5.180.220.215
2020-09-27 19:11:34,478 fail2ban.actions        [1744]: NOTICE  [jailprov] 5.180.220.215 already banned
2020-09-27 19:12:08,097 fail2ban.actions        [1744]: NOTICE  [jailprov] 5.180.220.215 already banned
2020-09-27 19:12:21,119 fail2ban.actions        [1744]: NOTICE  [jailprov] 5.180.220.215 already banned
2020-09-27 19:12:50,088 fail2ban.actions        [1744]: NOTICE  [jailprov] 5.180.220.215 already banned
2020-09-27 19:13:08,609 fail2ban.actions        [1744]: NOTICE  [jailprov] 5.180.220.215 already banned

My iptables looks like this

[me@server log]# iptables -vnL
Chain INPUT (policy ACCEPT 2917 packets, 368K bytes)
 pkts bytes target     prot opt in     out     source               destination
2751K  199M fail2ban-default  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2749K  198M fail2ban-default  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2952 packets, 530K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-default (2 references)
 pkts bytes target     prot opt in     out     source               destination
   18  6408 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match  "5.180.220.215" ALGO name bm TO 65535
   [other rules removed for brevity]
5499K  396M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

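One property of the iptables `string` match that matters here: it inspects each packet's payload on its own and never reassembles the TCP stream. `--to 65535` widens the search window inside a packet, not across packets. So a segment in which the address string is cut in two by the segment boundary (or any segment of the connection that carries no header at all) matches nothing and is accepted, while the web server reassembles the stream and logs the full request, which is exactly what fail2ban then reads. The script below is an added example, not code from the question, fail2ban or netfilter; it models that per-packet decision on a constructed request, and also shows why a bare substring test over-blocks, since `5.180.220.215` is a substring of `15.180.220.215`. The request bytes, MSS values and `xff_has_ip` helper are all constructed for the illustration.

```python
# Added example (not from the question or from fail2ban/iptables): a model of
# how the iptables "string" match decides per packet, and how a substring test
# on an address over-matches. Request, MSS values and addresses are constructed.
from dataclasses import dataclass

# Constructed request as a load balancer would forward it after SSL offload,
# carrying the client address in an X-Forwarded-For header.
REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Forwarded-For: 5.180.220.215\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)
BANNED = b"5.180.220.215"   # the string fail2ban put into the DROP rule


@dataclass
class Segment:
    seq: int        # offset of this segment within the byte stream
    payload: bytes


def segment(stream: bytes, mss: int) -> list[Segment]:
    """Split a byte stream into MSS-sized TCP segments (headers not modelled)."""
    return [Segment(off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


def packet_verdict(seg: Segment, needle: bytes) -> str:
    """What xt_string gets to see: this packet's payload and nothing else."""
    return "DROP" if needle in seg.payload else "ACCEPT"


def firewall_verdicts(segs: list[Segment], needle: bytes) -> list[str]:
    """Per-packet verdicts in stream order, like the pkts counter on the DROP rule."""
    return [packet_verdict(s, needle) for s in segs]


def server_sees(segs: list[Segment], needle: bytes) -> bool:
    """The web server reassembles whatever got through, so it (and the log that
    fail2ban reads) sees the header even when no single packet held the whole
    string. A dropped segment leaves a hole, so a single-segment request never
    reaches it."""
    accepted = [s for s in segs if packet_verdict(s, needle) == "ACCEPT"]
    stream = b"".join(s.payload for s in sorted(accepted, key=lambda s: s.seq))
    return needle in stream


def straddling_mss(stream: bytes, needle: bytes) -> int:
    """An MSS that places a segment boundary in the middle of the needle."""
    return stream.index(needle) + len(needle) // 2


def xff_has_ip(header_value: str, ip: str) -> bool:
    """Exact per-address comparison of an X-Forwarded-For list (hypothetical
    helper). A raw substring test such as the string match would also treat
    '15.180.220.215' as a hit for '5.180.220.215'."""
    return ip in [part.strip() for part in header_value.split(",")]


if __name__ == "__main__":
    for mss in (1460, straddling_mss(REQUEST, BANNED)):
        segs = segment(REQUEST, mss)
        print(f"mss={mss}: verdicts={firewall_verdicts(segs, BANNED)} "
              f"server_sees_banned_ip={server_sees(segs, BANNED)}")
    print("substring hit on 15.180.220.215:", BANNED in b"X-Forwarded-For: 15.180.220.215")
    print("exact hit on 15.180.220.215    :", xff_has_ip("15.180.220.215", "5.180.220.215"))
```

With a 1460-byte MSS the whole request sits in one segment and is dropped, which is the case the 18 dropped packets in the chain above correspond to; with the boundary inside the address both segments are accepted and the reassembled request still carries the banned address. The same per-packet scope applies to every other segment of the connection (handshake, ACKs, body), which is why a header-based ban is more reliably enforced somewhere that parses the header, such as the web server or a fail2ban action that compares the exact address rather than a substring.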
