Sua corrente DOCKER é chamada somente de FORWARD . Como você pode ver pelos números zero, as regras não são atingidas. Tente chamar a corrente DOCKER de INPUT também.
Eu tenho um problema com a configuração do meu host / docker da seguinte forma: O host executa o fail2ban, que acessa os arquivos mail.log do contêiner docker, que são mapeados em um volume. Tudo isso funciona bem, eu defini uma jail.local
[postfix-sasl]
enabled = true
port = smtpd
filter = postfix-sasl
logpath = /var/lib/docker/volumes/smtp2/_data/mail.log
bantime = 604800
maxretry = 5
action = docker-action
e um filtro postfix-sasl.conf
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
_port = (?::\d+)?
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
e uma ação como docker-action.conf
[Definition]
actionstart =
actionstop =
actioncheck = iptables -n -L FORWARD | grep -q 'DOCKER[ \t]'
actionban = iptables -I DOCKER 1 -s <ip> -j DROP
actionunban = iptables -D DOCKER -s <ip> -j DROP
Tudo parece funcionar bem, até mesmo com
2018-08-14 16:51:24,048 fail2ban.actions [26209]: WARNING [postfix-sasl] 181.214.206.133 already banned
e no iptables -S a seguinte entrada, como eu queria:
-A DOCKER -s 181.214.206.133/32 -j DROP
Mas no meu container ainda todas as tentativas entram assim
Aug 14 17:34:28 smtp2 postfix/smtpd[16114]: warning: unknown[181.214.206.133]: SASL LOGIN authentication failed: authentication failure
Aug 14 17:34:29 smtp2 postfix/smtpd[16114]: disconnect from unknown[181.214.206.133] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Aug 14 17:34:52 smtp2 postfix/smtpd[16114]: connect from unknown[181.214.206.133]
Saída do iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-N f2bd-postfix-sasl
-N fail2ban-postfix
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-loggireject-input
-A INPUT -j ufw-track-input
-A FORWARD -p tcp -m multiport --dports 25 -j fail2ban-postfix
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -s 69.10.48.187/32 -j DROP
-A DOCKER -s 181.214.206.133/32 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
Saída de iptables -vnL FORWARD | grep docker
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate ELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Alguém pode me explicar, por que essas solicitações ainda estão sendo encaminhadas para o contêiner docker? Estou perdendo alguma coisa?