Fail2Ban for a Nextcloud container

Hello,

I have nextcloud and nginx containers which are part of a bridge. I have fail2ban running on the host. Fail2ban shows the IP is banned, but in reality it is not.

Any idea how to fix this?

lxc config show nextcloud
architecture: x86_64
config:
  boot.autostart: "true"
  boot.autostart.priority: "99"
  image.architecture: amd64
  image.description: Archlinux current amd64 (20190121_01:27)
  image.os: Archlinux
  image.release: current
  image.serial: "20190121_01:27"
  raw.idmap: |
    uid 1001 1001
    uid 33 33
    gid 100 100
    gid 110 110
    gid 33 33
  raw.lxc: lxc.mount.auto = proc:rw sys:ro
  volatile.base_image: a7dfd11ceb31b777133592f74e155102aa972f74ece352ccd63851006f61d207
  volatile.eth0.host_name: veth64b48f11
profiles:
- vlan300profile

The vlan300 profile looks like so:

# lxc profile show vlan300profile
config:
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: vlan300br
    type: nic
  root:
    path: /
    pool: lxd
    type: disk
name: vlan300profile

I tried to ban a local IP, 172.16.1.28, and it is listed in iptables. But I am still able to access the nextcloud instance.

# iptables -L -n -v
Chain INPUT (policy ACCEPT 46680 packets, 3053K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 f2b-nextcloud  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 12 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 3 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */

Chain FORWARD (policy ACCEPT 1229K packets, 841M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     all  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */

Chain OUTPUT (policy ACCEPT 42489 packets, 3122K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 12 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 11 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 3 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            tcp spt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            udp spt:67 /* generated for LXD network lxdbr0 */

Chain f2b-nextcloud (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       172.16.1.28          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Finally, I have the following set:

# sysctl -a | grep net.bridge.bridge-nf-call
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

Traffic going through the bridge to/from the container and the external network won’t be checked via the INPUT chain of the firewall (where your fail2ban rules are being checked), because that chain is only for packets going to your LXD host’s interface.

You would need to ensure that bridge filtering is enabled, and that fail2ban is adding the correct rules to the FORWARD chain.
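The following is an added example, not code from either poster: a small POSIX shell helper that reads the text of `iptables -L -n -v` and reports which built-in chain carries the jump to a fail2ban chain, so you can confirm the diagnosis above (the `f2b-nextcloud` jump sits in INPUT, which bridged traffic never traverses). It also prints a `jail.local` fragment that passes `chain=FORWARD` to fail2ban's `iptables-multiport` action, whose `chain` parameter defaults to INPUT. The sample iptables listing is constructed from the rows shown in the thread; the jail name `nextcloud` and ports `http,https` are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Diagnose whether a fail2ban
# chain is reachable for bridged (forwarded) traffic, and emit a jail.local
# fragment that moves the jump into FORWARD.

# Constructed sample: the relevant rows of the `iptables -L -n -v` listing
# from the thread. In real use, pipe live output into the functions instead.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 46680 packets, 3053K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-nextcloud  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 1229K packets, 841M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */

Chain f2b-nextcloud (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       172.16.1.28          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# f2b_jump_chains <f2b-chain>: read `iptables -L -n -v` text on stdin and print
# the built-in chains (INPUT, FORWARD, ...) that contain a jump to <f2b-chain>.
# With -v, column 3 of each rule line is the rule's target.
f2b_jump_chains() {
    awk -v target="$1" '
        /^Chain / { chain = $2; next }   # remember which chain the rows below belong to
        $3 == target { print chain }     # a rule whose target is the fail2ban chain
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# bridged_ban_effective <f2b-chain>: exit 0 when the jump is in FORWARD (bans
# apply to traffic crossing the bridge), 1 when it is only in INPUT or missing.
bridged_ban_effective() {
    case " $(f2b_jump_chains "$1") " in
        *" FORWARD "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# jail_local_fragment <jail> <ports>: print a jail.local section that tells the
# iptables-multiport action to insert its jump into FORWARD instead of INPUT.
# Bridge filtering (net.bridge.bridge-nf-call-iptables = 1) must stay enabled
# for FORWARD to see bridged packets at all.
jail_local_fragment() {
    printf '[%s]\nenabled = true\nport = %s\naction = iptables-multiport[name=%s, port="%s", chain=FORWARD]\n' \
        "$1" "$2" "$1" "$2"
}

# Usage on the constructed sample; on a live host replace the printf with
# `iptables -L -n -v | f2b_jump_chains f2b-nextcloud`.
echo "f2b-nextcloud is jumped to from: $(printf '%s\n' "$SAMPLE_IPTABLES" | f2b_jump_chains f2b-nextcloud)"
if printf '%s\n' "$SAMPLE_IPTABLES" | bridged_ban_effective f2b-nextcloud; then
    echo "bans apply to bridged traffic"
else
    echo "bans do NOT apply to bridged traffic; suggested jail.local:"
    jail_local_fragment nextcloud "http,https"
fi
```

After restarting fail2ban with the fragment in place, rerun the check against live `iptables -L -n -v` output; the expected result is `FORWARD` in the jump list, and packet counters on the REJECT row of the fail2ban chain should start incrementing when the banned address connects.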