Hello,
I have nextcloud and nginx containers which are part of a bridge. I have fail2ban running on the host. Fail2ban shows the IP is banned, but in reality it is not.
Any idea how to fix this?
```
lxc config show nextcloud
architecture: x86_64
config:
  boot.autostart: "true"
  boot.autostart.priority: "99"
  image.architecture: amd64
  image.description: Archlinux current amd64 (20190121_01:27)
  image.os: Archlinux
  image.release: current
  image.serial: "20190121_01:27"
  raw.idmap: |
    uid 1001 1001
    uid 33 33
    gid 100 100
    gid 110 110
    gid 33 33
  raw.lxc: lxc.mount.auto = proc:rw sys:ro
  volatile.base_image: a7dfd11ceb31b777133592f74e155102aa972f74ece352ccd63851006f61d207
  volatile.eth0.host_name: veth64b48f11
profiles:
- vlan300profile
```
The vlan300 profile looks like so:
```
# lxc profile show vlan300profile
config:
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: vlan300br
    type: nic
  root:
    path: /
    pool: lxd
    type: disk
name: vlan300profile
```
I tried to ban a local IP, 172.16.1.28, and it is listed in iptables. But I am still able to access the nextcloud instance.
```
# iptables -L -n -v
Chain INPUT (policy ACCEPT 46680 packets, 3053K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-nextcloud  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 12 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 3 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */

Chain FORWARD (policy ACCEPT 1229K packets, 841M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     all  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */

Chain OUTPUT (policy ACCEPT 42489 packets, 3122K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 12 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 11 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 3 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            tcp spt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            udp spt:67 /* generated for LXD network lxdbr0 */

Chain f2b-nextcloud (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       172.16.1.28          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
Finally, I have the following set:
```
# sysctl -a | grep net.bridge.bridge-nf-call
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
```
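The counters in the post already carry the diagnostic signal: the REJECT for 172.16.1.28 has matched 0 packets, the `f2b-nextcloud` chain has exactly one reference and that reference sits in INPUT, while FORWARD (the chain host iptables evaluates for traffic it passes on to a bridged container) has carried 841M bytes. The script below is an added example, not part of the original post: it parses `iptables -L -n -v` text, lists every REJECT/DROP rule for a given address with its packet counter, resolves which built-in chains can reach that rule, and reports whether the ban is on the FORWARD path. The first sample is constructed from the output shown in the post; the second is a hypothetical variant with an extra jump from FORWARD, included only to show what a reachable ban looks like.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `iptables -L -n -v` text
# and checks whether a ban rule for an IP is reachable from FORWARD.
# Field layout of a rule line: pkts bytes target prot opt in out source dest ...

# Constructed sample, reduced from the iptables output shown in the post.
SAMPLE_FROM_POST=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 46680 packets, 3053K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-nextcloud  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain FORWARD (policy ACCEPT 1229K packets, 841M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42489 packets, 3122K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-nextcloud (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       172.16.1.28          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Hypothetical (constructed) variant: same ruleset plus a jump from FORWARD,
# so bridged traffic to the container also passes through the ban chain.
SAMPLE_WITH_FORWARD=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 46680 packets, 3053K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-nextcloud  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 1229K packets, 841M bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 f2b-nextcloud  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain f2b-nextcloud (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 REJECT     all  --  *      *       172.16.1.28          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Print "<chain> <pkts>" for every REJECT/DROP rule whose source is $1.
# $2 is the iptables -L -n -v text.
ban_rules_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^Chain / { chain = $2; next }
        ($3 == "REJECT" || $3 == "DROP") && $8 == ip { print chain, $1 }'
}

# Print the chains that jump to chain $1 (one hop; fail2ban chains are flat).
callers_of() {
    printf '%s\n' "$2" | awk -v target="$1" '
        /^Chain / { chain = $2; next }
        $3 == target && chain != target { print chain }' | sort -u
}

# Succeed (exit 0) when some ban rule for $1 lives in a chain that FORWARD
# jumps to; fail (exit 1) otherwise.
ban_reaches_forward() {
    for chain in $(ban_rules_for "$1" "$2" | awk '{ print $1 }'); do
        if callers_of "$chain" "$2" | grep -qx FORWARD; then
            return 0
        fi
    done
    return 1
}

# Human-readable summary for address $1 over ruleset $2.
report() {
    rules=$(ban_rules_for "$1" "$2")
    if [ -z "$rules" ]; then
        echo "no REJECT/DROP rule for $1 found"
        return 1
    fi
    printf '%s\n' "$rules" | while read -r chain pkts; do
        echo "$1 is banned in $chain (rule matched $pkts packets); reached from: $(callers_of "$chain" "$2" | tr '\n' ' ')"
    done
    if ban_reaches_forward "$1" "$2"; then
        echo "ban is on the FORWARD path: traffic bridged to a container is covered"
    else
        echo "ban is not on the FORWARD path: traffic bridged to a container never reaches it"
    fi
}

report 172.16.1.28 "$SAMPLE_FROM_POST"
report 172.16.1.28 "$SAMPLE_WITH_FORWARD"
```

Run on the post's ruleset the report shows the ban chain reached only from INPUT and a 0-packet counter on the REJECT, which is consistent with the container still being reachable: INPUT only sees packets addressed to the host itself. With `bridge-nf-call-iptables = 1` the bridged traffic is visible to host iptables, but in FORWARD, so a jail whose action inserts into INPUT never matches it. Fail2ban's iptables actions take a `chain` parameter (default `INPUT`) for exactly this; whether that or a separate FORWARD rule is appropriate depends on the setup, and the script's second sample only shows what a reachable ban looks like.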