Fail2ban on container-mounted log files

I’ve got a container on my host running a service exposed to the Internet, currently via a lxc proxy (config device add foo proxy etc), and the log it generates is via a mounted file from the host so that I can use fail2ban on the host.

You may have spotted my problem already - all the IPs on the log for external access are the proxy’s address, so fail2ban cannot work.

Can anyone suggest a way to set up my networking so that the original IPs appear in the log? (Hi @tomp !) I guess ideally I’d have a shared IP between host and container(s) with certain ports routed in to specific containers. Or perhaps I should just share the network? Or can proxying handle this natively? I see there’s a proxy_protocol setting, but the docs do not explain how to make this work.


Ok I think I fixed this. With some judicious forum searching, I found Making sure that IP's "connected" to the containers gameserver proxy shows users real IP? - #5 by tomp and my Dovecot service is now showing the rip properly. This is some sort of black magic. :grinning:

1 Like

Glad to hear you got it working.

Did you use nat mode with the proxy?

Yep, works like a charm. Cheers!

For some background, I am migrating some services off a very old Linode server (created 11 years ago) which is on 18.04 but 32-bit, which is preventing further dist-upgrades and crucially I cannot upgrade LXD any more either, so I have no migration options. I’ve rebuilt a few things but I just did a filthy hack by copying /var/lib/lxd into a new 18.04 64 bit instance and doing an lxd.migrate there. Phew.

1 Like