mirror of
https://github.com/swissmakers/fail2ban-ui.git
synced 2026-04-11 05:37:07 +02:00
Update docs and mention nftables vs iptables
40 README.md
@@ -896,6 +896,46 @@ journalctl -u fail2ban-ui.service -f
3. Add remote server via SSH or API agent
4. Verify server connection status

#### Fail2Ban Banaction Configuration (nftables vs iptables)

**Symptoms:** Fail2Ban fails to ban IPs with errors like:
- `Extension multiport revision 0 not supported, missing kernel module?`
- `iptables v1.8.11 (nf_tables): RULE_INSERT failed (No such file or directory)`
- `Error starting action Jail('jail-name')/iptables-multiport: 'Script error'`

**Cause:** Modern Linux distributions (Rocky Linux 9+, RHEL 9+, Fedora 36+, Debian 12+) use **nftables** as the default firewall backend instead of legacy iptables. When Fail2Ban is configured to use `iptables-multiport` or `iptables-allports`, it attempts to use legacy iptables modules that are not available in nftables-based systems.

**Solution:**

1. **For nftables-based systems (Rocky Linux 9+, RHEL 9+, Fedora 36+, Debian 12+):**
- Navigate to **Settings** → **Fail2Ban Settings**
- Change **Banaction** from `iptables-multiport` to `nftables-multiport`
- Change **Banaction Allports** from `iptables-allports` to `nftables-allports`
- Save settings and reload Fail2Ban

2. **For systems using firewalld (Rocky Linux / Red Hat):**
- If your system uses `firewalld` as the firewall management tool, you can use:
- **Banaction**: `firewallcmd-multiport`
- **Banaction Allports**: `firewallcmd-allports`
- Alternatively, you can still use `nftables-multiport` if firewalld is configured to use nftables backend (which is the default in RHEL 9+)

3. **Verify your system's firewall backend:**
```bash
# Check if using nftables
iptables --version
# Output: iptables v1.8.11 (nf_tables) indicates nftables backend

# Check if firewalld is active
systemctl status firewalld
```

**Note:** The Fail2Ban UI provides all common banaction options in the Settings dropdown, including:
- `nftables-multiport` / `nftables-allports` (for nftables-based systems)
- `firewallcmd-multiport` / `firewallcmd-allports` (for firewalld-based systems)
- `iptables-multiport` / `iptables-allports` (for legacy iptables systems)

After changing the banaction, Fail2Ban will automatically reload and apply the new configuration.

#### OIDC Authentication Issues

**Symptoms:** Cannot login, redirected to provider but authentication fails

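Review bot: step 1 ends with "Save settings and reload Fail2Ban" while the closing paragraph says Fail2Ban "will automatically reload and apply the new configuration"; pick one so operators know whether a manual reload is expected after changing the banaction. The verification block in step 3 only runs `iptables --version` and `systemctl status firewalld`, but the `nftables-multiport` / `nftables-allports` actions are executed through the `nft` binary, so add a check such as `nft --version` (or `nft list tables`) so the reader confirms the tool the new banaction depends on is installed before switching away from the iptables actions.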
@@ -10,6 +10,7 @@ A comprehensive guide for building and deploying Fail2Ban UI using containers (D
- [Volume Mounts](#volume-mounts)
- [Configuration](#configuration)
- [Docker Compose](#docker-compose)
- [Fail2Ban Banaction Configuration](#fail2ban-banaction-configuration)
- [SELinux Configuration](#selinux-configuration)
- [Troubleshooting](#troubleshooting)

@@ -361,6 +362,44 @@ See `docker-compose-allinone.example.yml` in the project root for the complete c

---

## Fail2Ban Banaction Configuration

### nftables vs iptables

Modern Linux distributions (Rocky Linux 9+, RHEL 9+, Fedora 36+, Debian 12+) use **nftables** as the default firewall backend instead of legacy iptables. When Fail2Ban is configured to use `iptables-multiport` or `iptables-allports`, it may fail with errors like:

- `Extension multiport revision 0 not supported, missing kernel module?`
- `iptables v1.8.11 (nf_tables): RULE_INSERT failed (No such file or directory)`

**Solution:** Configure Fail2Ban to use nftables-based actions:

1. Access the Fail2Ban UI web interface
2. Navigate to **Settings** → **Fail2Ban Settings**
3. Change **Banaction** from `iptables-multiport` to `nftables-multiport`
4. Change **Banaction Allports** from `iptables-allports` to `nftables-allports`
5. Save settings (Fail2Ban will automatically reload)

### firewalld (Rocky Linux / Red Hat)

For systems using `firewalld` as the firewall management tool (common on Rocky Linux and Red Hat Enterprise Linux), you can use:

- **Banaction**: `firewallcmd-multiport`
- **Banaction Allports**: `firewallcmd-allports`

Alternatively, if firewalld is configured to use the nftables backend (default in RHEL 9+), you can use `nftables-multiport` / `nftables-allports` as described above.

**Verify your system's firewall backend:**
```bash
# Check if using nftables
iptables --version
# Output: iptables v1.8.11 (nf_tables) indicates nftables backend

# Check if firewalld is active
systemctl status firewalld
```

---

## SELinux Configuration

If SELinux is enabled on your system, you must apply the required SELinux policies to allow the container to communicate with Fail2Ban.

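Review bot: the opening paragraph attributes the failure to nftables being the default backend, but the quoted error `iptables v1.8.11 (nf_tables)` shows iptables-nft is in use, which is a supported setup; the multiport error reports a missing kernel module because iptables-nft still needs the xt_multiport compat module for `-m multiport`, which minimal kernels and containers frequently lack, whereas the `nftables-*` actions use native port sets and avoid that dependency. Saying so explains why the switch helps and why `iptables --version` reporting `(nf_tables)` is not on its own a sufficient check. Since this guide covers container deployments, also state where the verification commands are meant to run (the host or the container in which Fail2Ban executes the banaction), because the result differs between the two.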
@@ -406,6 +445,10 @@ You should see:

## Troubleshooting

### Fail2Ban Cannot Ban IPs (nftables/firewalld Issues)

If Fail2Ban fails to ban IPs with errors related to iptables or multiport extensions, see the [Fail2Ban Banaction Configuration](#fail2ban-banaction-configuration) section above for detailed solutions.

### UI Not Accessible

**Symptoms:** Cannot access web interface

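Review bot: this troubleshooting entry is only a pointer, and the section it points to omits the third symptom that the README version of the same material lists, `Error starting action Jail('jail-name')/iptables-multiport: 'Script error'`, which is the message operators are most likely to search for; include that error string here or in the referenced section so the two documents match.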