Update docs and mention nftables vs iptables

This commit is contained in:
2026-01-21 18:08:40 +01:00
parent 3bfd9d5cdf
commit efe48c0e59
2 changed files with 83 additions and 0 deletions

View File

@@ -896,6 +896,46 @@ journalctl -u fail2ban-ui.service -f
3. Add remote server via SSH or API agent 3. Add remote server via SSH or API agent
4. Verify server connection status 4. Verify server connection status
#### Fail2Ban Banaction Configuration (nftables vs iptables)
**Symptoms:** Fail2Ban fails to ban IPs with errors like:
- `Extension multiport revision 0 not supported, missing kernel module?`
- `iptables v1.8.11 (nf_tables): RULE_INSERT failed (No such file or directory)`
- `Error starting action Jail('jail-name')/iptables-multiport: 'Script error'`
**Cause:** Modern Linux distributions (Rocky Linux 9+, RHEL 9+, Fedora 36+, Debian 12+) use **nftables** as the default firewall backend instead of legacy iptables. When Fail2Ban is configured to use `iptables-multiport` or `iptables-allports`, it attempts to use legacy iptables modules that are not available in nftables-based systems.
**Solution:**
1. **For nftables-based systems (Rocky Linux 9+, RHEL 9+, Fedora 36+, Debian 12+):**
- Navigate to **Settings****Fail2Ban Settings**
- Change **Banaction** from `iptables-multiport` to `nftables-multiport`
- Change **Banaction Allports** from `iptables-allports` to `nftables-allports`
- Save settings and reload Fail2Ban
2. **For systems using firewalld (Rocky Linux / Red Hat):**
- If your system uses `firewalld` as the firewall management tool, you can use:
- **Banaction**: `firewallcmd-multiport`
- **Banaction Allports**: `firewallcmd-allports`
- Alternatively, you can still use `nftables-multiport` if firewalld is configured to use nftables backend (which is the default in RHEL 9+)
3. **Verify your system's firewall backend:**
```bash
# Check if using nftables
iptables --version
# Output: iptables v1.8.11 (nf_tables) indicates nftables backend
# Check if firewalld is active
systemctl status firewalld
```
**Note:** The Fail2Ban UI provides all common banaction options in the Settings dropdown, including:
- `nftables-multiport` / `nftables-allports` (for nftables-based systems)
- `firewallcmd-multiport` / `firewallcmd-allports` (for firewalld-based systems)
- `iptables-multiport` / `iptables-allports` (for legacy iptables systems)
After changing the banaction, Fail2Ban will automatically reload and apply the new configuration.
#### OIDC Authentication Issues #### OIDC Authentication Issues
**Symptoms:** Cannot login, redirected to provider but authentication fails **Symptoms:** Cannot login, redirected to provider but authentication fails
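Review bot: the Cause paragraph contradicts the error output it explains. `iptables v1.8.11 (nf_tables)` is the iptables-nft front end, i.e. iptables is already driving nftables, so the failure is not that "legacy iptables modules are not available"; `Extension multiport revision 0 not supported, missing kernel module?` means the `xt_multiport` match module could not be loaded into the kernel the process sees (iptables-nft still depends on the xt_* match/target modules via nft_compat), which is exactly why switching to `nftables-multiport` (native nft sets and rules, no xt extensions) makes the ban succeed. Suggest rewording the Cause along those lines and widening the distribution list: Debian has defaulted to the nftables backend since 10 (buster) and RHEL/Rocky since 8, so "Debian 12+" and "RHEL 9+" understate the affected range. Separately, `Navigate to **Settings****Fail2Ban Settings**` lost its separator (the copy in the container guide reads `**Settings** → **Fail2Ban Settings**`). Finally, "Fail2Ban will automatically reload" deserves a verification step so users can confirm the new action took effect: `fail2ban-client get <jail> actions` to see the action now in use and `nft list ruleset | grep f2b` to see the `f2b-table`/`f2b-chain` objects the nftables actions create.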

View File

@@ -10,6 +10,7 @@ A comprehensive guide for building and deploying Fail2Ban UI using containers (D
- [Volume Mounts](#volume-mounts) - [Volume Mounts](#volume-mounts)
- [Configuration](#configuration) - [Configuration](#configuration)
- [Docker Compose](#docker-compose) - [Docker Compose](#docker-compose)
- [Fail2Ban Banaction Configuration](#fail2ban-banaction-configuration)
- [SELinux Configuration](#selinux-configuration) - [SELinux Configuration](#selinux-configuration)
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
@@ -361,6 +362,44 @@ See `docker-compose-allinone.example.yml` in the project root for the complete c
--- ---
## Fail2Ban Banaction Configuration
### nftables vs iptables
Modern Linux distributions (Rocky Linux 9+, RHEL 9+, Fedora 36+, Debian 12+) use **nftables** as the default firewall backend instead of legacy iptables. When Fail2Ban is configured to use `iptables-multiport` or `iptables-allports`, it may fail with errors like:
- `Extension multiport revision 0 not supported, missing kernel module?`
- `iptables v1.8.11 (nf_tables): RULE_INSERT failed (No such file or directory)`
**Solution:** Configure Fail2Ban to use nftables-based actions:
1. Access the Fail2Ban UI web interface
2. Navigate to **Settings** → **Fail2Ban Settings**
3. Change **Banaction** from `iptables-multiport` to `nftables-multiport`
4. Change **Banaction Allports** from `iptables-allports` to `nftables-allports`
5. Save settings (Fail2Ban will automatically reload)
### firewalld (Rocky Linux / Red Hat)
For systems using `firewalld` as the firewall management tool (common on Rocky Linux and Red Hat Enterprise Linux), you can use:
- **Banaction**: `firewallcmd-multiport`
- **Banaction Allports**: `firewallcmd-allports`
Alternatively, if firewalld is configured to use the nftables backend (default in RHEL 9+), you can use `nftables-multiport` / `nftables-allports` as described above.
**Verify your system's firewall backend:**
```bash
# Check if using nftables
iptables --version
# Output: iptables v1.8.11 (nf_tables) indicates nftables backend
# Check if firewalld is active
systemctl status firewalld
```
---
## SELinux Configuration ## SELinux Configuration
If SELinux is enabled on your system, you must apply the required SELinux policies to allow the container to communicate with Fail2Ban. If SELinux is enabled on your system, you must apply the required SELinux policies to allow the container to communicate with Fail2Ban.
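Review bot: the verification block checks the wrong place for a container deployment. `iptables --version` reports the iptables variant on whatever host it is run on; when Fail2Ban itself runs inside the all-in-one container, the binaries that matter are the ones in the image, so the check should be `docker exec <container> iptables --version` and `docker exec <container> nft --version`, and the guide should state that `nft` has to be present in the image for the `nftables-*` actions to work at all. `systemctl status firewalld` also assumes systemd on the host; `firewall-cmd --state` is the portable check, and the backend firewalld uses is the `FirewallBackend=` setting in `/etc/firewalld/firewalld.conf`, which is what "if firewalld is configured to use the nftables backend" refers to but never tells the reader how to confirm. Worth one more sentence that the `firewallcmd-*` actions need `firewall-cmd` to reach the host's firewalld over D-Bus, which a container normally cannot do, so readers do not pick them from the dropdown in a containerized setup. Lastly, this section repeats the troubleshooting entry in the other file almost verbatim and the two already differ (the Settings path wording); keeping one canonical section and linking to it from the other would stop them drifting further.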
@@ -406,6 +445,10 @@ You should see:
## Troubleshooting ## Troubleshooting
### Fail2Ban Cannot Ban IPs (nftables/firewalld Issues)
If Fail2Ban fails to ban IPs with errors related to iptables or multiport extensions, see the [Fail2Ban Banaction Configuration](#fail2ban-banaction-configuration) section above for detailed solutions.
### UI Not Accessible ### UI Not Accessible
**Symptoms:** Cannot access web interface **Symptoms:** Cannot access web interface