UFW firewall rules do not take effect

p0se

Member
Hello,

I run a VPS on which several Docker containers are running.
These containers are set up with Fail2ban, and Fail2ban is configured to use UFW.
So far everything works: Fail2ban detects failed authentications and UFW then creates firewall rules.
However, these rules do not take effect: when an IP is blocked via UFW, that IP can still access the container (HTTPS).

Here is an example.

Fail2ban
Code:
2023-03-27 08:04:01,172 fail2ban.filter         [680]: INFO    [npm] Found 82.113.99.92 - 2023-03-27 08:04:01
2023-03-27 08:04:43,124 fail2ban.filter         [680]: INFO    [npm] Found 82.113.99.92 - 2023-03-27 08:04:43
2023-03-27 08:04:45,828 fail2ban.filter         [680]: INFO    [npm] Found 82.113.99.92 - 2023-03-27 08:04:45
2023-03-27 08:04:45,995 fail2ban.actions        [680]: NOTICE  [npm] Ban 82.113.99.92

If the IP accesses the web server again after the ban, Fail2ban produces the following output:
Code:
2023-03-27 08:04:47,431 fail2ban.filter         [680]: INFO    [npm] Found 82.113.99.92 - 2023-03-27 08:04:47
2023-03-27 08:04:49,435 fail2ban.filter         [680]: INFO    [npm] Found 82.113.99.92 - 2023-03-27 08:04:49
2023-03-27 08:04:59,813 fail2ban.filter         [680]: INFO    [npm] Found 82.113.99.92 - 2023-03-27 08:04:59
2023-03-27 08:05:00,171 fail2ban.actions        [680]: NOTICE  [npm] 82.113.99.92 already banned


UFW
Code:
To                         Action      From
--                         ------      ----
Anywhere                   REJECT      82.113.99.92
Anywhere                   REJECT      102.214.191.138
Anywhere                   REJECT      43.136.27.80
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

10.0.0.2 80/tcp            ALLOW FWD   Anywhere
10.0.0.2 443/tcp           ALLOW FWD   Anywhere

iptables excerpt, chain ufw-user-input
Code:
Chain ufw-user-input (1 references)
target     prot opt source               destination
REJECT     all  --  82.113.99.92          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  102.214.191.138      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  43.136.27.80         anywhere             reject-with icmp-port-unreachable

Full iptables output
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.0.0.4             tcp dpt:9000
ACCEPT     tcp  --  anywhere             10.0.0.4             tcp dpt:8000
ACCEPT     tcp  --  anywhere             10.0.0.5             tcp dpt:3001
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:https
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:81
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere
RETURN     all  --  10.0.0.0/8           anywhere
RETURN     all  --  172.16.0.0/12        anywhere
RETURN     all  --  192.168.0.0/16       anywhere
RETURN     udp  --  anywhere             anywhere             udp spt:domain dpts:1024:65535
ufw-docker-logging-deny  tcp  --  anywhere             192.168.0.0/16       tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny  tcp  --  anywhere             10.0.0.0/8           tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny  tcp  --  anywhere             172.16.0.0/12        tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny  udp  --  anywhere             192.168.0.0/16       udp dpts:0:32767
ufw-docker-logging-deny  udp  --  anywhere             10.0.0.0/8           udp dpts:0:32767
ufw-docker-logging-deny  udp  --  anywhere             172.16.0.0/12        udp dpts:0:32767
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-docker-logging-deny (6 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW DOCKER BLOCK] "
DROP       all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:http
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:https

Chain ufw-user-input (1 references)
target     prot opt source               destination
REJECT     all  --  82.113.99.92          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  102.214.191.138      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  43.136.27.80         anywhere             reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
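As an added example (not part of the post, and not code from UFW, Fail2ban or Docker), a small Python check that parses `iptables -L` output and reports in which packet path a source-IP ban is actually reachable: the INPUT path that host services use, or the FORWARD path that traffic to Docker-published ports takes. `SAMPLE` is a constructed condensation of the dump above (the chain names and the banned IP are taken from the post); the function names are my own.

```python
import re
# Constructed sample in `iptables -L` format condensed from the post (header rows omitted; the parser skips them)
SAMPLE = """\
Chain INPUT (policy DROP)
ufw-before-input  all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
DOCKER-USER  all  --  anywhere             anywhere
Chain DOCKER-USER (1 references)
ufw-user-forward  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
Chain ufw-before-input (1 references)
ufw-user-input  all  --  anywhere             anywhere
Chain ufw-user-forward (2 references)
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:https
Chain ufw-user-input (1 references)
REJECT     all  --  82.113.99.92         anywhere             reject-with icmp-port-unreachable
"""

def parse_chains(text):
    """Map chain name -> list of (target, source) tuples in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and len(f) >= 5 and f[0] != "target":
            chains[current].append((f[0], f[3]))  # target column, source column
    return chains

def bans_reachable_from(chains, root, ip):
    """DROP/REJECT rules on source `ip` in every user chain reachable from `root` (upper bound: earlier ACCEPTs are ignored)."""
    hits, seen = [], set()
    def walk(chain):
        if chain in seen:
            return
        seen.add(chain)
        for target, source in chains.get(chain, []):
            if source == ip and target in ("DROP", "REJECT"):
                hits.append((chain, target))
            if target in chains:  # user-defined chain, not a built-in verdict
                walk(target)
    walk(root)
    return hits

def ban_coverage(text, ip):
    """Host-bound packets traverse INPUT; routed container packets traverse FORWARD."""
    chains = parse_chains(text)
    return {root: bans_reachable_from(chains, root, ip) for root in ("INPUT", "FORWARD")}
```

For the dump in the post, the REJECT for the banned address is only reachable from INPUT (via ufw-before-input and ufw-user-input), while FORWARD reaches ufw-user-forward and DOCKER-USER, where no rule for that address exists; that is why forwarded HTTPS traffic to 10.0.0.2 is unaffected by the ban.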