Iptables not working, trying to change openwrt to use drop policy

Ciao, I have iptables. How can I configure the firewall to use, instead of:
Chain INPUT (policy ACCEPT)
to be
Chain INPUT (policy DROP)

I have a chain called f2b-postfix-sasl. It works with fail2ban and it shows up in iptables, but I think the problem is that it accepts the packets, which stops the fail2ban bans, so it should first drop if there is a ban via iptables and then accept.
How can I configure it? Is it possible to understand what I am doing?

root@home:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

f2b-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,submission,imap3,imaps,pop3,pop3s,submission

ACCEPT     udp  --  anywhere             anywhere             udp dpt:l2f
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4500
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_sygnusvpn_input  all  --  anywhere             anywhere             /* !fw3 */
zone_openvpn_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.140.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.17.0/24      anywhere            
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_sygnusvpn_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_openvpn_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_sygnusvpn_output  all  --  anywhere             anywhere             /* !fw3 */
zone_openvpn_output  all  --  anywhere             anywhere             /* !fw3 */

Chain MINIUPNPD (2 references)
target     prot opt source               destination         

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
REJECT     all  --  ip-38-53.ZervDNS     anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere            

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_openvpn_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_sygnusvpn_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_openvpn_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_sygnusvpn_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_openvpn_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_sygnusvpn_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (8 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_openvpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to openvpn forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_openvpn_dest_ACCEPT (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_openvpn_forward (1 references)
target     prot opt source               destination         
forwarding_openvpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom openvpn forwarding rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone openvpn to lan forwarding policy */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone openvpn to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_openvpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_openvpn_input (1 references)
target     prot opt source               destination         
input_openvpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom openvpn input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_openvpn_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_openvpn_output (1 references)
target     prot opt source               destination         
output_openvpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom openvpn output rule chain */
zone_openvpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_openvpn_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_sygnusvpn_dest_ACCEPT (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_sygnusvpn_forward (1 references)
target     prot opt source               destination         
forwarding_sygnusvpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom sygnusvpn forwarding rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone sygnusvpn to lan forwarding policy */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone sygnusvpn to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
MINIUPNPD  all  --  anywhere             anywhere            
zone_sygnusvpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_sygnusvpn_input (1 references)
target     prot opt source               destination         
input_sygnusvpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom sygnusvpn input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_sygnusvpn_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_sygnusvpn_output (1 references)
target     prot opt source               destination         
output_sygnusvpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom sygnusvpn output rule chain */
zone_sygnusvpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_sygnusvpn_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (4 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (2 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
MINIUPNPD  all  --  anywhere             anywhere            
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (2 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn /* !fw3: Allow-OpenVPN-Inbound */
ACCEPT     ipv6 --  anywhere             anywhere             /* !fw3: Allow-protocol 41 */
ACCEPT     ipv6-nonxt--  anywhere             anywhere             /* !fw3: Allow-protocol 59 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn /* !fw3: Allow-OpenVPN-Inbound */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (2 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */
root@home:~# 

You can see that for some reason fail2ban is not working with the OpenWrt firewall:

2019-10-15 21:04:44,915 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:04:44
2019-10-15 21:07:20,120 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:07:19
2019-10-15 21:07:50,818 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:07:50
2019-10-15 21:07:50,956 fail2ban.actions        [7477]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-15 21:10:30,388 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:10:29
2019-10-15 21:11:01,081 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:11:00
2019-10-15 21:12:10,973 fail2ban.filter         [7477]: INFO    [wp-auth] Found 88.102.13.246 - 2019-10-15 21:12:10
2019-10-15 21:13:31,423 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:13:31
2019-10-15 21:13:31,563 fail2ban.actions        [7477]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-15 21:13:59,375 fail2ban.filter         [7477]: INFO    [wp-xmlrpc] Found 13.238.247.195 - 2019-10-15 21:13:58
2019-10-15 21:14:02,119 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:14:01
2019-10-15 21:16:37,110 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:16:37
2019-10-15 21:17:05,212 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:17:04
2019-10-15 21:17:05,612 fail2ban.actions        [7477]: WARNING [postfix-sasl] 92.118.38.53 already banned
2019-10-15 21:19:49,596 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:19:49
2019-10-15 21:20:14,887 fail2ban.filter         [7477]: INFO    [postfix-sasl] Found 92.118.38.53 - 2019-10-15 21:20:14

Even though there is a REJECT for the given IP address, it still opens a connection to the e-mail server, e.g.:

Oct 15 21:18:45 p3x-dc postfix/smtps/smtpd[10004]: warning: hostname ip-38-53.ZervDNS does not resolve to address 92.118.38.53: Name or service not known
Oct 15 21:18:45 p3x-dc postfix/smtps/smtpd[10004]: connect from unknown[92.118.38.53]
Oct 15 21:19:14 p3x-dc postfix/smtps/smtpd[10726]: warning: database /etc/aliases.db is older than source file /etc/aliases
Oct 15 21:19:14 p3x-dc postfix/smtps/smtpd[10726]: warning: hostname ip-38-53.ZervDNS does not resolve to address 92.118.38.53: Name or service not known
Oct 15 21:19:14 p3x-dc postfix/smtps/smtpd[10726]: connect from unknown[92.118.38.53]
Oct 15 21:19:49 p3x-dc postfix/smtps/smtpd[10004]: warning: unknown[92.118.38.53]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 15 21:19:58 p3x-dc postfix/smtps/smtpd[10004]: lost connection after AUTH from unknown[92.118.38.53]
Oct 15 21:19:58 p3x-dc postfix/smtps/smtpd[10004]: disconnect from unknown[92.118.38.53] ehlo=1 auth=0/1 rset=1 commands=2/3
Oct 15 21:20:14 p3x-dc postfix/smtps/smtpd[10726]: warning: unknown[92.118.38.53]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 15 21:20:24 p3x-dc postfix/smtps/smtpd[10726]: lost connection after AUTH from unknown[92.118.38.53]
Oct 15 21:20:24 p3x-dc postfix/smtps/smtpd[10726]: disconnect from unknown[92.118.38.53] ehlo=1 auth=0/1 rset=1 commands=2/3
Oct 15 21:21:50 p3x-dc postfix/smtps/smtpd[10726]: warning: hostname ip-38-53.ZervDNS does not resolve to address 92.118.38.53: Name or service not known
Oct 15 21:21:50 p3x-dc postfix/smtps/smtpd[10726]: connect from unknown[92.118.38.53]
Oct 15 21:22:18 p3x-dc postfix/smtps/smtpd[11320]: warning: database /etc/aliases.db is older than source file /etc/aliases
Oct 15 21:22:18 p3x-dc postfix/smtps/smtpd[11320]: warning: hostname ip-38-53.ZervDNS does not resolve to address 92.118.38.53: Name or service not known
Oct 15 21:22:18 p3x-dc postfix/smtps/smtpd[11320]: connect from unknown[92.118.38.53]
Oct 15 21:22:49 p3x-dc postfix/smtps/smtpd[10726]: warning: unknown[92.118.38.53]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 15 21:22:57 p3x-dc postfix/smtps/smtpd[10726]: lost connection after AUTH from unknown[92.118.38.53]
Oct 15 21:22:57 p3x-dc postfix/smtps/smtpd[10726]: disconnect from unknown[92.118.38.53] ehlo=1 auth=0/1 rset=1 commands=2/3

Has anyone been able to use fail2ban with OpenWrt?
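As an added example (not part of this thread, and not OpenWrt, fw3 or fail2ban code), here is a small Python script that parses `iptables -L` output like the dump above and reports from which built-in chains the fail2ban chain can be reached at all. Run on a trimmed copy of the posted ruleset it shows two things the listing already contains but that are easy to miss: `f2b-postfix-sasl` is rule 1 of INPUT, so no earlier ACCEPT can shadow it there, and FORWARD never jumps to it. The different hostnames in the paste (`root@home` for the router, `p3x-dc` in the postfix log) suggest, but do not prove, that postfix runs on another host reached through a port forward; a DNATed connection traverses PREROUTING, FORWARD and POSTROUTING and never INPUT, so under that assumption the ban is simply in the wrong chain. One caveat: `iptables -L` without `-v` hides interface matches, so an `ACCEPT all anywhere anywhere` line may well be `-i lo`; use `iptables -S` to see the rules verbatim before drawing conclusions about shadowing.

```python
"""Find where a fail2ban chain is hooked into an `iptables -L` listing.
SAMPLE is a trimmed copy of the dump in the post (constructed sample input):
INPUT/FORWARD are cut to the relevant rules and the zone chain FORWARD jumps
to is kept so the chain graph stays intact."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "target prot src dst extra")
Chain = namedtuple("Chain", "policy rules")    # policy is None for user chains
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
# columns: target prot opt source destination [matches]; prot and opt may
# run together in -L output ("ipv6-nonxt--"), hence the lazy prot group
RULE_RE = re.compile(r"^(?P<target>\S+)\s+(?P<prot>\S+?)\s*(?:--|!f|-f)\s+"
                     r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")

SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,submission,imap3,imaps,pop3,pop3s,submission
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
REJECT     all  --  ip-38-53.ZervDNS     anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain zone_wan_forward (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */
"""

def parse_listing(text):
    """Turn `iptables -L` text into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = Chain(m.group(2), [])
        elif current and line.strip() and not line.startswith("target "):
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unparsed rule line: %r" % line)
            chains[current].rules.append(Rule(m["target"], m["prot"], m["src"],
                                              m["dst"], m["extra"].strip()))
    return chains

def jump_paths(chains, target):
    """Every path built-in -> ... -> target as a tuple of chain names. Verdicts
    along the way are ignored: this asks "is it wired in", not "does packet X get there"."""
    refs = {}
    for name, chain in chains.items():
        for rule in chain.rules:
            refs.setdefault(rule.target, set()).add(name)
    paths = []

    def climb(name, path):
        if name in BUILTIN:
            paths.append((name,) + path)
            return
        for parent in sorted(refs.get(name, ())):
            if parent not in path:          # loop guard
                climb(parent, (name,) + path)

    climb(target, ())
    return paths

def jump_index(chains, chain, target):
    """1-based number of the first rule in `chain` jumping to `target`, else None."""
    for i, rule in enumerate(chains[chain].rules, 1):
        if rule.target == target:
            return i
    return None

def multiport_dports(rule):
    """Service names from a `multiport dports a,b,c` match (empty set if none)."""
    m = re.search(r"multiport dports (\S+)", rule.extra)
    return set(m.group(1).split(",")) if m else set()

if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for name in sorted(BUILTIN & set(chains)):
        idx = jump_index(chains, name, "f2b-postfix-sasl")
        print(name, "policy", chains[name].policy, "- ban hook at rule", idx)
    print("paths:", jump_paths(chains, "f2b-postfix-sasl"))
    print("ports covered:", sorted(multiport_dports(chains["INPUT"].rules[0])))
```

Run as-is it prints INPUT (policy ACCEPT) with the ban hook at rule 1, FORWARD (policy DROP) with no hook, and a port list that includes `ssmtp` (465), so the port the postfix/smtps log shows is covered. Changing the default policy (in fw3 that is `option input 'DROP'` in the `config defaults` section of `/etc/config/firewall`) only changes what happens to packets that fall off the end of INPUT; it does not move the hook. If the mail server sits behind a port forward, the ban has to be applied in FORWARD instead, which fail2ban's iptables actions allow through their `chain` parameter.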

Edit it in /etc/config/firewall

You might consider getting rid of the firewall completely, as it is maintained by LuCI/uci, and using well-documented (and understood) iptables rules directly.
This is especially handy when using other packages which fiddle around with iptables rules themselves.
Probably you will need to build your own firmware image to accomplish this.
Like I do.
