[Resolved] Fail2ban and iptables : IP bans not blocked

erdoukki · March 1, 2021, 4:59pm

My fail2ban bans but rules of iptables do not block traffic !

root@LPM:~# fail2ban-client status
Status
|- Number of jail:	4
`- Jail list:	ddos, dropbear, nextcloud, portscan
root@LPM:~# fail2ban-client status nextcloud
Status for the jail: nextcloud
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	9
|  `- File list:	/var/log/messages
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	37.170.77.195 37.164.202.152
root@LPM:~#

root@LPM:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-nextcloud  tcp  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:52900 /* !fw3: Allow-Wireguard-Inbound */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_WG_NDDC_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
FLOWOFFLOAD  all  --  anywhere             anywhere             /* !fw3: Traffic offloading */ ctstate RELATED,ESTABLISHED FLOWOFFLOAD hw
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_WG_NDDC_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_WG_NDDC_output  all  --  anywhere             anywhere             /* !fw3 */

Chain f2b-nextcloud (1 references)
target     prot opt source               destination         
REJECT     all  --  37.164.202.152       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37-170-77-195.coucou-networks.fr  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere            

Chain forwarding_WG_NDDC_rule (1 references)
target     prot opt source               destination         

Chain forwarding_dmz_rule (1 references)
target     prot opt source               destination         

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_WG_NDDC_rule (1 references)
target     prot opt source               destination         

Chain input_dmz_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_WG_NDDC_rule (1 references)
target     prot opt source               destination         

Chain output_dmz_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (3 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_dest_ACCEPT (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_forward (1 references)
target     prot opt source               destination         
forwarding_WG_NDDC_rule  all  --  anywhere             anywhere             /* !fw3: Custom WG_NDDC forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone WG_NDDC to wan forwarding policy */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone WG_NDDC to lan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_WG_NDDC_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_input (1 references)
target     prot opt source               destination         
input_WG_NDDC_rule  all  --  anywhere             anywhere             /* !fw3: Custom WG_NDDC input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_WG_NDDC_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_output (1 references)
target     prot opt source               destination         
output_WG_NDDC_rule  all  --  anywhere             anywhere             /* !fw3: Custom WG_NDDC output rule chain */
zone_WG_NDDC_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_dest_ACCEPT (2 references)
target     prot opt source               destination         

Chain zone_dmz_dest_REJECT (1 references)
target     prot opt source               destination         

Chain zone_dmz_forward (0 references)
target     prot opt source               destination         
forwarding_dmz_rule  all  --  anywhere             anywhere             /* !fw3: Custom dmz forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone dmz to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_dmz_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_input (0 references)
target     prot opt source               destination         
input_dmz_rule  all  --  anywhere             anywhere             /* !fw3: Custom dmz input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_dmz_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_output (0 references)
target     prot opt source               destination         
output_dmz_rule  all  --  anywhere             anywhere             /* !fw3: Custom dmz output rule chain */
zone_dmz_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_src_ACCEPT (1 references)
target     prot opt source               destination         

Chain zone_lan_dest_ACCEPT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_dmz_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to dmz forwarding policy */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_WG_NDDC_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to WG_NDDC forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_ACCEPT (4 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */

dibdot · March 1, 2021, 5:12pm

Maybe banIP is worth trying...

frollic · March 1, 2021, 5:15pm

and what does the fail2ban log say ?

erdoukki · March 1, 2021, 5:17pm

2021-03-01 17:55:40,945 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 17:55:40
2021-03-01 17:55:40,950 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 17:55:40
2021-03-01 17:55:41,102 fail2ban.actions        [16405]: WARNING [nextcloud] 37.166.71.129 already banned
2021-03-01 17:55:41,213 fail2ban.actions        [16405]: WARNING [nextcloud] 37.166.71.129 already banned
2021-03-01 17:55:41,221 fail2ban.actions        [16405]: WARNING [nextcloud] 37.166.71.129 already banned

manually unban to test again :

2021-03-01 18:17:49,571 fail2ban.actions        [16405]: NOTICE  [nextcloud] Unban 37.166.71.129
2021-03-01 18:18:45,328 fail2ban.ipdns          [16405]: WARNING Unable to find a corresponding IP address for LPM: [Errno -2] Name does not resolve
2021-03-01 18:18:45,342 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:18:44
2021-03-01 18:18:45,346 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:18:44
2021-03-01 18:18:45,351 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:18:44
2021-03-01 18:18:45,356 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:18:44
2021-03-01 18:19:15,193 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:19:14
2021-03-01 18:19:15,234 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:19:14
2021-03-01 18:19:15,247 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:19:14
2021-03-01 18:19:15,257 fail2ban.filter         [16405]: INFO    [nextcloud] Found 37.166.71.129 - 2021-03-01 18:19:14
2021-03-01 18:19:15,392 fail2ban.actions        [16405]: NOTICE  [nextcloud] Ban 37.166.71.129

frollic · March 1, 2021, 5:19pm

you can use fail2ban-client to manually ban an IP, see how that goes, and what the error (if any) is.

Temp raising the log verbosity might be a good idea.

I don't use iptables myself, but verify that the drop/reject action applies on all traffic from IP, not only new connections.

pavelgl · March 1, 2021, 5:29pm

Looking at your INPUT chain, the fail2ban rule should be the only one working rule.

The first rule jumps to f2b-nextcloud, where the two banned address are listed and should be rejected.

The second rule accepts ALL the traffic, and makes all rules below meanless.

erdoukki · March 1, 2021, 5:45pm

root@LPM:~# iptables-save

# Generated by iptables-save v1.8.3 on Mon Mar  1 18:43:15 2021
*nat
:PREROUTING ACCEPT [139:20301]
:INPUT ACCEPT [95:6320]
:OUTPUT ACCEPT [738:49421]
:POSTROUTING ACCEPT [121:8393]
:postrouting_WG_NDDC_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_WG_NDDC_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_WG_NDDC_postrouting - [0:0]
:zone_WG_NDDC_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i WG_NDDC -m comment --comment "!fw3" -j zone_WG_NDDC_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o WG_NDDC -m comment --comment "!fw3" -j zone_WG_NDDC_postrouting
-A zone_WG_NDDC_postrouting -m comment --comment "!fw3: Custom WG_NDDC postrouting rule chain" -j postrouting_WG_NDDC_rule
-A zone_WG_NDDC_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_WG_NDDC_prerouting -m comment --comment "!fw3: Custom WG_NDDC prerouting rule chain" -j prerouting_WG_NDDC_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.16/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEB (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.16/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEBS (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.16/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 82.65.221.177
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.16/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 82.65.221.177
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.159/32 -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: TURN (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.159/32 -p udp -m udp --dport 3478 -m comment --comment "!fw3: TURN (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: postfix (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: postfix (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: postfix (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: postfix (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: dovecot (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p udp -m udp --dport 993 -m comment --comment "!fw3: dovecot (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: metronome (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p udp -m udp --dport 5222 -m comment --comment "!fw3: metronome (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: metronome (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.207/32 -p udp -m udp --dport 5269 -m comment --comment "!fw3: metronome (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.112/32 -p tcp -m tcp --dport 45125 -m comment --comment "!fw3: TORRENT (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_postrouting -s 10.4.2.0/24 -d 10.4.2.112/32 -p udp -m udp --dport 45125 -m comment --comment "!fw3: TORRENT (reflection)" -j SNAT --to-source 10.4.2.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEB (reflection)" -j DNAT --to-destination 10.4.2.16:80
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEBS (reflection)" -j DNAT --to-destination 10.4.2.16:443
-A zone_lan_prerouting -s 10.4.2.0/24 -d 82.65.221.177/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 10.4.2.16:443
-A zone_lan_prerouting -s 10.4.2.0/24 -d 82.65.221.177/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 10.4.2.16:80
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: TURN (reflection)" -j DNAT --to-destination 10.4.2.159:3478
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 3478 -m comment --comment "!fw3: TURN (reflection)" -j DNAT --to-destination 10.4.2.159:3478
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: postfix (reflection)" -j DNAT --to-destination 10.4.2.207:25
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: postfix (reflection)" -j DNAT --to-destination 10.4.2.207:25
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: postfix (reflection)" -j DNAT --to-destination 10.4.2.207:587
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: postfix (reflection)" -j DNAT --to-destination 10.4.2.207:587
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: dovecot (reflection)" -j DNAT --to-destination 10.4.2.207:993
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 993 -m comment --comment "!fw3: dovecot (reflection)" -j DNAT --to-destination 10.4.2.207:993
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: metronome (reflection)" -j DNAT --to-destination 10.4.2.207:5222
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 5222 -m comment --comment "!fw3: metronome (reflection)" -j DNAT --to-destination 10.4.2.207:5222
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: metronome (reflection)" -j DNAT --to-destination 10.4.2.207:5269
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 5269 -m comment --comment "!fw3: metronome (reflection)" -j DNAT --to-destination 10.4.2.207:5269
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock DNS, port 53" -j DNAT --to-destination 10.4.2.1:53
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock DNS, port 53" -j DNAT --to-destination 10.4.2.1:53
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p tcp -m tcp --dport 45125 -m comment --comment "!fw3: TORRENT (reflection)" -j DNAT --to-destination 10.4.2.112:45125
-A zone_lan_prerouting -s 10.4.2.0/24 -d 192.168.0.150/32 -p udp -m udp --dport 45125 -m comment --comment "!fw3: TORRENT (reflection)" -j DNAT --to-destination 10.4.2.112:45125
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -d 82.65.221.177/32 -p udp -m udp --dport 52900 -m comment --comment "!fw3: WIREGUARD" -j REDIRECT --to-ports 52900
-A zone_wan_prerouting -d 192.168.0.150/32 -p udp -m udp --dport 52900 -m comment --comment "!fw3: WG" -j REDIRECT --to-ports 52900
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEB" -j DNAT --to-destination 10.4.2.16:80
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEBS" -j DNAT --to-destination 10.4.2.16:443
-A zone_wan_prerouting -d 82.65.221.177/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 10.4.2.16:443
-A zone_wan_prerouting -d 82.65.221.177/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 10.4.2.16:80
-A zone_wan_prerouting -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: TURN" -j DNAT --to-destination 10.4.2.159:3478
-A zone_wan_prerouting -p udp -m udp --dport 3478 -m comment --comment "!fw3: TURN" -j DNAT --to-destination 10.4.2.159:3478
-A zone_wan_prerouting -p tcp -m tcp --dport 25 -m comment --comment "!fw3: postfix" -j DNAT --to-destination 10.4.2.207:25
-A zone_wan_prerouting -p udp -m udp --dport 25 -m comment --comment "!fw3: postfix" -j DNAT --to-destination 10.4.2.207:25
-A zone_wan_prerouting -p tcp -m tcp --dport 587 -m comment --comment "!fw3: postfix" -j DNAT --to-destination 10.4.2.207:587
-A zone_wan_prerouting -p udp -m udp --dport 587 -m comment --comment "!fw3: postfix" -j DNAT --to-destination 10.4.2.207:587
-A zone_wan_prerouting -p tcp -m tcp --dport 993 -m comment --comment "!fw3: dovecot" -j DNAT --to-destination 10.4.2.207:993
-A zone_wan_prerouting -p udp -m udp --dport 993 -m comment --comment "!fw3: dovecot" -j DNAT --to-destination 10.4.2.207:993
-A zone_wan_prerouting -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: metronome" -j DNAT --to-destination 10.4.2.207:5222
-A zone_wan_prerouting -p udp -m udp --dport 5222 -m comment --comment "!fw3: metronome" -j DNAT --to-destination 10.4.2.207:5222
-A zone_wan_prerouting -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: metronome" -j DNAT --to-destination 10.4.2.207:5269
-A zone_wan_prerouting -p udp -m udp --dport 5269 -m comment --comment "!fw3: metronome" -j DNAT --to-destination 10.4.2.207:5269
-A zone_wan_prerouting -p tcp -m tcp --dport 45125 -m comment --comment "!fw3: TORRENT" -j DNAT --to-destination 10.4.2.112:45125
-A zone_wan_prerouting -p udp -m udp --dport 45125 -m comment --comment "!fw3: TORRENT" -j DNAT --to-destination 10.4.2.112:45125
COMMIT
# Completed on Mon Mar  1 18:43:15 2021
# Generated by iptables-save v1.8.3 on Mon Mar  1 18:43:15 2021
*raw
:PREROUTING ACCEPT [2124:265799]
:OUTPUT ACCEPT [1679:464404]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Mon Mar  1 18:43:15 2021
# Generated by iptables-save v1.8.3 on Mon Mar  1 18:43:15 2021
*mangle
:PREROUTING ACCEPT [38634:5069116]
:INPUT ACCEPT [31508:4352641]
:FORWARD ACCEPT [6376:442901]
:OUTPUT ACCEPT [28900:26237492]
:POSTROUTING ACCEPT [35099:26665849]
COMMIT
# Completed on Mon Mar  1 18:43:15 2021
# Generated by iptables-save v1.8.3 on Mon Mar  1 18:43:15 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-nextcloud - [0:0]
:forwarding_WG_NDDC_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_WG_NDDC_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_WG_NDDC_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_WG_NDDC_dest_ACCEPT - [0:0]
:zone_WG_NDDC_forward - [0:0]
:zone_WG_NDDC_input - [0:0]
:zone_WG_NDDC_output - [0:0]
:zone_WG_NDDC_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -p tcp -j f2b-nextcloud
-A INPUT -p tcp -j f2b-nextcloud
-A INPUT -p tcp -j f2b-nextcloud
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p udp -m udp --dport 52900 -m comment --comment "!fw3: Allow-Wireguard-Inbound" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i WG_NDDC -m comment --comment "!fw3" -j zone_WG_NDDC_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i WG_NDDC -m comment --comment "!fw3" -j zone_WG_NDDC_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o WG_NDDC -m comment --comment "!fw3" -j zone_WG_NDDC_output
-A f2b-nextcloud -s 37.166.71.129/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -s 37.164.251.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -s 37.164.202.152/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -j RETURN
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_WG_NDDC_dest_ACCEPT -o WG_NDDC -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_WG_NDDC_dest_ACCEPT -o WG_NDDC -m comment --comment "!fw3" -j ACCEPT
-A zone_WG_NDDC_forward -m comment --comment "!fw3: Custom WG_NDDC forwarding rule chain" -j forwarding_WG_NDDC_rule
-A zone_WG_NDDC_forward -m comment --comment "!fw3: Zone WG_NDDC to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_WG_NDDC_forward -m comment --comment "!fw3: Zone WG_NDDC to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_WG_NDDC_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_WG_NDDC_forward -m comment --comment "!fw3" -j zone_WG_NDDC_dest_ACCEPT
-A zone_WG_NDDC_input -m comment --comment "!fw3: Custom WG_NDDC input rule chain" -j input_WG_NDDC_rule
-A zone_WG_NDDC_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_WG_NDDC_input -m comment --comment "!fw3" -j zone_WG_NDDC_src_ACCEPT
-A zone_WG_NDDC_output -m comment --comment "!fw3: Custom WG_NDDC output rule chain" -j output_WG_NDDC_rule
-A zone_WG_NDDC_output -m comment --comment "!fw3" -j zone_WG_NDDC_dest_ACCEPT
-A zone_WG_NDDC_src_ACCEPT -i WG_NDDC -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to WG_NDDC forwarding policy" -j zone_WG_NDDC_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Mar  1 18:43:15 2021

where do I am wrong ?

pavelgl · March 1, 2021, 6:20pm

iptables-save looks OK.
When you show the result of iptables -L, add option -v and so the input/output interfaces will be listed too.
If the nextcloud service is hosted on external storage on the OpenWrt device, everytnig should work.
If it is hosted by device no the LAN, INPUT is not the right chain.

erdoukki · March 1, 2021, 6:23pm

[quote="pavelgl, post:8, topic:90057"]
When you show the result of iptables -L, add option -v and so the input/output interfaces will be listed too.[/quote]

root@LPM:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 104K   68M f2b-nextcloud  tcp  --  any    any     anywhere             anywhere            
 110K   69M f2b-nextcloud  tcp  --  any    any     anywhere             anywhere            
 111K   69M f2b-nextcloud  tcp  --  any    any     anywhere             anywhere            
 4311  332K ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
 113K   70M input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom input rule chain */
 107K   69M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* !fw3 */
 1475 85352 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:52900 /* !fw3: Allow-Wireguard-Inbound */
 4512  572K zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
  811 94713 zone_wan_input  all  --  wan    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_WG_NDDC_input  all  --  WG_NDDC any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6606  841K forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
 5862  795K FLOWOFFLOAD  all  --  any    any     anywhere             anywhere             /* !fw3: Traffic offloading */ ctstate RELATED,ESTABLISHED FLOWOFFLOAD hw
 5862  795K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   19   988 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* !fw3 */
  717 43983 zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    8   412 zone_wan_forward  all  --  wan    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_WG_NDDC_forward  all  --  WG_NDDC any     anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4311  332K ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
96432   73M output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom output rule chain */
86506   73M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* !fw3 */
    0     0 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
 9926  647K zone_wan_output  all  --  any    wan     anywhere             anywhere             /* !fw3 */
    0     0 zone_WG_NDDC_output  all  --  any    WG_NDDC  anywhere             anywhere             /* !fw3 */

Chain f2b-nextcloud (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     37-166-71-129.coucou-networks.fr  anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     37.164.251.56        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     37.164.202.152       anywhere             reject-with icmp-port-unreachable
 311K  205M RETURN     all  --  any    any     anywhere             anywhere            

Chain forwarding_WG_NDDC_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_WG_NDDC_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_WG_NDDC_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
  401 24514 REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
  385 68135 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1475 85352 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    WG_NDDC  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
    0     0 ACCEPT     all  --  any    WG_NDDC  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_WG_NDDC_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom WG_NDDC forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone WG_NDDC to wan forwarding policy */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone WG_NDDC to lan forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_WG_NDDC_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_WG_NDDC_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom WG_NDDC input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_WG_NDDC_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_WG_NDDC_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom WG_NDDC output rule chain */
    0     0 zone_WG_NDDC_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  WG_NDDC any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    br-lan  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  717 43983 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
  717 43983 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
   56  3364 zone_WG_NDDC_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to WG_NDDC forwarding policy */
   56  3364 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4512  572K input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
 4512  572K zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan output rule chain */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4512  572K ACCEPT     all  --  br-lan any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    wan     anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
10587  688K ACCEPT     all  --  any    wan     anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  any    wan     anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   412 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
    8   412 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  811 94713 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
   25  2064 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  786 92649 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9926  647K output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan output rule chain */
 9926  647K zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  786 92649 reject     all  --  wan    any     anywhere             anywhere             /* !fw3 */

NextCloud is in my LAN zone on another device

pavelgl · March 1, 2021, 7:02pm

Try the following

iptables -I FORWARD 1 -j f2b-nextcloud

erdoukki · March 1, 2021, 7:18pm

working thanks !

I have put in my jail.local the following :

root@LPM:~# cat /etc/fail2ban/jail.local

[DEFAULT]
chain = FORWARD

and now it is working fine !
root@LPM:~# iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  379 28709 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
 4371  676K input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom input rule chain */
 3798  549K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   82  4264 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* !fw3 */
  243 14128 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:52900 /* !fw3: Allow-Wireguard-Inbound */
  418  114K zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
   73  9505 zone_wan_input  all  --  wan    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_WG_NDDC_input  all  --  WG_NDDC any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   90  6480 f2b-nextcloud  tcp  --  any    any     anywhere             anywhere            
  271 20663 forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
  220 17254 FLOWOFFLOAD  all  --  any    any     anywhere             anywhere             /* !fw3: Traffic offloading */ ctstate RELATED,ESTABLISHED FLOWOFFLOAD hw
  220 17254 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* !fw3 */
   48  3233 zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    3   176 zone_wan_forward  all  --  wan    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_WG_NDDC_forward  all  --  WG_NDDC any     anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  379 28709 ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
 3821  972K output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom output rule chain */
 3197  928K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   92  4784 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID /* !fw3 */
   19  2716 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
  513 36113 zone_wan_output  all  --  any    wan     anywhere             anywhere             /* !fw3 */
    0     0 zone_WG_NDDC_output  all  --  any    WG_NDDC  anywhere             anywhere             /* !fw3 */

Chain f2b-nextcloud (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     37-166-71-129.coucou-networks.fr  anywhere             reject-with icmp-port-unreachable
    3   192 REJECT     all  --  any    any     37.166.123.73        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     37.164.251.56        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     37.164.202.152       anywhere             reject-with icmp-port-unreachable
   87  6288 RETURN     all  --  any    any     anywhere             anywhere            

Chain forwarding_WG_NDDC_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_WG_NDDC_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_WG_NDDC_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   40  3973 REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
   30  5280 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  243 14128 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    WG_NDDC  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
    0     0 ACCEPT     all  --  any    WG_NDDC  anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_WG_NDDC_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom WG_NDDC forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone WG_NDDC to wan forwarding policy */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone WG_NDDC to lan forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_WG_NDDC_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_WG_NDDC_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom WG_NDDC input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_WG_NDDC_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_WG_NDDC_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom WG_NDDC output rule chain */
    0     0 zone_WG_NDDC_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_WG_NDDC_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  WG_NDDC any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination         
   19  2716 ACCEPT     all  --  any    br-lan  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   48  3233 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
   48  3233 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
    0     0 zone_WG_NDDC_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to WG_NDDC forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  418  114K input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  418  114K zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   19  2716 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan output rule chain */
   19  2716 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  418  114K ACCEPT     all  --  br-lan any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    wan     anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
  561 39346 ACCEPT     all  --  any    wan     anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  any    wan     anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   176 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
    3   176 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   73  9505 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
   70  9253 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  513 36113 output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan output rule chain */
  513 36113 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   70  9253 reject     all  --  wan    any     anywhere             anywhere             /* !fw3 */

pavelgl · March 1, 2021, 7:39pm

You are welcome.
Keep in mind, that you should finetune the fail2ban configuration.
You have listed several services, some of which are running on the device itself (like dropbear).
So you should create several jails with INPUT and FORWARD chains included.

erdoukki · March 2, 2021, 9:34am

thanks @pavelgl
I also note that I need to restart service firewall before service fail2ban.
If not, I get multiples f2b rules in iptables and ban not work no more.

I just need to do

service firewall restart
service fail2ban restart

and bans get blocked again !

frollic · March 2, 2021, 9:42am

well,

the iptables entries f2b creates aren't persistent, if you restart your fw they'll be lost.
if you don't restart f2b at the same time, f2b will believe IPs are blocket, while the entries
are gone from iptables.

system · March 12, 2021, 9:42am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.