When Fail2ban triggers an IP ban action, I want to block all the ports on my Ubuntu server. Right now I use banaction = iptables-allports and CSF. At the moment it only blocks the SSH port, even though I use iptables-allports in fail2ban.
I face this issue with sites behind the Cloudflare reverse proxy.
This is an Ubuntu 18.04 Nginx server. I can see visitors' IP addresses in the nginx log files, so I believe the X-Forwarded-For configuration in nginx on this VPS is working as expected.
When I manually added an IP address to the CSF temporary ban list via SSH, it again did not block the HTTP and HTTPS ports. This server supports IPv4 and IPv6.
When I search for the blocked IP, it shows the following output.
    [email protected]:~# csf -g 43.250.242.xxx

    Table  Chain  num  pkts  bytes  target  prot  opt  in  out  source          destination
    filter TOR    174  22    1320   REJECT  all   --   *   *    43.250.242.xxx  0.0.0.0/0    reject-with icmp-port-unreachable
    filter TOR    2    0     0      REJECT  all   --   *   *    43.250.242.xxx  0.0.0.0/0    reject-with icmp-port-unreachable
    filter TOR    6    0     0      REJECT  all   --   *   *    43.250.242.xxx  0.0.0.0/0    reject-with icmp-port-unreachable

    IPSET: Set:cc_lk Match:43.250.242.xxx Setting:CC_ALLOW_PORTS Country:LK

    ip6tables:

    Table  Chain  num  pkts  bytes  target  prot  opt  in  out  source  destination
    No matches found for 43.250.242.xxx in ip6tables
You can’t block these connections in iptables, because those IP addresses do not connect to your server. Instead, they connect to CloudFlare, and CloudFlare connects to your server. Because of this, iptables can only see the CloudFlare IP addresses.
Instead, you need to use IP address controls provided by your web server software or by CloudFlare.
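One way to apply the web-server-side control the answer describes, as an added example that is not part of the original answer: nginx's ngx_http_realip_module (compiled into the stock Ubuntu package) restores the visitor's address from the header Cloudflare sets, after which ordinary `deny` rules are evaluated against the visitor rather than against Cloudflare. The network ranges below are placeholders for illustration, not Cloudflare's real ranges; substitute the current list Cloudflare publishes at https://www.cloudflare.com/ips/. The blocked range and hostname are likewise constructed for the example.

```nginx
# Added example (not from the original question or answer).
# Assumes ngx_http_realip_module is available and that the set_real_ip_from
# lines are replaced with Cloudflare's published IPv4 and IPv6 ranges.
http {
    # Trust the client-address header only when the TCP peer is one of the
    # listed proxy ranges. Without this restriction, a client that reaches
    # the origin directly could supply any address in the header.
    set_real_ip_from 203.0.113.0/24;   # PLACEHOLDER: one line per Cloudflare IPv4 range
    set_real_ip_from 2001:db8::/32;    # PLACEHOLDER: one line per Cloudflare IPv6 range
    real_ip_header CF-Connecting-IP;   # header Cloudflare fills with the visitor's IP

    server {
        listen 80;
        listen [::]:80;
        server_name example.com;       # constructed hostname

        # Because realip has rewritten $remote_addr, these rules match the
        # visitor's address, not Cloudflare's. Cloudflare's own ranges must
        # stay reachable here and in iptables/CSF, or the site goes down.
        deny  43.250.242.0/24;         # constructed example block
        allow all;

        location / {
            root /var/www/html;
        }
    }
}
```

`real_ip_header X-Forwarded-For;` also works, and matches the asker's existing X-Forwarded-For setup, but the same `set_real_ip_from` restriction applies to it. Denied visitors receive a 403 from nginx, which is also a line fail2ban can match in the access log if a ban action that edits an nginx deny list (followed by a reload) is preferred over the iptables action.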
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.