Chathu asked:
When Fail2ban triggers an IP ban action, I want to block all the ports on my Ubuntu server. Right now, I use banaction = iptables-allports
and CSF. At this moment it only blocks the SSH port, even though I use iptables-allports
in fail2ban.
I face this issue with sites behind the Cloudflare reverse proxy.
This is an Ubuntu 18.04 Nginx server. I can view visitors' IP addresses in the nginx log files, so I believe the X-Forwarded-For
configuration in nginx on this VPS is working as expected.
When I manually add an IP address to the CSF temporary ban list via SSH, it again does not block the HTTP and HTTPS ports. This server supports IPv4 and IPv6.
When I search for the blocked IP it shows the following output.
[email protected]:~# csf -g 43.250.242.xxx
Table Chain num pkts bytes target prot opt in out source destination
filter TOR 174 22 1320 REJECT all -- * * 43.250.242.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
filter TOR 2 0 0 REJECT all -- * * 43.250.242.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
filter TOR 6 0 0 REJECT all -- * * 43.250.242.xxx 0.0.0.0/0 reject-with icmp-port-unreachable
IPSET: Set:cc_lk Match:43.250.242.xxx Setting:CC_ALLOW_PORTS Country:LK
ip6tables:
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 43.250.242.xxx in ip6tables
My answer:
You can’t block these connections in iptables, because those IP addresses do not connect to your server. Instead, they connect to CloudFlare, and CloudFlare connects to your server. Because of this, iptables can only see the CloudFlare IP addresses.
Instead, you need to use IP address controls provided by your web server software or by CloudFlare.
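The answer above turns on one fact: the packet filter matches on the TCP peer address, and for proxied traffic that is always a Cloudflare address, while the visitor's address only exists inside an HTTP header. The following Python module is an added illustration of that distinction (it is not code from the Server Fault thread). It shows what a source-address rule such as iptables-allports actually tests, and what an application-layer control has to do instead: accept CF-Connecting-IP or X-Forwarded-For only when the direct peer is a trusted proxy, because any other peer could have written that header itself. The proxy ranges and the blocked range are constructed placeholders (a real deployment loads Cloudflare's published list from cloudflare.com/ips; the question's address is masked, so 43.250.242.0/24 stands in for it).

```python
import ipaddress

# Constructed stand-ins for the reverse proxy's egress ranges. These are NOT
# Cloudflare's real prefixes; load the current published list in production.
TRUSTED_PROXY_CIDRS = ["198.51.100.0/24", "2001:db8:cf::/48"]

# Constructed block list: the question's masked address, widened to its /24.
BLOCKED_CLIENT_CIDRS = ["43.250.242.0/24"]


def _networks(cidrs):
    """Parse a list of CIDR strings into ip_network objects (v4 and v6 mixed)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


TRUSTED_PROXIES = _networks(TRUSTED_PROXY_CIDRS)
BLOCKED_CLIENTS = _networks(BLOCKED_CLIENT_CIDRS)


def _in_any(addr, networks):
    # ip_address in ip_network is False (not an error) when the IP versions differ.
    return any(addr in net for net in networks)


def firewall_would_match(peer_addr, blocked=BLOCKED_CLIENTS):
    """What an iptables/CSF rule keyed on the source address actually tests.

    peer_addr is the TCP peer. Behind Cloudflare that is a proxy address, so a
    rule written for the visitor's IP never fires on proxied connections.
    """
    return _in_any(ipaddress.ip_address(peer_addr), blocked)


def real_client_ip(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the address the web server should treat as the client.

    Only when the peer is a trusted proxy is the client taken from
    CF-Connecting-IP or the first hop of X-Forwarded-For. Otherwise the
    headers are ignored, since an untrusted peer could forge them.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, trusted_proxies):
        return peer  # direct connection: the peer really is the client

    lowered = {k.lower(): v for k, v in headers.items()}
    candidate = lowered.get("cf-connecting-ip")
    if candidate is None and "x-forwarded-for" in lowered:
        # X-Forwarded-For lists hops client-first; take the first entry.
        candidate = lowered["x-forwarded-for"].split(",")[0].strip()
    if candidate is None:
        return peer
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return peer  # malformed header: fall back to the proxy address


def app_layer_decision(peer_addr, headers,
                       trusted_proxies=TRUSTED_PROXIES, blocked=BLOCKED_CLIENTS):
    """'deny' when the real client is on the block list, else 'allow'."""
    client = real_client_ip(peer_addr, headers, trusted_proxies)
    return "deny" if _in_any(client, blocked) else "allow"


if __name__ == "__main__":
    # Constructed sample: a blocked visitor arriving through the proxy.
    proxied = ("198.51.100.7", {"CF-Connecting-IP": "43.250.242.5"})
    print("iptables would match:", firewall_would_match(proxied[0]))   # False
    print("web server decision: ", app_layer_decision(*proxied))      # deny
```

In nginx the same trust rule is expressed with ngx_http_realip_module: one set_real_ip_from line per proxy range and real_ip_header CF-Connecting-IP, after which deny/allow directives or a geo map operate on the rewritten $remote_addr. A Fail2ban action that appends to that deny list, rather than to iptables, is what bans proxied visitors.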
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.