As I said, anything you put in /etc/sysconfig/iptables will be loaded before fail2ban is loaded. So you can block or allow as you see fit.
We run our systems with some major additional firewall rules, once of which is to TARPIT anyone connecting from GeoIP locations that don’t have our customers in them. Since most attacks come from Asia and Eastern Europe, this blocks most of the junk that might otherwise make it through hardware firewalls.
Ahhhhh…the blissful silence of never seeing “unknown peers” in my our log files again! 