Fail2ban and iptables - problem with host being blocked

Greetings everyone!

Been a little while since posting. I ran into a unique one today.

We use an RBL list that is sync’d with an ipset ruleset and then access it with iptables using the advanced custom rule -I INPUT 1 -m set --match-set rbl src -j DROP. This works well.

We have some users that are listed as a trusted network on the freepbx firewall, but have somehow gotten themselves blocked on the RBL list we use.

It appears as if the iptables command above is inserting the rule at a spot in the chain that will cause the users to be blocked, even though they are on a trusted network.

Hoping someone else can suggest where to add this rule such that the trusted and local ip lists are allowed through and not blocked first by the RBL or fail2ban rules?

Hoping for some insight. I'm not sure where else to consider inserting the rule.

Thanks,

No one has any thoughts on this? I just had another user get themselves blocked.

I would think moving the chain in which it is associated would resolve this just fine, I unfortunately do not know where.

Thanks

In supported versions of fail2ban it is in jail.conf

.
.
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
.
.

@dicko thanks for the reply.

I should probably clarify the point a little bit. I have an RBL list that I use for this PBX. I had it set to insert the command to check against the ipset list at the top of the INPUT chain. The problem was if an IP address ended up on the RBL there, even if it was whitelisted or a trusted network, it gets blocked.

I am wondering if there is a better place to insert my rule than the INPUT chain, such that even if somehow the user gets on the black list, the white list / trusted network trumps it and allows the connection through.

I toyed with the idea of inserting it into the fpbxreject chain, which appears below the trusted networks etc.

Thoughts?

You could use A (for APPEND) where you had I (for INSERT).

And given that you can add ‘user defined’ chains wherever you want

User-Defined Chains | Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort.

You can put rules in whatever chain you want, so you just need to prioritize your chains (best not to reuse other chains).
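One way to apply the user-defined-chain suggestion above, as an added example that is not code from the thread or from FreePBX: the RBL drop lives in its own chain, and a RETURN for the trusted ipset is evaluated first, so a trusted host that lands on the RBL is never dropped regardless of where the jump sits in INPUT. It assumes ipsets named `trusted` and `rbl` already exist, the chain name `rbl-check` is a hypothetical choice, and commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the RBL check as a user-defined
# chain in which the trusted ipset is consulted before the RBL ipset.
# Assumptions: ipsets "trusted" and "rbl" exist; "rbl-check" is a made-up
# chain name. Default is a dry run that prints the commands; APPLY=1 runs
# them for real (needs root).

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Emit the rules in the order iptables will evaluate them (first match wins).
build_rbl_chain() {
    run iptables -N rbl-check
    # Trusted sources leave the chain before the RBL is ever consulted ...
    run iptables -A rbl-check -m set --match-set trusted src -j RETURN
    # ... so only non-trusted traffic can be dropped by the RBL match.
    run iptables -A rbl-check -m set --match-set rbl src -j DROP
    # The jump can stay at the top of INPUT, as in the original rule; it is
    # the RETURN inside the chain, not the position, that protects trusted hosts.
    run iptables -I INPUT 1 -j rbl-check
}

# Returns 0 when the trusted RETURN precedes the RBL DROP in the generated set.
check_order() {
    out=$(build_rbl_chain)
    t=$(printf '%s\n' "$out" | grep -n 'match-set trusted' | cut -d: -f1)
    r=$(printf '%s\n' "$out" | grep -n 'match-set rbl' | cut -d: -f1)
    [ -n "$t" ] && [ -n "$r" ] && [ "$t" -lt "$r" ]
}

# Prints the last generated command (the INPUT hook), for verification.
input_hook() {
    build_rbl_chain | tail -n 1
}

build_rbl_chain
```

After applying for real, confirm the placement with `iptables -L INPUT --line-numbers` and `iptables -L rbl-check -v`, and keep the `trusted` ipset in step with the firewall's trusted-network list or the RETURN has nothing to match.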