Apologies, I forgot
iptables -L as @dicko suggested doesn’t show interfaces (I always suggest/use iptables -vnL). The first “accept all” rule should be for the loopback interface only, so should be OK.
To drop packets before any processing. Fail2ban only blocks previously seen bad actors. The blacklist blocks the IP(s) before they can try anything. I would not expect fail2ban to fire on a blacklisted IP it had not previously seen. If fail2ban has already seen the IP before adding to the blacklist, the IP still gets blocked. Which function performs the block doesn’t really matter. Adding to the blacklist ensures the IP continues to be blocked after it falls off of fail2ban’s radar.
The blacklist is first (after housekeeping rules) in the fpbxfirewall chain. Sangoma elected to have a basically stock/vanilla fail2ban install, which places it first in the INPUT chain, and therefore before the fpbxfirewall chain or any other FreePBX-generated rules. Again, for blocking it doesn’t really matter as long as the blacklisted IP is blocked by one or the other.
Much more important is defining precedence for whitelisted/trusted IPs vs fail2ban. So far fail2ban is unaware of anything marked as trusted by the firewall. There are some changes pending in git that will optionally sync the f2b whitelist with firewall trusted addresses, hopefully they will be brought forward.
Why not? Adding to the blacklist should make the ban permanent.
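A way to verify the INPUT chain ordering discussed above on your own box, written here as an added example (not code from the post or from FreePBX): it parses `iptables -S INPUT` style output and reports whether a fail2ban (f2b-*) jump comes before the fpbxfirewall jump and where the loopback accept rule sits. The two rulesets below are constructed samples, and the chain names f2b-* and fpbxfirewall are assumed from the discussion.

```shell
# Constructed sample in `iptables -S INPUT` format (not captured from a real box):
# fail2ban chains first, then loopback accept, then the FreePBX chain.
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -j f2b-recidive
-A INPUT -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j fpbxfirewall'

# Constructed counter-example: fpbxfirewall inserted ahead of the fail2ban chains.
SAMPLE_REORDERED='-P INPUT ACCEPT
-A INPUT -j fpbxfirewall
-A INPUT -i lo -j ACCEPT
-A INPUT -j f2b-sshd'

# rule_index PATTERN: reads rules on stdin and prints the 1-based position within
# INPUT of the first "-A INPUT" rule matching the extended regex PATTERN (0 if none).
rule_index() {
  awk -v pat="$1" '
    /^-A INPUT / { n++; if (!hit && $0 ~ pat) { hit = 1; print n } }
    END { if (!hit) print 0 }'
}

# check_precedence RULES: prints the positions found and returns 0 only when the
# loopback accept, an f2b-* jump and the fpbxfirewall jump all exist and the first
# f2b-* jump precedes fpbxfirewall (the stock fail2ban placement the post describes).
check_precedence() {
  rules=$1
  lo=$(printf '%s\n' "$rules" | rule_index '-i lo -j ACCEPT')
  f2b=$(printf '%s\n' "$rules" | rule_index '-j f2b-')
  fpbx=$(printf '%s\n' "$rules" | rule_index '-j fpbxfirewall')
  printf 'loopback accept: rule %s, first f2b jump: rule %s, fpbxfirewall jump: rule %s\n' \
    "$lo" "$f2b" "$fpbx"
  [ "$lo" -gt 0 ] && [ "$f2b" -gt 0 ] && [ "$fpbx" -gt 0 ] && [ "$f2b" -lt "$fpbx" ]
}

# On a live system run: check_precedence "$(iptables -S INPUT)"
check_precedence "$SAMPLE_INPUT" && echo "OK: fail2ban chains precede fpbxfirewall"
check_precedence "$SAMPLE_REORDERED" || echo "WARNING: fpbxfirewall precedes fail2ban"
```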