fail2ban 失敗 2 禁止登錄嘗試到 docker 容器中的 smtp (postfix) 伺服器

我的主機 / docker 設置有如下問題：主機執行 fail2ban，它從 docker 容器訪問 mail.log 文件，這些文件映射到一個卷上。這一切都很好，我定義了一個 jail.local

[postfix-sasl]
enabled  = true
port     = smtpd
filter   = postfix-sasl
logpath  = /var/lib/docker/volumes/smtp2/_data/mail.log
bantime  = 604800
maxretry = 5
action = docker-action

和一個過濾器 postfix-sasl.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
_port = (?::\d+)?
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)            authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$
[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

以及作為 docker-action.conf 的動作

[Definition]  
actionstart =
actionstop =
actioncheck = iptables -n -L FORWARD | grep -q 'DOCKER[ \t]'
actionban = iptables -I DOCKER 1 -s <ip> -j DROP
actionunban = iptables -D DOCKER -s <ip> -j DROP

一切似乎都很好，甚至得到了

2018-08-14 16:51:24,048 fail2ban.actions        [26209]: WARNING [postfix-sasl] 181.214.206.133 already banned

在 iptables -S 中，我想要以下條目：

-A DOCKER -s 181.214.206.133/32 -j DROP

但是在我的容器中，所有的嘗試仍然像這樣進入

Aug 14 17:34:28 smtp2 postfix/smtpd[16114]: warning: unknown[181.214.206.133]: SASL LOGIN authentication failed: authentication failure
Aug 14 17:34:29 smtp2 postfix/smtpd[16114]: disconnect from unknown[181.214.206.133] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Aug 14 17:34:52 smtp2 postfix/smtpd[16114]: connect from unknown[181.214.206.133]

來自 iptables -S 的輸出

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-N f2bd-postfix-sasl
-N fail2ban-postfix
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-loggireject-input
-A INPUT -j ufw-track-input
-A FORWARD -p tcp -m multiport --dports 25 -j fail2ban-postfix
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -s 69.10.48.187/32 -j DROP
-A DOCKER -s 181.214.206.133/32 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN

iptables -vnL FORWARD 的輸出 | grep 碼頭工人

0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate  ELATED,ESTABLISHED 
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

誰能向我解釋一下，為什麼這些請求仍然被轉發到 docker 容器？我錯過了什麼嗎？

您的DOCKER鏈僅從 呼叫FORWARD。從數字零可以看出，沒有達到規則。也嘗試從 呼叫DOCKER鏈INPUT。

引用自：https://unix.stackexchange.com/questions/462700