iptables errors with ipset #4041

billfor · 2025-07-31T03:03:59Z

billfor
Jul 31, 2025

For Debian 12 I wanted to try switching from regular iptables to iptables-ipset or iptables-ipset-proto6, but I do seem to be getting some errors and was wondering, for fail2ban 1.0.2-2, if it is supposed to work "out of the box" before I go looking at things. I'm wondering if I should change all the ports to the actual numbers rather than the strings (e.g. http, https). Later versions of iptables are more strict.

The types of errors I get are related to invalid port/service `http,https' specified, when setting up the command.

2025-07-30 22:45:45,005 fail2ban.utils          [20431]: ERROR   72995020 -- exec: ipset -exist create f2b-nginx-bad-request hash:ip timeout 0
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto --dport http,https -m set --match-set f2b-nginx-bad-request src -j REJECT --reject-with icmp-port-unreachable >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto --dport http,https
-m set --match-set f2b-nginx-bad-request src -j REJECT --reject-with icmp-port-unreachable; }
done
2025-07-30 22:45:45,046 fail2ban.utils          [20431]: ERROR   72995020 -- stderr: "**iptables v1.8.9 (nf_tables): *invalid port/service** `http,https' specified"*
2025-07-30 22:45:45,059 fail2ban.utils          [20431]: ERROR   72995020 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2025-07-30 22:45:45,076 fail2ban.utils          [20431]: ERROR   72995020 -- returned 2
2025-07-30 22:45:45,089 fail2ban.actions        [20431]: ERROR   Failed to execute ban jail 'nginx-bad-request' action 'iptables-ipset' info 'ActionInfo({'ip': '101.251.238.174', 'family': 'inet4', 'fid': <function Ac
tions.ActionInfo.<lambda> at 0x75aba5c8>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x75aba988>})': Error starting action Jail('nginx-bad-request')/iptables-ipset: 'Script error'
2025-07-30 22:45:45,155 fail2ban.actions        [20431]: NOTICE  [nginx-bad-request] Restore Ban 103.149.26.131

I also get errors like:

2025-07-30 22:37:31,096 fail2ban.utils          [14657]: ERROR   729dba70 -- exec: ipset -exist add f2b-sendmail-reject 103.114.217.196 timeout 0
2025-07-30 22:37:31,100 fail2ban.utils          [14657]: ERROR   729dba70 -- stderr: 'ipset v7.17: Timeout cannot be used: set was created without timeout support'
2025-07-30 22:37:31,103 fail2ban.utils          [14657]: ERROR   729dba70 -- returned 1

sebres · 2025-07-31T15:16:31Z

sebres
Jul 31, 2025
Maintainer

It looks like you're trying to use single-port action type for multiple ports.
Have been you overwritten action or banaction? Note that by default iptables based action have type = oneport:

fail2ban/config/action.d/iptables.conf

Lines 9 to 13 in ff3eca1

    
           # Option:  type 
        
           # Notes.:  type of the action. 
        
           # Values:  [ oneport | multiport | allports ]  Default: oneport 
        
           # 
        
           type = oneport

Anyway, the correct setting would be:

[DEFAULT]
banaction = iptables-ipset[type=multiport]
banaction_allports = iptables-ipset[type=allports]

However, I don't understand why you don't want use nftables action (which shall be default for debian now):

fail2ban/config/paths-debian.conf

Lines 10 to 13 in ff3eca1

    
           [DEFAULT] 
        
           banaction = nftables 
        
           banaction_allports = nftables[type=allports]

Especially because I see iptables v1.8.9 (nf_tables), that means that your native net-filter is nftables and iptables emulate it (it used as a mockup layer).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

iptables errors with ipset #4041

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

iptables errors with ipset #4041

Uh oh!

Uh oh!

billfor Jul 31, 2025

Replies: 1 comment

Uh oh!

sebres Jul 31, 2025 Maintainer

billfor
Jul 31, 2025

sebres
Jul 31, 2025
Maintainer