1

Topic: Firewall errors and fail2ban not working

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

Hi,

I got some errors from my firewall. Also fail2ban is not working. I think both issues are related.
My own research didn't success, so I'm asking here.
If I empty all rules of iptables, fail2ban is working. But then several other ports are opened. I'm not experienced enough to develop a safe firewall ruleset by myself.

Log from firewalld:

2019-03-04 16:32:13 WARNING: ipset not usable, disabling ipset usage in firewall.
2019-03-04 16:32:13 ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
2019-03-04 16:32:13 WARNING: Failed to get and parse nf_conntrack_helper setting
2019-03-04 16:32:13 WARNING: ebtables not usable, disabling ethernet bridge firewall.
2019-03-04 16:32:13 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 87 failed

2019-03-04 16:32:13 ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 66 failed

2019-03-04 16:32:13 ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 66 failed

2019-03-04 16:32:13 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'PRE_iredmail' is not a chain

Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-04 16:32:13 ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.4.21: goto 'IN_iredmail' is not a chain

Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

2019-03-04 16:32:13 ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.4.21: goto 'IN_iredmail' is not a chain

Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

---------------------------------------------------------------------------------------------------------------------------------------------------
fail2ban tells me:

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mo 2019-03-04 16:32:16 CET; 35min ago
     Docs: man:fail2ban(1)
  Process: 544 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 892 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─892 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Mär 04 17:03:30 mail fail2ban.action[892]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-roundcube[ \t]' -- stderr: ''
Mär 04 17:03:30 mail fail2ban.action[892]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-roundcube[ \t]' -- returned 1
Mär 04 17:03:30 mail fail2ban.CommandAction[892]: ERROR Invariant check failed. Trying to restore a sane environment
Mär 04 17:03:30 mail fail2ban.action[892]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-roundcube
                                            iptables -w -F f2b-roundcube
                                            iptables -w -X f2b-roundcube -- stdout: ''...
Mär 04 17:03:30 mail fail2ban.action[892]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-roundcube
                                            iptables -w -F f2b-roundcube
                                            iptables -w -X f2b-roundcube -- stderr: "iptables v1.4.21: Couldn't load target `f2b-roundcube':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\nipta...
Mär 04 17:03:30 mail fail2ban.action[892]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve -j f2b-roundcube
                                            iptables -w -F f2b-roundcube
                                            iptables -w -X f2b-roundcube -- returned 1...
Mär 04 17:03:30 mail fail2ban.actions[892]: ERROR Failed to execute ban jail 'roundcube-iredmail' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f0029e69398>, 'matches': u'Mar ...uthentication fai
Mär 04 17:05:59 mail fail2ban.filter[892]: INFO [postfix-iredmail] Found 37.49.224.125
Mär 04 17:05:59 mail fail2ban.filter[892]: INFO [postfix-pregreet-iredmail] Found 37.49.224.125
Mär 04 17:06:00 mail fail2ban.actions[892]: NOTICE [postfix-pregreet-iredmail] 37.49.224.125 already banned
-------------------------------------------------------------------------------------------------------------------------------------------------

Thanks for your attention.

sincerely

Micha
====

2

Re: Firewall errors and fail2ban not working

Try to upgrade systemd and firewalld packages to the latest version, then try again. maybe upgrade kernel too.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Firewall errors and fail2ban not working

Hi,

thank you for your reply.

Already checked that and they are up to date.

Any other suggestions?

sincerely

M!cha

4

Re: Firewall errors and fail2ban not working

This should be fixed by restarting Fail2ban service. Did you try it?

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

5 (edited by m!cha 2019-03-22 01:32:37)

Re: Firewall errors and fail2ban not working

Yes, I tried it. It didn't change anything.

Do you want me to add some other/more logged data to this post?

sincerely

M!cha

6

Re: Firewall errors and fail2ban not working

No idea right now. It should just work after restarted. sad

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee