3

The issue is modprobe and iptables don't work inside an LXC Container.

LXC is the userspace control package for Linux Containers, a lightweight virtual system mechanism sometimes described as “chroot on steroids”.

The iptables error inside the container is:

# iptables -I INPUT -s 122.129.126.194 -j DROP
> iptables v1.4.8: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I am guessing that it can't work because the LXC containers share one kernel, the main server kernel.

How do I do fail2ban in this case? modprobe and iptables work in the main server, so I could install it there and link to the logfiles somehow, my guess?

Any suggestions?

RoboTamer
  • Have you loaded the Iptables modules? It can be that you need to do this manually. – Lucas Kauffman Jun 12 '12 at 22:57
  • As long as modprobe doesn't work there is no point in troubleshooting iptables or fail2ban. The real question is, is it even safe to do modprobe from chroot? – RoboTamer Jun 12 '12 at 23:14
  • It ought to work. I'd try manually loading the modules on the host. http://blog.bodhizazen.net/linux/lxc-configure-ubuntu-lucid-containers/ says just copy the modules into the container filesystem. – DerfK Jun 13 '12 at 01:48

2 Answers

3

Maybe TCP wrappers works for you. fail2ban can manage the /etc/hosts.allow and /etc/hosts.deny files.

0

I believe you'll have to run fail2ban on the container host machine (not in the container itself). Now if you have a service running in one of the containers, what you do is configure fail2ban to look for the log file within the filesystem of the container, since the host can see the container's filesystem.

For example, I have a container named mediabox. This is an LXD managed container, and I have used the snap package to install LXD. So I would point fail2ban to the log file using a path like /var/snap/lxd/common/lxd/containers/mediabox/rootfs/var/log/... If you didn't use the snap package, then your paths might vary a bit.

You get the idea of how this works? Fail2ban watches log files. So you can have it run on the host, watch a container's log file, and do the "banning" using iptables on the host (since you can't do it in the container anyway). I hope this helps.
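Both approaches expressed as fail2ban jail configuration, as an added example rather than configuration from either answer. It assumes the container is named mediabox, the snap-installed LXD rootfs path quoted in the second answer, sshd as the protected service, and a Debian-style /var/log/auth.log; adjust the path and log name to your layout.

```ini
# ---- Option A (second answer): jail.local on the LXC/LXD HOST ----
# The host owns the netfilter tables, so it can ban; it reads the
# container's log through the container's rootfs. Assumed names:
# container "mediabox", snap LXD path, sshd log in auth.log.

[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5

[mediabox-sshd]
enabled   = true
filter    = sshd
port      = ssh
logpath   = /var/snap/lxd/common/lxd/containers/mediabox/rootfs/var/log/auth.log
banaction = iptables-multiport
# Traffic destined for a container address is forwarded by the host,
# not delivered to it, so the rule must sit in FORWARD rather than the
# default INPUT chain or the ban will never match.
chain     = FORWARD

# ---- Option B (first answer): jail.local INSIDE the container ----
# iptables is unavailable here, so ban through TCP Wrappers by writing
# /etc/hosts.deny. Only services linked against libwrap (or started via
# tcpd/inetd) honour hosts.deny; check with: ldd $(which sshd) | grep wrap

[sshd]
enabled   = true
filter    = sshd
logpath   = /var/log/auth.log
banaction = hostsdeny
```

Use one option or the other per jail, not both for the same service; Option B silently does nothing for daemons that do not consult hosts.deny, so verify libwrap support before relying on it.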