While using iptables-1.4.11.1-r2, fail2ban gets errors while adding chains. This is the expected result with iptables-1.4.10-r1:

Firewall-rules:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target            prot opt in  out source     destination
1        0     0 fail2ban-SASL     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465
2        0     0 fail2ban-COURIER  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 143,993,110,995
3       21  1428 fail2ban-SSH      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:22
4        0     0 fail2ban-APACHE   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 80,443,8080,8081

With iptables-1.4.11.1-r2 some lines are always missing and fail2ban.log reads:

2011-08-12 15:04:39,687 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
2011-08-12 15:04:39,754 fail2ban.actions.action: ERROR  iptables -N fail2ban-COURIER
iptables -A fail2ban-COURIER -j RETURN
iptables -I INPUT -p tcp -m multiport --dports imap,imaps,pop3,pop3s -j fail2ban-COURIER returned 200
2011-08-12 15:23:58,410 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2011-08-12 15:23:59,441 fail2ban.jail   : INFO   Jail 'apache-auth' stopped
2011-08-12 15:24:00,426 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports imap,imaps,pop3,pop3s -j fail2ban-COURIER
iptables -F fail2ban-COURIER
iptables -X fail2ban-COURIER returned 100

I am not sure what's wrong, but I don't trust iptables-1.4.11.1-r2 anymore, see:
https://bugs.gentoo.org/show_bug.cgi?id=378867
https://bugs.gentoo.org/show_bug.cgi?id=378883
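A small check for the symptom described above, added here as an example and not part of the bug report or of fail2ban itself: it parses an `iptables -L INPUT -n -v --line-numbers` listing, reports which jail chains are not hooked into INPUT with the ports they should cover, and decodes the `returned 400`/`200`/`100` values from the fail2ban.log ERROR lines. The listing and log excerpt are constructed to match the format shown in the report, the `EXPECTED` table is an assumption for the four jails in this report, and the decoding assumes fail2ban 0.8 logs the raw wait status in hexadecimal (so `400` is exit code 4, `200` is 2, `100` is 1).

```python
import re

# Constructed sample in the format of `iptables -L INPUT -n -v --line-numbers`,
# modelled on the healthy listing in the report (not captured from a live host).
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target            prot opt in  out source     destination
1        0     0 fail2ban-SASL     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465
2        0     0 fail2ban-COURIER  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 143,993,110,995
3       21  1428 fail2ban-SSH      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:22
4        0     0 fail2ban-APACHE   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 80,443,8080,8081
"""

# The same listing with the SSH hook missing, as seen after a failed actionstart.
BROKEN_INPUT_CHAIN = "\n".join(
    line for line in SAMPLE_INPUT_CHAIN.splitlines() if "fail2ban-SSH" not in line
)

# Constructed fail2ban.log excerpt in the 0.8.x layout (multi-line actionstart).
SAMPLE_LOG = """\
2011-08-12 15:04:39,687 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
2011-08-12 15:23:58,410 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
"""

# Assumed mapping of jail chain -> ports it must cover for this report's jails.
EXPECTED = {
    "fail2ban-SSH": {"22"},
    "fail2ban-SASL": {"25", "465"},
    "fail2ban-COURIER": {"143", "993", "110", "995"},
    "fail2ban-APACHE": {"80", "443", "8080", "8081"},
}

ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) fail2ban\.actions\.action: ERROR\s+"
    r"(?P<cmd>.*?) returned (?P<status>[0-9a-fA-F]+)$",
    re.MULTILINE | re.DOTALL,
)


def hooked_jail_chains(listing):
    """Map each fail2ban-* target jumped to from INPUT to the set of ports it covers."""
    hooked = {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():  # skip the two header lines
            continue
        target = next((f for f in fields if f.startswith("fail2ban-")), None)
        if target is None:
            continue
        m = re.search(r"(?:dports (\S+)|dpt:(\S+))", line)
        ports = (m.group(1) or m.group(2)).split(",") if m else []
        hooked[target] = set(ports)
    return hooked


def missing_hooks(listing, expected=EXPECTED):
    """Return the expected chains that are absent or cover the wrong ports."""
    hooked = hooked_jail_chains(listing)
    return {name: ports for name, ports in expected.items() if hooked.get(name) != ports}


def decode_action_errors(log_text):
    """Return (timestamp, jail chain, iptables exit code) per failed action.

    Assumption: the logged value is the wait status printed with %x, so the
    exit code is bits 8..15 of the hex number (0x400 -> 4, 0x200 -> 2, 0x100 -> 1).
    """
    errors = []
    for m in ERROR_RE.finditer(log_text):
        exit_code = (int(m.group("status"), 16) >> 8) & 0xFF
        chain = re.search(r"-j (fail2ban-\S+)", m.group("cmd"))
        errors.append((m.group("ts"), chain.group(1) if chain else None, exit_code))
    return errors


if __name__ == "__main__":
    for name, ports in missing_hooks(BROKEN_INPUT_CHAIN).items():
        print("not hooked into INPUT: %s (ports %s)" % (name, ",".join(sorted(ports))))
    for ts, chain, code in decode_action_errors(SAMPLE_LOG):
        print("%s action for %s failed, iptables exit code %d" % (ts, chain, code))
```

Run it against the output of the real commands after each fail2ban restart; an empty result from `missing_hooks` is the condition the report's "some lines are always missing" violates, and a decoded exit code of 4 on the first `iptables -N` points at the concurrent iptables invocations rather than at the chain contents.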
You really should try the latest versions of packages, like iptables 1.4.12.
Is it possible to add some debugging output to see what the errors actually are? Or... could you try iptables-1.4.12.1 so I could stabilize it quickly to fix this error?
OK, I hope this bug is fixed. Anyway, we need some information to work with.
This bug isn't fixed in iptables-1.4.12.1. I tested it and there are still some lines missing.
2011-09-14 14:40:48,498 fail2ban.jail   : INFO   Jail 'courier-iptables' stopped
2011-09-14 14:40:49,518 fail2ban.jail   : INFO   Jail 'sasl-iptables' stopped
2011-09-14 14:40:49,530 fail2ban.server : INFO   Exiting Fail2ban
2011-09-14 14:41:07,875 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-09-14 14:41:07,879 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2011-09-14 14:41:07,884 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2011-09-14 14:41:07,994 fail2ban.filter : INFO   Added logfile = /var/log/secure.log
2011-09-14 14:41:07,999 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,014 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,018 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,352 fail2ban.jail   : INFO   Creating new jail 'apache-auth'
2011-09-14 14:41:08,354 fail2ban.jail   : INFO   Jail 'apache-auth' uses Gamin
2011-09-14 14:41:08,363 fail2ban.filter : INFO   Added logfile = /var/log/apache2/ssl_error_log
2011-09-14 14:41:08,369 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error_log
2011-09-14 14:41:08,373 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,388 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,393 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,501 fail2ban.jail   : INFO   Creating new jail 'sasl-iptables'
2011-09-14 14:41:08,503 fail2ban.jail   : INFO   Jail 'sasl-iptables' uses Gamin
2011-09-14 14:41:08,511 fail2ban.filter : INFO   Added logfile = /var/log/mail/mail.log
2011-09-14 14:41:08,516 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,531 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,536 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,616 fail2ban.jail   : INFO   Creating new jail 'courier-iptables'
2011-09-14 14:41:08,620 fail2ban.jail   : INFO   Jail 'courier-iptables' uses Gamin
2011-09-14 14:41:08,628 fail2ban.filter : INFO   Added logfile = /var/log/mail/mail.log
2011-09-14 14:41:08,633 fail2ban.filter : INFO   Set maxRetry = 3
2011-09-14 14:41:08,648 fail2ban.filter : INFO   Set findtime = 600
2011-09-14 14:41:08,653 fail2ban.actions: INFO   Set banTime = 3600
2011-09-14 14:41:08,732 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-09-14 14:41:08,751 fail2ban.jail   : INFO   Jail 'apache-auth' started
2011-09-14 14:41:08,777 fail2ban.jail   : INFO   Jail 'sasl-iptables' started
2011-09-14 14:41:08,809 fail2ban.jail   : INFO   Jail 'courier-iptables' started
2011-09-14 14:41:08,993 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
I found a solution: http://www.fail2ban.org/wiki/index.php/Fail2ban_talk:Community_Portal#fail2ban.actions.action_ERROR_on_startup.2Frestart
Created attachment 286429: fail2ban-0.8.4-iptables_race_condition.patch
Created attachment 286431: ebuild to include patch in previous attachment
@pva: please assign to the fail2ban herd.
Uh, fixing race conditions with sleep is a really horrible idea :)
Yes, sleep is not a proper solution to this problem, so this patch won't be applied to the fail2ban package.
Could someone please try the $URL and see if this race condition is reproducible?
This should be fixed in 0.8.6