Fail2Ban for Domoticz fails behind reverse proxy
Posted: Thursday 08 August 2024 21:09
I hope someone has a similar setup and got this to work.
I spent quite some time searching the internet. I see many have this problem. I tried several hints, but I did not find the solution.
Situation 1 is working fine.
Internet port forwarded to --> Virtual machine (Ubuntu 22.04) with Domoticz and Fail2Ban installed.
Wrong login is recognized. Ban of the remote IP address is added to iptables.
Iptables blocks the next connection.
Also after the time set, the unban takes place. This shows the fail2ban configuration is correct for this situation.
Situation 2 is not working. (same fail2ban configuration)
Internet port forwarded to --> Reverse proxy on Synology --> Virtual machine (Ubuntu 22.04) with Domoticz and Fail2Ban installed.
Wrong login is recognized. Ban of the remote IP address is added to iptables.
That is, it is in the same place in iptables, but now it does NOT block the next connection.
In both situations the IP address to block is added in iptables to the same chain.
Code:
Chain f2b-domoticz (1 references)
target prot opt source destination
REJECT all -- IP-address-situation1 anywhere reject-with icmp-port-unreachable
REJECT all -- IP-address-situation2 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
This is the first called in the INPUT chain.
At the moment I am out of options and ideas and configured my forwarding to the working situation 1 without the proxy.
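Editor's note with an added example; this is not code from the post, from Domoticz or from Fail2Ban. It simulates the posted f2b-domoticz chain against the two situations under the usual explanation for this symptom, which is the editor's assumption rather than something the post confirms: the Synology reverse proxy terminates the client's TCP connection and opens its own to the VM, so every packet reaching the VM's INPUT chain carries the Synology's address as source. Fail2Ban bans the client's public address (the one the application log reports), and a REJECT keyed on that address is in the chain but never matches. The addresses 198.51.100.10, 203.0.113.77, 192.168.1.5 and 192.168.1.20 are constructed placeholders; the chain text follows the layout posted above, as `iptables -L` prints it without `-n`.

```python
"""Simulate the posted f2b-domoticz chain against direct and proxied connections.

Added example, not code from the original post. Addresses are constructed.
"""
import ipaddress
import re

# iptables -L f2b-domoticz output in the same layout as the post; the two
# placeholder addresses are replaced by constructed RFC 5737 test addresses.
CHAIN_TEXT = """\
Chain f2b-domoticz (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.10        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.77         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
"""

CLIENT_SITUATION1 = "198.51.100.10"   # offender that hit the VM directly (constructed)
CLIENT_SITUATION2 = "203.0.113.77"    # offender that came in via the Synology (constructed)
PROXY_IP = "192.168.1.5"              # assumed LAN address of the Synology reverse proxy
VM_IP = "192.168.1.20"                # assumed LAN address of the Domoticz VM

RULE_RE = re.compile(r"^(ACCEPT|DROP|REJECT|RETURN)\s+\S+\s+\S+\s+(\S+)\s+(\S+)")


def _net(token):
    # `iptables -L` without -n prints "anywhere" for 0.0.0.0/0
    return ipaddress.ip_network("0.0.0.0/0" if token == "anywhere" else token, strict=False)


def parse_chain(text):
    """Parse `iptables -L` output into [(target, source_net, dest_net)], skipping headers."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            target, src, dst = m.groups()
            rules.append((target, _net(src), _net(dst)))
    return rules


def verdict(rules, src_ip, dst_ip=VM_IP):
    """Walk the chain with first-match semantics and return the target that fires."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for target, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return target
    return "RETURN"  # fell off the end of a user chain: back to INPUT, not blocked


def packet_source(client_ip, via_proxy):
    """Source address netfilter on the VM sees for a TCP connection from client_ip."""
    return PROXY_IP if via_proxy else client_ip


def real_client_ip(peer_ip, x_forwarded_for):
    """Recover the original client only when the peer is the trusted proxy.

    A proxy that opens its own connection is expected to append the client to
    X-Forwarded-For; the rightmost entry is the one the trusted proxy added.
    Trusting the header from any other peer would let a direct client spoof it.
    """
    if peer_ip == PROXY_IP and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


def ban_is_effective(rules, client_ip, via_proxy):
    """True if a REJECT keyed on client_ip actually stops the client's next connection."""
    return verdict(rules, packet_source(client_ip, via_proxy)) == "REJECT"


if __name__ == "__main__":
    rules = parse_chain(CHAIN_TEXT)
    print("situation 1 (direct):   ", ban_is_effective(rules, CLIENT_SITUATION1, False))
    print("situation 2 (via proxy):", ban_is_effective(rules, CLIENT_SITUATION2, True))
    # The rule for the situation-2 client is present; it is the packet that never
    # carries that address, because every relayed connection arrives from PROXY_IP.
    print("rule present for situation-2 client:", verdict(rules, CLIENT_SITUATION2))
```

The practical consequence, still under the assumption above: a ban must be enforced at the hop where the offender's address is the packet source, i.e. Fail2Ban (or an equivalent block list) on the Synology rather than on the VM, or at the application layer on the VM using the X-Forwarded-For value. Banning the address the VM actually sees, the Synology's, would lock out every relayed client at once, so an action that does that is worse than no ban.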