The configuration below is needed for fail2ban to use nftables instead of iptables.
For my purposes I only use fail2ban for blocking brute force attacks against SSH; other configuration may be needed for other services.
A table for fail2ban needs to be added to nftables. An ip table is used here; as the comment in the file notes, fail2ban's nftables support did not yet cover IPv6, so the inet family (which would handle both IPv4 and IPv6 in one table) is not used.
mkdir /etc/nftables
cat << EOF > /etc/nftables/fail2ban.conf
#!/usr/sbin/nft -f
# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
chain input {
type filter hook input priority 100;
}
}
EOF
The priority for the chain is set high (100) so that the fail2ban rules are handled separately from the other input rules. Note that nftables evaluates base chains on the same hook in ascending priority order, so this chain runs after a chain at the default priority 0; the ban still takes effect because a drop in any base chain discards the packet, whereas an accept in an earlier chain only ends evaluation of that chain.
In the main nftables configuration file (e.g. /etc/nftables.conf) the above table configuration needs to be included. I add the following configuration just after flushing the existing rules, so the flush does not remove the fail2ban table again:
# Add fail2ban rules
include "/etc/nftables/fail2ban.conf"
There are multiple areas that need to be configured for fail2ban to work with nftables.
The jail configuration needs to be updated to set the banaction to nftables-multiport. Optionally you can fill in other relevant configuration as needed.
cat << EOF > /etc/fail2ban/jail.local
[DEFAULT]
## Destination email for action that send you an email
#destemail = fail2ban@mydomain.example
#
## Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
#sender = fail2ban@mydomain.example
#
## Default action. Will block user and send you an email with whois content and log lines.
#action = %(action_mwl)s
# configure nftables
banaction = nftables-multiport
chain = input
EOF
An action needs to be added for nftables:
cat << EOF > /etc/fail2ban/action.d/nftables-common.local
[Init]
# Definition of the table used
nftables_family = ip
nftables_table = fail2ban
# Drop packets
blocktype = drop
# Remove nftables prefix. Set names are limited to 15 char so we want them all
nftables_set_prefix =
EOF
By default, Debian's fail2ban is pre-configured for SSH, so I do not need to add or modify any filters. You may need to for your environment; that is out of scope for this document.
Add a dependency on nftables to the fail2ban service, so that if the firewall is flushed or restarted, fail2ban is restarted with it and its rules are automatically added back:
mkdir /etc/systemd/system/fail2ban.service.d
cat << EOF > /etc/systemd/system/fail2ban.service.d/override.conf
[Unit]
Requires=nftables.service
PartOf=nftables.service
[Install]
WantedBy=multi-user.target nftables.service
EOF
systemctl daemon-reload
Restart fail2ban afterwards so it runs under the new dependency; the [Install] entries of the drop-in only apply the next time the unit is enabled.
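As an added check that is not part of the original post, the script below validates the text of nft list ruleset against what this setup should produce: the ip fail2ban table, the input chain at priority 100, a per-jail address set and a drop rule referencing it. The set name addr-set-sshd, the rule shape and the sample ruleset text are assumptions modelled on the nftables-multiport action with an empty nftables_set_prefix.

```shell
#!/bin/sh
# Added verification helper (not from the original post).
# On a live host: nft list ruleset > /tmp/rs.txt && check_f2b_ruleset /tmp/rs.txt
# Returns the number of missing pieces (0 = everything expected is present).

check_f2b_ruleset() {
    rs="$1"; fails=0
    # 1. the table added via /etc/nftables/fail2ban.conf
    grep -Eq '^table ip fail2ban \{' "$rs" \
        || { echo "FAIL: table ip fail2ban not present"; fails=$((fails+1)); }
    # 2. the base chain hooked on input at the chosen priority
    grep -Eq 'type filter hook input priority 100;' "$rs" \
        || { echo "FAIL: chain input not hooked at priority 100"; fails=$((fails+1)); }
    # 3. a set holding banned IPv4 addresses (one per jail, e.g. addr-set-sshd)
    grep -Eq '^[[:space:]]*set addr-set-[A-Za-z0-9_-]+ \{' "$rs" \
        || { echo "FAIL: no fail2ban address set found"; fails=$((fails+1)); }
    # 4. a rule that actually drops traffic from that set (blocktype = drop)
    grep -Eq 'ip saddr @addr-set-[A-Za-z0-9_-]+ drop' "$rs" \
        || { echo "FAIL: no drop rule referencing a fail2ban set"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample, approximating what nft prints after one ban (assumption).
GOOD=$(mktemp)
cat > "$GOOD" << 'EOF'
table ip fail2ban {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }

    chain input {
        type filter hook input priority 100; policy accept;
        tcp dport { 22 } ip saddr @addr-set-sshd drop
    }
}
EOF

# Same ruleset with the drop rule missing: the jail bans, but nothing blocks.
BAD=$(mktemp)
grep -v 'ip saddr @addr-set-sshd drop' "$GOOD" > "$BAD"

check_f2b_ruleset "$GOOD" && echo "ruleset OK"
check_f2b_ruleset "$BAD" || echo "missing pieces: $?"
```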