fail2ban cannot block public IPs; it only works for private IPs

My server sits behind an nginx reverse proxy, but the client IPs recorded in the Apache log look like the following, which seems normal; there is nothing about x-forward in the log.

103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
65.109.34.52 - - [28/Feb/2024:14:37:29 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9568 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"
103.221.234.206 - - [28/Feb/2024:14:37:31 +0800] "GET / HTTP/1.1" 200 8561 "https://x.y.z.a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
194.32.229.95 - - [28/Feb/2024:14:37:32 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9487 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"

Next.. configuring fail2ban works fine, but iptables cannot block the IPs coming from public IPs. My iptables looks like the following. It only takes effect when banning local IPs.

Chain INPUT (policy DROP 22909 packets, 8800K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 691K   72M f2b-apache-noscript  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 690K   85M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   76  4560 ACCEPT     all  --  lo     any     anywhere             anywhere            
    1    60 ACCEPT     icmp --  any    any     anywhere             anywhere            
    1    64 ACCEPT     tcp  --  any    any     10.0.0.0/8           anywhere             tcp dpt:ssh
  807 42768 ACCEPT     tcp  --  any    any     10.0.0.0/8           anywhere             tcp dpt:webmin
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
34019 2040K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 720K packets, 2306M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     77.111.244.49        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     103.151.140.101      anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     20.125.101.243       anywhere             reject-with icmp-port-unreachable

My iptables does not catch the traffic from the specific IPs that were blocked.

What should I do to get my fail2ban working properly, without changing the network topology where the server sits behind a reverse proxy?

(Figure: network topology)
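A small diagnostic to confirm what the question's output already hints at, written here as an added example (it is not from the question or from the linked answer). The f2b-apache-noscript rules show 0 packets against every banned address while the access log keeps recording requests from public clients. Behind a reverse proxy the origin host sees the proxy's address as the TCP source and only learns the client address from an HTTP header (the log shows the header value, not the packet source), so a netfilter rule on the origin host keyed to the logged address can never match. The script parses the `iptables -L -n -v` chain listing and the Apache combined log, and reports bans that never matched a packet although the log still shows traffic from that address after the ban. The chain text is copied from the question; the log lines are constructed (two are shortened copies of the question's, the third is a made-up request from one of the banned addresses so the check has something to flag).

```python
import re
from collections import Counter
from datetime import datetime

# Chain listing copied from the question (iptables -L -n -v format).
F2B_CHAIN = """\
Chain f2b-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     77.111.244.49        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     103.151.140.101      anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     20.125.101.243       anywhere             reject-with icmp-port-unreachable
"""

# Constructed access-log sample (Apache combined format, user agents shortened).
# The third line is invented: a request from an address that is already banned.
ACCESS_LOG = """\
103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0"
65.109.34.52 - - [28/Feb/2024:14:37:29 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9568 "https://x.y.z.a/" "Mozilla/5.0"
77.111.244.49 - - [28/Feb/2024:14:40:01 +0800] "GET /index.php HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
"""

# pkts bytes target prot opt in out source destination ...
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>REJECT|DROP)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
)
# client ident user [timestamp] "request" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
_APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token):
    """iptables -v abbreviates counters (691K, 72M); expand them to integers."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_ban_chain(listing):
    """Map each banned source address to the packet counter of its REJECT/DROP rule."""
    bans = {}
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        if m:
            bans[m.group("src")] = parse_count(m.group("pkts"))
    return bans


def parse_access_log(log, since=None):
    """Count requests per logged client address, optionally only those at or
    after `since` (an Apache timestamp such as '28/Feb/2024:14:39:00 +0800'),
    so that traffic from before the ban is not mistaken for a failed ban."""
    cutoff = datetime.strptime(since, _APACHE_TS) if since else None
    hits = Counter()
    for line in log.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        if cutoff and datetime.strptime(m.group("ts"), _APACHE_TS) < cutoff:
            continue
        hits[m.group("ip")] += 1
    return hits


def ineffective_bans(bans, hits):
    """Banned addresses whose rule never matched a packet while the log still
    records requests from them. Behind a reverse proxy that is the signature of
    a ban applied at the wrong layer: the origin host's packets come from the
    proxy, and the logged address exists only in an HTTP header."""
    return sorted(ip for ip, pkts in bans.items() if pkts == 0 and hits.get(ip, 0) > 0)


if __name__ == "__main__":
    bans = parse_ban_chain(F2B_CHAIN)
    hits = parse_access_log(ACCESS_LOG, since="28/Feb/2024:14:39:00 +0800")
    for ip in ineffective_bans(bans, hits):
        print(f"{ip}: banned in netfilter with 0 packets, {hits[ip]} request(s) still logged")
```

Run it against the real `iptables -L -n -v` output and the access log with `since` set to the ban time taken from fail2ban.log. Every address the script reports is one where the netfilter ban cannot be doing anything, which points at the fix being enforced where the client packets actually arrive (the proxy host) or by an application-layer action rather than at the origin host's INPUT chain.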

Answer 1

A similar case, solved perfectly here: link
