I recently added a fail2ban jail to filter out HTTP requests from clearly malicious users, and in the course of doing so I noticed that IPs that should have been banned did not show up in iptables rules.
I changed the configuration of fail2ban to use ufw instead of iptables, and upon restart the target IPs show up in ufw ban rules. (In the right place even — ufw rules are numbered so if you want to ALLOW ALL and then selectively REJECT, the REJECT rule must have a lower number than the ALLOW rule).
It makes sense to use Ubuntu’s default firewall, ufw, for MIAB, since MIAB is configured to run only on Ubuntu.
Is the current configuration (using iptables) a case of accepting the default setting, or was there a specific design decision there?
If the former, I would suggest making the change – and would happily add a PR.
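An added check for the rule-ordering point above (example code, not from this thread or the MIAB project): it parses `ufw status numbered` output and confirms that every fail2ban REJECT rule for a banned IP has a lower rule number than the broad ALLOW on the same port. The sample output and the IPs in it are constructed.

```shell
#!/bin/sh
# Constructed sample shaped like `ufw status numbered` output (not from a real host).
UFW_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     REJECT IN   203.0.113.10
[ 2] 443/tcp                    REJECT IN   203.0.113.10
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 80/tcp                     REJECT IN   198.51.100.7'

# check_ban_order "<ufw status numbered output>" <ip>
# Returns 0 when every REJECT/DENY rule for <ip> precedes the first
# "Anywhere" ALLOW rule on the same port, 1 when a ban is shadowed
# by an earlier ALLOW or when no ban rule exists for the IP at all.
check_ban_order() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    /^\[ *[0-9]+\]/ {
      n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n); n = n + 0   # rule number
      rest = $0; sub(/^\[[ 0-9]*\] */, "", rest)                   # drop "[ N] "
      nf = split(rest, f, /[ \t]+/)
      port = f[1]; action = f[2]; from = f[nf]
      # remember the first broad ALLOW per port
      if (action == "ALLOW" && from == "Anywhere" && !(port in allow)) allow[port] = n
      if ((action == "REJECT" || action == "DENY") && from == ip) {
        bans++; bn[bans] = n; bp[bans] = port
      }
    }
    END {
      if (bans == 0) { print "no ban rule found for " ip; exit 1 }
      bad = 0
      for (i = 1; i <= bans; i++) {
        p = bp[i]
        if ((p in allow) && allow[p] < bn[i]) {
          printf "rule %d rejects %s on %s but ALLOW rule %d comes first\n", bn[i], ip, p, allow[p]
          bad = 1
        } else {
          printf "rule %d rejects %s on %s: ok\n", bn[i], ip, p
        }
      }
      exit bad
    }'
}

# Usage with the constructed sample; on a real host pass "$(ufw status numbered)".
check_ban_order "$UFW_SAMPLE" 203.0.113.10
```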
@daveteu Yes, that is correct, but is there a specific reason why MIAB uses IPTables directly and not ufw?
UFW is the preferred means of manipulating IPtables on Ubuntu, just as firewalld is the preferred means for manipulating IPtables on Fedora/CentOS/RH.
I have had difficulty getting fail2ban to correctly administer bans using IPtables directly, especially when the service restarts. However, in implementations that use ufw or firewalld, I have had less difficulty getting expected behavior.