2025-07-11 A separate allow-list to bypass fail2ban
===================================================

I automatically ban autonomous systems that host bots abusing my server. That's a pretty broad ban-hammer! I might ban OVH Hosting, for example. That is, the autonomous system number 16276, responsible for 139.99.128.0/17. Somewhere in this network, however, there are servers that I do not want to ban, like the fedi instance Cathode Church at 139.99.194.127. What to do?

I decided to create an allow-list and use it in firewall rules that match before fail2ban gets to run. Let's hope that it works. Of course, a list for IPv4 and a list for IPv6 are required.

    ipset create allowlist hash:ip
    ipset create allowlist6 hash:ip family inet6
    iptables -I INPUT -m set --match-set allowlist src -j ACCEPT
    ip6tables -I INPUT -m set --match-set allowlist6 src -j ACCEPT
    ipset add allowlist 139.99.194.127 # cathode.church
    ipset add allowlist6 2402:1f00:8100:400::16d9 # cathode.church
    netfilter-persistent save

Note that netfilter-persistent only saves the iptables rules; the contents of the ipsets are saved alongside them only if the ipset plugin (the ipset-persistent package on Debian) is installed. Without it the sets do not exist after a reboot, and the rules that refer to them fail to load.

The result is the following, with the ACCEPT rule controlled by the allowlist coming before the fail2ban chains. Since iptables walks the chain in order, a packet from an allow-listed address is accepted before any of the f2b chains get to see it:

    # iptables --list INPUT
    Chain INPUT (policy ACCEPT)
    target                    prot opt source    destination
    ACCEPT                    all  --  anywhere  anywhere     match-set allowlist src
    f2b-butlerian-jihad-week  tcp  --  anywhere  anywhere     multiport dports 0:65535
    f2b-butlerian-jihad       tcp  --  anywhere  anywhere     multiport dports 0:65535
    f2b-alex-bots             tcp  --  anywhere  anywhere     multiport dports http,https
    f2b-alex-apache           tcp  --  anywhere  anywhere     multiport dports http,https
    f2b-recidive              tcp  --  anywhere  anywhere
    DROP                      all  --  anywhere  anywhere     match-set banlist src

If you're wondering about DROP being controlled by banlist: That's the inverse of the allow-list, for permanent bans.
The setup is similar:

    # hash:net because of CIDR
    ipset create banlist hash:net
    ipset create banlist6 hash:net family inet6
    iptables -I INPUT -m set --match-set banlist src -j DROP
    ip6tables -I INPUT -m set --match-set banlist6 src -j DROP
    netfilter-persistent save

Currently the ban-list is empty. I used the ban-list for ban-cidr before switching to the dynamic fail2ban setup.

Anyway, all this to say: If you're banned from one of my sites and you have a static IP number, contact me via email and I can put it on the allow-list.

#Administration #Butlerian_Jihad #iptables #ipset

2025-07-27. If one day the allow-list seems to have no effect, take a look:

    iptables --list INPUT --line-numbers

Perhaps fail2ban inserted all its rules at the top? That is what its default iptables actions do: when a jail starts, fail2ban runs iptables -I to put the jump to its chain at the top of INPUT, so after every fail2ban restart the allow-list rule ends up below the f2b chains. Determine the current place of the allow-list (the --line-numbers option shows the rule numbers). Verify that you have the correct number and delete it. Then re-insert the rule at the beginning.

    # iptables --list INPUT --line-numbers
    6    ACCEPT  all  --  anywhere  anywhere  match-set allowlist src
    # iptables --delete INPUT 6
    # iptables -I INPUT -m set --match-set allowlist src -j ACCEPT
    # iptables --list INPUT
    Chain INPUT (policy ACCEPT)
    target                    prot opt source    destination
    ACCEPT                    all  --  anywhere  anywhere     match-set allowlist src
    f2b-alex-apache           tcp  --  anywhere  anywhere     multiport dports http,https
    f2b-butlerian-jihad       tcp  --  anywhere  anywhere     multiport dports 0:65535
    f2b-butlerian-jihad-week  tcp  --  anywhere  anywhere     multiport dports 0:65535
    f2b-alex-bots             tcp  --  anywhere  anywhere     multiport dports http,https
    f2b-recidive              tcp  --  anywhere  anywhere
    DROP                      all  --  anywhere  anywhere     match-set banlist src
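The check described in the update (find the allow-list rule's position, delete it by number, re-insert it at the top) can be scripted so that it is safe to run after every fail2ban restart. The following is an added example, not code from the original post: it assumes the set name allowlist, the chain INPUT and the iptables binary as variables with those defaults (the file name fix-allowlist.sh is likewise an assumption), and the iptables -S output it checks in dry-run mode is a constructed sample, not a capture from the author's server.

```shell
#!/bin/sh
# Added example, not from the original post: find the allow-list ACCEPT rule
# in INPUT and emit the delete/re-insert commands from the 2025-07-27 update.
# Parses `iptables -S CHAIN` (rule-spec output) instead of the `--list` columns.
# IPT, SET and CHAIN are assumptions with defaults matching the post; override
# them for IPv6:  IPT=ip6tables SET=allowlist6 sh fix-allowlist.sh --apply
IPT="${IPT:-iptables}"
SET="${SET:-allowlist}"
CHAIN="${CHAIN:-INPUT}"

# Constructed sample of `iptables -S INPUT` after a fail2ban restart pushed
# its chain jumps above the allow-list rule (which is now rule 6 of 7).
SAMPLE='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-alex-apache
-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-butlerian-jihad
-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-butlerian-jihad-week
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-alex-bots
-A INPUT -p tcp -j f2b-recidive
-A INPUT -m set --match-set allowlist src -j ACCEPT
-A INPUT -m set --match-set banlist src -j DROP'

# Read `iptables -S CHAIN` on stdin and print the 1-based rule number (the
# number `iptables -D CHAIN N` expects) of every allow-list ACCEPT rule.
# Only -A lines count as rules; the -P policy line is skipped.
allowlist_positions() {
    grep -- "^-A $CHAIN " | grep -n -- "--match-set $SET src -j ACCEPT" | cut -d: -f1
}

# Read the same input and print the commands that put the allow-list rule at
# position 1. Three cases: already first (print nothing); elsewhere or
# duplicated (delete every copy, highest number first so the remaining
# numbers stay valid, then insert at the top); missing (insert only).
fix_commands() {
    positions=$(allowlist_positions)
    if [ "$positions" = "1" ]; then
        return 0
    fi
    for n in $(printf '%s\n' "$positions" | sort -rn); do
        printf '%s -D %s %s\n' "$IPT" "$CHAIN" "$n"
    done
    printf '%s -I %s -m set --match-set %s src -j ACCEPT\n' "$IPT" "$CHAIN" "$SET"
}

# With --apply (as root) operate on the live table; otherwise dry-run on the
# constructed sample and only print what would be done.
if [ "${1:-}" = "--apply" ]; then
    "$IPT" -S "$CHAIN" | fix_commands | sh
else
    printf '%s\n' "$SAMPLE" | fix_commands
fi
```

Run without arguments it prints the two commands from the update for the sample (delete rule 6, insert at the top); with --apply it runs them against the live table, and with IPT=ip6tables SET=allowlist6 it does the same for the IPv6 set. It parses iptables -S rather than --list --line-numbers because the rule-spec lines are stable and contain the exact match to look for, and it deletes from the highest rule number down so that a duplicated allow-list entry does not shift the numbers of the copies still to be deleted.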