2025-07-11 A separate allow-list to bypass fail2ban
I automatically ban autonomous systems that host bots abusing my server. That's a pretty broad ban-hammer! I might ban OVH Hosting, for example. That is, the autonomous system number 16276 responsible for `139.99.128.0/17`. Somewhere in this network, however, there are servers that I do not want to ban, like the fedi instance Cathode Church at `139.99.194.127`. What to do?
I decided to create an allow-list and use it in firewall rules that come before the rules `fail2ban` manages, so that a packet from an allow-listed address is accepted before any `fail2ban` chain gets to look at it. Let's hope that it works.
Of course, a list for IPv4 and a list for IPv6 are required. The sets use `hash:ip` because they hold single addresses. Note that `netfilter-persistent save` only persists the sets themselves if the `ipset-persistent` plugin is installed; without it, the rules survive a reboot but the sets they refer to do not.
ipset create allowlist hash:ip
ipset create allowlist6 hash:ip family inet6
iptables -I INPUT -m set --match-set allowlist src -j ACCEPT
ip6tables -I INPUT -m set --match-set allowlist6 src -j ACCEPT
ipset add allowlist 139.99.194.127 # cathode.church
ipset add allowlist6 2402:1f00:8100:400::16d9 # cathode.church
netfilter-persistent save
The result is the following: the `ACCEPT` rule controlled by `allowlist` comes before the `fail2ban` rules, and the `DROP` rule controlled by `banlist` comes last:
# iptables --list INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set allowlist src
f2b-butlerian-jihad-week tcp -- anywhere anywhere multiport dports 0:65535
f2b-butlerian-jihad tcp -- anywhere anywhere multiport dports 0:65535
f2b-alex-bots tcp -- anywhere anywhere multiport dports http,https
f2b-alex-apache tcp -- anywhere anywhere multiport dports http,https
f2b-recidive tcp -- anywhere anywhere
DROP all -- anywhere anywhere match-set banlist src
If you're wondering about `DROP` being controlled by `banlist`: That's the inverse of the allow-list, for permanent bans. The setup is similar:
# hash:net because of CIDR
ipset create banlist hash:net
ipset create banlist6 hash:net family inet6
iptables -I INPUT -m set --match-set banlist src -j DROP
ip6tables -I INPUT -m set --match-set banlist6 src -j DROP
netfilter-persistent save
Currently the ban-list is empty.
I used the ban-list for ban-cidr before switching to the dynamic `fail2ban` setup.
Anyway, all this to say: If you're banned from one of my sites and you have a static IP number, contact me via email and I can put it on the allow-list.
#Administration #Butlerian Jihad #iptables #ipset
**2025-07-27**. If one day the allow-list seems to have no effect, take a look:
Perhaps `fail2ban` inserted all its rules at the top? Its iptables actions insert their jump rules with `-I`, i.e. at position 1, every time a jail starts, so a restart of `fail2ban` pushes the allow-list rule further down the chain. Determine the current position of the allow-list rule (`iptables --list INPUT --line-numbers` shows the numbers). Verify that the number you found really is that rule, delete it by number, then re-insert it at the beginning.
# iptables --list INPUT 6
ACCEPT all -- anywhere anywhere match-set allowlist src
# iptables --delete INPUT 6
# iptables -I INPUT -m set --match-set allowlist src -j ACCEPT
# iptables --list INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set allowlist src
f2b-alex-apache tcp -- anywhere anywhere multiport dports http,https
f2b-butlerian-jihad tcp -- anywhere anywhere multiport dports 0:65535
f2b-butlerian-jihad-week tcp -- anywhere anywhere multiport dports 0:65535
f2b-alex-bots tcp -- anywhere anywhere multiport dports http,https
f2b-recidive tcp -- anywhere anywhere
DROP all -- anywhere anywhere match-set banlist src
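Here is a small script, added here and not part of the original post, that automates that check: it counts the allow-list rule's position in an `iptables -S INPUT` listing (the policy line is skipped so the number matches what `iptables -D INPUT <n>` expects) and moves the rule back to the top if `fail2ban` has pushed it down. The set names and chain are the ones from the post; the sample listing inside the script is constructed to mirror the state shown above, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): find where the allow-list ACCEPT rule
# currently sits in the INPUT chain and, if fail2ban pushed it down, move it back
# to position 1. Set names and chain follow the post; the sample listing below is
# constructed to mirror the post's `iptables --list INPUT` output.

# Print the 1-based rule number of the "-m set --match-set <set> src -j ACCEPT" rule,
# reading an `iptables -S INPUT` style listing on stdin. Prints 0 if it is absent.
# Only "-A" lines are rules; the leading "-P INPUT ACCEPT" policy line is skipped,
# so the number matches what `iptables -D INPUT <num>` expects.
allowlist_position() {
  awk -v pat="-m set --match-set $1 src -j ACCEPT" '
    /^-A / {
      n++
      if (index($0, pat) > 0) { print n; found = 1; exit }
    }
    END { if (!found) print 0 }'
}

# Move the allow-list rule to the top of INPUT. Needs root and a live netfilter;
# $1 is the tool (iptables or ip6tables), $2 the set name.
restore_allowlist() {
  tool=$1; set_name=$2
  pos=$("$tool" -S INPUT | allowlist_position "$set_name")
  case "$pos" in
    1) ;;                                  # already first, nothing to do
    0) "$tool" -I INPUT -m set --match-set "$set_name" src -j ACCEPT ;;
    *) "$tool" -D INPUT "$pos"             # delete by number, then re-insert at the top
       "$tool" -I INPUT -m set --match-set "$set_name" src -j ACCEPT ;;
  esac
}

# Constructed sample: the state from the post's 2025-07-27 note, allow-list at rule 6.
SAMPLE='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-alex-apache
-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-butlerian-jihad
-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-butlerian-jihad-week
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-alex-bots
-A INPUT -p tcp -j f2b-recidive
-A INPUT -m set --match-set allowlist src -j ACCEPT
-A INPUT -m set --match-set banlist src -j DROP'

# Position of the allow-list rule in the constructed sample (6).
sample_position() {
  printf '%s\n' "$SAMPLE" | allowlist_position allowlist
}

echo "allowlist is rule number $(sample_position)"
# Against the live firewall, as root:
#   restore_allowlist iptables allowlist
#   restore_allowlist ip6tables allowlist6
```

Deleting by number is what the note above does by hand; `iptables -D INPUT -m set --match-set allowlist src -j ACCEPT` would delete the rule by its specification instead and avoid the counting altogether, but then you do not get to verify the number first. Running `restore_allowlist` from a `fail2ban` `actionstart` hook or a cron job keeps the rule at the top after restarts.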
**2025-12-24**. And of course now I had to replace it all with `nft` stuff. 😭