Fail2Ban: bans not blocking traffic

Fix Fail2Ban bans that do not block traffic due to firewall backend mismatches or incorrect ban action configuration.

Fail2Ban bans an IP address but the traffic is not blocked because the firewall backend does not match the system's active firewall.

When Fail2Ban Produces This Error

Fail2Ban reports a successful ban (fail2ban-client status sshd lists the address under "Currently banned" and /var/log/fail2ban.log shows "NOTICE [sshd] Ban <ip>"), yet the banned IP can still connect. The ban action is either failing outright (ERROR lines for the same jail appear right after the Ban line) or inserting rules into a firewall subsystem other than the one enforcing this host's policy.

What Causes Bans Not to Block Traffic in Fail2Ban

Fail2Ban's stock jail.conf sets banaction = iptables-multiport. Modern distributions (Debian 13+, Ubuntu 24.04+) ship nftables as the default firewall, and on such a host the iptables command is often not installed at all; every ban action then errors out, no rule is ever created, and the log still says Ban while the packets keep arriving. If iptables is installed, iptables -V tells you which build it is: an (nf_tables) build translates its rules into the kernel's nftables backend and generally works, while a (legacy) build keeps its rules in a separate xtables ruleset that nft list ruleset never shows, which makes the state easy to misread and hard to audit alongside an nftables policy. In both cases the reliable fix is to move Fail2Ban onto the same backend as the rest of the host's firewall.

When UFW is the active firewall, use Fail2Ban's ufw action (banaction = ufw) rather than iptables-multiport: rules that Fail2Ban inserts directly into iptables are invisible to ufw status and may be lost when ufw rebuilds its chains (ufw reload, ufw disable/enable), after which the ban is still listed in Fail2Ban but no longer exists in the firewall.

How to Fix Bans Not Blocking in Fail2Ban

  1. Check which firewall is active and which iptables build, if any, is installed:

    sudo nft list ruleset | head -5
    sudo iptables -V
    sudo iptables -L | head -5
    sudo ufw status

     iptables -V prints (nf_tables) or (legacy) after the version string; "command not found" means the stock iptables-multiport action cannot work at all on this host.
  2. Confirm the failure in the log. A Ban line followed by ERROR lines for the same jail means the action ran but failed:

    sudo grep -E 'Ban |ERROR' /var/log/fail2ban.log | tail -20
  3. Set the banaction that matches the active firewall in /etc/fail2ban/jail.local. On an nftables host:

    [DEFAULT]
    banaction = nftables-multiport
    banaction_allports = nftables-allports

     On a UFW host set banaction = ufw instead.
  4. Restart Fail2Ban and check that the jails came up:

    sudo systemctl restart fail2ban
    sudo fail2ban-client status

How to Verify the Fix

Ban a test address, confirm the rule exists in the firewall that actually enforces policy, check that no action error was logged, then remove the test ban:

sudo fail2ban-client set sshd banip 203.0.113.99
sudo nft list ruleset | grep 203.0.113.99
sudo tail -5 /var/log/fail2ban.log
sudo fail2ban-client set sshd unbanip 203.0.113.99

With the nftables actions the address is added to a set inside the f2b-table table (sudo nft list table inet f2b-table shows the whole thing); on a UFW host use sudo ufw status instead of nft. No ERROR line should follow the Ban in the log. If you control a second client address, the real test is that an SSH connection from it is refused while it is banned.
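The two checks above (which backend is active, and whether logged bans actually succeeded) are easy to get wrong by eye, so here is a small script that does them. It is an added example, not code from the original page or from the Fail2Ban project; the decision rules, the hypothetical filename check-fail2ban-backend.sh and the sample log lines are this example's own assumptions, and the log format mimics Fail2Ban's but is constructed, not copied from a real host.

```sh
#!/bin/sh
# Added example, not part of the original page or of Fail2Ban itself.
# Two helpers for the procedure above:
#   recommend_banaction - map what ufw/nft/iptables report to a banaction value
#   failed_bans         - pull from fail2ban.log the addresses that were logged
#                         as banned but whose ban action then errored
# The decision rules and the sample log lines below are this example's own
# assumptions, not output copied from a real host.

# recommend_banaction UFW_ACTIVE NFT_RULES IPTABLES_BACKEND
#   UFW_ACTIVE        yes|no                            from `ufw status`
#   NFT_RULES         yes|no                            `nft list ruleset` non-empty?
#   IPTABLES_BACKEND  nf_tables|legacy|unknown|missing  from `iptables -V`
recommend_banaction() {
    rb_ufw=$1; rb_nft=$2; rb_ipt=$3
    if [ "$rb_ufw" = yes ]; then
        echo ufw                  # let ufw own the rules; they survive ufw reloads
    elif [ "$rb_nft" = yes ] || [ "$rb_ipt" = missing ]; then
        echo nftables-multiport   # nftables policy present, or no iptables at all
    else
        echo iptables-multiport   # the stock default is fine on a plain iptables host
    fi
}

# Inspect the live host (needs root for nft/iptables/ufw). Prints the three
# values in the order recommend_banaction expects, e.g. "no yes missing".
detect_firewall() {
    df_ufw=no; df_nft=no; df_ipt=missing
    if command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q '^Status: active'; then
        df_ufw=yes
    fi
    if command -v nft >/dev/null 2>&1 && [ -n "$(nft list ruleset 2>/dev/null)" ]; then
        df_nft=yes
    fi
    if command -v iptables >/dev/null 2>&1; then
        case "$(iptables -V 2>/dev/null)" in
            *nf_tables*) df_ipt=nf_tables ;;
            *legacy*)    df_ipt=legacy ;;
            *)           df_ipt=unknown ;;
        esac
    fi
    echo "$df_ufw $df_nft $df_ipt"
}

# failed_bans [LOGFILE ...]: print each address that has a "Ban <ip>" NOTICE and a
# later "Error banning <ip>" ERROR. Reads stdin when no file is given.
failed_bans() {
    awk '
        /NOTICE +\[[-A-Za-z0-9_]+\] Ban / { banned[$NF] = 1 }
        /ERROR .*Error banning /          { if (($NF in banned) && !($NF in seen)) { seen[$NF] = 1; print $NF } }
    ' "$@"
}

# Constructed sample of fail2ban.log on an nftables host without the iptables
# binary: the first ban is logged, then the iptables-multiport action fails;
# the second ban has no error after it.
sample_log() {
    cat <<'EOF'
2025-01-01 10:00:00,002 fail2ban.actions [1234]: NOTICE  [sshd] Ban 203.0.113.99
2025-01-01 10:00:00,003 fail2ban.utils   [1234]: ERROR   7f1d2c -- exec: iptables -w -I f2b-sshd 1 -s 203.0.113.99 -j REJECT --reject-with icmp-port-unreachable
2025-01-01 10:00:00,004 fail2ban.utils   [1234]: ERROR   7f1d2c -- stderr: '/bin/sh: 1: iptables: not found'
2025-01-01 10:00:00,005 fail2ban.actions [1234]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport': Error banning 203.0.113.99
2025-01-01 10:05:00,000 fail2ban.actions [1234]: NOTICE  [sshd] Ban 198.51.100.7
EOF
}

# Usage: `sudo sh check-fail2ban-backend.sh --live` inspects this host; with no
# argument the script only runs the log audit against the constructed sample.
if [ "${1-}" = --live ]; then
    set -- $(detect_firewall)
    echo "ufw=$1 nft_rules=$2 iptables=$3 -> set banaction = $(recommend_banaction "$1" "$2" "$3")"
    if [ -r /var/log/fail2ban.log ]; then
        echo "bans whose action failed:"; failed_bans /var/log/fail2ban.log
    fi
else
    echo "bans whose action failed (sample log):"
    sample_log | failed_bans
fi
```

The recommendation deliberately prefers ufw whenever ufw is active, and nftables whenever an nftables ruleset is loaded or iptables is absent; an iptables-nft build on a host with no nftables policy of its own is left on the stock action, since it already feeds the kernel's nftables backend. The log audit keys on the "Error banning <ip>" message that follows a failed action, so a clean log after a test ban means the action really ran.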