From cf5f37e409a090505755d460d8e75114aee1459d Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Mon, 15 Jun 2026 17:34:23 +0200
Subject: [PATCH] fix(iplimit): ban UDP as well as TCP in fail2ban action (#5350)

The generated 3x-ipl fail2ban action only matched -p tcp, so UDP-based inbounds (Hysteria2, TUIC, WireGuard) from a banned IP kept working, bypassing IP-limit enforcement. Drop the protocol qualifier from the chain jump and ban both tcp and udp, keeping the SSH/panel port exemption.
---
 DockerEntrypoint.sh | 11 ++++++-----
 x-ui.sh | 15 ++++++++-------
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/DockerEntrypoint.sh b/DockerEntrypoint.sh
index 9105f9653..79779a219 100644
--- a/DockerEntrypoint.sh
+++ b/DockerEntrypoint.sh
@@ -44,23 +44,24 @@ before = iptables-allports.conf
 [Definition]
 actionstart = -N f2b-
 -A f2b- -j
- -I -p -j f2b-
+ -I -j f2b-
-actionstop = -D -p -j f2b-
+actionstop = -D -j f2b-
 -X f2b-
 actioncheck = -n -L | grep -q 'f2b-[ \t]'
-actionban = -I f2b- 1 -s -p -m multiport ! --dports -j
+actionban = -I f2b- 1 -s -p tcp -m multiport ! --dports -j
+ -I f2b- 1 -s -p udp -m multiport ! --dports -j
 echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") BAN [Email] = [IP] = banned for seconds." >> $LOG_FOLDER/3xipl-banned.log
-actionunban = -D f2b- -s -p -m multiport ! --dports -j
+actionunban = -D f2b- -s -p tcp -m multiport ! --dports -j
+ -D f2b- -s -p udp -m multiport ! --dports -j
 echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") UNBAN [Email] = [IP] = unbanned." >> $LOG_FOLDER/3xipl-banned.log
 [Init]
 name = default
-protocol = tcp
 chain = INPUT
 exemptports = $EXEMPT_PORTS
 EOF
diff --git a/x-ui.sh b/x-ui.sh
index 1fe22008b..ee6fbbb99 100644
--- a/x-ui.sh
+++ b/x-ui.sh
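Review bot: The new `-p tcp` / `-p udp` rule pairs in actionban and actionunban carry no comment explaining why the ban could not stay a single protocol-less rule the way the chain jump did, so a later edit may fold them back together; `-m multiport ! --dports` only works with an explicit tcp/udp protocol, and the split also means the exempt-port list is now applied to UDP, so a UDP inbound bound to one of those port numbers is not banned. I would add a fail2ban comment above actionban such as `# two rules: multiport needs an explicit -p, and the exempt ports are skipped for UDP too`. The trailing echo is the last line of each action, so if fail2ban runs these lines as one shell script a failed `-D` of either rule in actionunban is masked by the echo's exit status and one rule can linger; worth either a note or `&&`-chaining the two deletes. The x-ui.sh action hunk (`@@ -2426,23 +2426,24 @@`) carries the identical change and needs the same comment; one shared template would keep the two copies from drifting. The fail2ban substitution tags (chain, name and ip) and some continuation lines look stripped by extraction here, so the visible lines fall short of the hunk header's counts.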
@@ -2409,8 +2409,8 @@ EOF
 # Ports to exempt from the ban so an over-limit proxy client can never lock
 # the administrator out of SSH or the panel. The ban still covers every other
- # TCP port (including all Xray inbounds), so IP-limit keeps working for inbounds
- # added later without regenerating these files.
+ # TCP and UDP port (including all Xray inbounds, e.g. UDP-based Hysteria2), so
+ # IP-limit keeps working for inbounds added later without regenerating these files.
 local ssh_ports
 ssh_ports=$(grep -oP '^[[:space:]]*Port[[:space:]]+\K[0-9]+' /etc/ssh/sshd_config 2>/dev/null | paste -sd, -)
 [[ -z "${ssh_ports}" ]] && ssh_ports="22"
@@ -2426,23 +2426,24 @@ before = iptables-allports.conf
 [Definition]
 actionstart = -N f2b-
 -A f2b- -j
- -I -p -j f2b-
+ -I -j f2b-
-actionstop = -D -p -j f2b-
+actionstop = -D -j f2b-
 -X f2b-
 actioncheck = -n -L | grep -q 'f2b-[ \t]'
-actionban = -I f2b- 1 -s -p -m multiport ! --dports -j
+actionban = -I f2b- 1 -s -p tcp -m multiport ! --dports -j
+ -I f2b- 1 -s -p udp -m multiport ! --dports -j
 echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") BAN [Email] = [IP] = banned for seconds." >> ${iplimit_banned_log_path}
-actionunban = -D f2b- -s -p -m multiport ! --dports -j
+actionunban = -D f2b- -s -p tcp -m multiport ! --dports -j
+ -D f2b- -s -p udp -m multiport ! --dports -j
 echo "\$(date +"%%Y/%%m/%%d %%H:%%M:%%S") UNBAN [Email] = [IP] = unbanned." >> ${iplimit_banned_log_path}
 [Init]
 name = default
-protocol = tcp
 chain = INPUT
 exemptports = ${exempt_ports}
 EOF
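Review bot: The reworded comment keeps the promise that an over-limit client "can never lock the administrator out of SSH", but the detection beneath it (unchanged context) only reads `Port` lines from /etc/ssh/sshd_config and falls back to 22, so a port set in an `Include`d sshd_config.d file or via `ListenAddress host:port` would not be exempted and the ban would reach SSH. Either soften the comment, e.g. `# ... so an over-limit proxy client should not lock the administrator out of SSH (only Port lines in sshd_config are read; Include'd files are not parsed)`, or take the ports from the effective config with `ssh_ports=$(sshd -T 2>/dev/null | awk '$1 == "port" {print $2}' | paste -sd, -)`. The enclosing function starts before this hunk.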