Fail2ban uses iptables by default to block a source address once it exceeds the maximum number of login retries. The iptables rules that fail2ban inserts can conflict with the firewall's own rule set, so it may be necessary to reconfigure fail2ban to block banned addresses with the route command (a null route) instead of iptables.
To reconfigure fail2ban to use the route command instead of iptables, edit or create the route.conf action file:
And insert the following lines:
# Fail2Ban configuration file
[Definition]
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>
Then set the ban action in the [DEFAULT] section of the jail.local file to "route":
And add or edit these lines:
# Fail2Ban configuration file
[DEFAULT]
banaction = route
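The following script is an added example, not part of the original page or of the fail2ban project: it writes the two fragments above into a configuration directory and checks that the route action is wired in. It assumes the standard fail2ban layout (route.conf under action.d, jail.local next to jail.conf, /etc/fail2ban as the default root) and that `fail2ban-client -t`, which parses the configuration without starting the server, is available when applying for real. The directory is a parameter so the functions can be dry-run against a temporary directory before touching /etc/fail2ban.

```shell
#!/bin/sh
# Added example (not from the original page): configure fail2ban's route
# ban action. Paths are assumptions based on the standard fail2ban layout.

FAIL2BAN_DIR="${FAIL2BAN_DIR:-/etc/fail2ban}"   # assumed default location

# write_route_action DIR: create DIR/action.d/route.conf with the
# ban/unban commands from the page (null route via "unreachable").
write_route_action() {
    dir="$1"
    mkdir -p "$dir/action.d"
    cat > "$dir/action.d/route.conf" <<'EOF'
# Fail2Ban configuration file
[Definition]
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>
EOF
}

# write_jail_default DIR: make "banaction = route" the [DEFAULT] ban action
# in DIR/jail.local. Replaces an existing banaction line, inserts one after
# an existing [DEFAULT] header, or appends a new [DEFAULT] section. Safe to
# re-run: it never adds a second banaction line.
write_jail_default() {
    dir="$1"
    f="$dir/jail.local"
    if [ -f "$f" ] && grep -q '^banaction *=' "$f"; then
        awk '/^banaction *=/ {print "banaction = route"; next} {print}' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    elif [ -f "$f" ] && grep -q '^\[DEFAULT\]' "$f"; then
        awk '{print} /^\[DEFAULT\]/ && !done {print "banaction = route"; done=1}' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        cat >> "$f" <<'EOF'
# Fail2Ban configuration file
[DEFAULT]
banaction = route
EOF
    fi
}

# check_route_config DIR: exit 0 only if the action file defines both
# commands and jail.local selects the route action.
check_route_config() {
    dir="$1"
    grep -q '^actionban *= *ip route add unreachable <ip>' "$dir/action.d/route.conf" &&
    grep -q '^actionunban *= *ip route del unreachable <ip>' "$dir/action.d/route.conf" &&
    grep -q '^banaction *= *route$' "$dir/jail.local"
}

# Usage: sh route-action.sh apply     (writes into $FAIL2BAN_DIR, needs root)
if [ "${1:-}" = "apply" ]; then
    write_route_action "$FAIL2BAN_DIR"
    write_jail_default "$FAIL2BAN_DIR"
    check_route_config "$FAIL2BAN_DIR" && echo "route action configured in $FAIL2BAN_DIR"
    # Validate the resulting configuration before restarting the service.
    command -v fail2ban-client >/dev/null 2>&1 && fail2ban-client -t
fi
```

Two caveats worth knowing before switching: a null route stops the host from sending anything back to the banned address, but the attacker's packets still reach the kernel, so a TCP connection can no longer be completed while a UDP request may still be processed with only the reply discarded; and `ip route add` fails with "File exists" if the route is already present, so a ban that fail2ban re-applies for an address that was added by hand will be logged as an error rather than silently succeeding.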