From e274ee762fc103bc7472aa49c4b031948d361c4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20K=C3=A4fer?= <tobias@tkaefer.de>
Date: Thu, 3 Feb 2022 20:51:45 +0100
Subject: [PATCH] Update fail2ban faq doc

---
 docs/faq.rst                     | 29 +++++++++++++++++++++++++++++
 towncrier/newsfragments/2214.doc |  0
 2 files changed, 29 insertions(+)
 create mode 100644 towncrier/newsfragments/2214.doc

diff --git a/docs/faq.rst b/docs/faq.rst
index 3194ee36..c2cea7be 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -664,6 +664,8 @@ The above will block flagged IPs for a week, you can of course change it to you
 The above will block flagged IPs for a week, you can of course change it to you needs.
 
 7. Add the /etc/fail2ban/action.d/docker-action.conf
+  
+Option 1: Use plain iptables
 
 .. code-block:: bash
 
@@ -685,6 +687,33 @@ The above will block flagged IPs for a week, you can of course change it to you
 
 Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
 
+Option 2:  Use ipset together with iptables
+IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system.
+
+See ipset homepage for details on ipset, https://ipset.netfilter.org/.
+
+ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules.
+There is just one rule for the bad authentications and the IPs are within the ipset. 
+Specially in larger setups with a high amount of brute force attacks this comes in handy.
+Using iptables with ipset might reduce the system load in such attacks significantly.
+
+.. code-block:: bash
+
+  [Definition]
+
+  actionstart = actionstart = ipset --create f2b-bad-auth iphash
+                iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP
+
+  actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP
+               ipset --destroy f2b-bad-auth
+
+
+  actionban = ipset --test f2b-bad-auth <ip> ||  ipset --add f2b-bad-auth <ip>
+
+  actionunban = ipset --test f2b-bad-auth <ip> && ipset --del f2b-bad-auth <ip>
+
+Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
+
 8. Configure and restart the Fail2Ban service
 
 Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.
diff --git a/towncrier/newsfragments/2214.doc b/towncrier/newsfragments/2214.doc
new file mode 100644
index 00000000..e69de29b