Fail2ban extension hangs: iptables: Too many links.

Created: 2016-12-18 06:43:53 UTC

Modified: 2017-08-08 13:44:32 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Symptoms

Disabling Plesk Firewall in Tools & Settings > Firewall deletes the Fail2Ban chains in iptables. The iptables ruleset becomes empty.

The Fail2Ban log file /var/log/fail2ban.log contains the following errors:

2017-01-09 10:13:16,967 fail2ban.action         [13400]: ERROR   iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stderr: 'iptables: Too many links.\n'
2017-01-09 10:13:16,968 fail2ban.action         [13400]: ERROR   iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- returned 1
2017-01-09 10:13:16,968 fail2ban.actions        [13400]: ERROR   Failed to stop jail 'plesk-wordpress-j' action 'iptables-multiport': Error stopping action
2017-01-09 10:13:16,969 fail2ban.jail           [13400]: INFO    Jail 'plesk-wordpress-j' stopped
2017-01-09 10:13:17,420 fail2ban.action         [13400]: ERROR   iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stdout: ''
2017-01-09 10:13:17,420 fail2ban.action         [13400]: ERROR   iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stderr: 'iptables: Too many links.\n'

The iptables rules are empty even though the fail2ban service is running on the server:

# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

When fail2ban is restarted, the iptables chains are recreated correctly and the errors stop being logged to fail2ban.log.
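One way to spot this symptom in /var/log/fail2ban.log, as an added example that is not part of the original article or of Plesk's tooling: it regroups the multi-line ERROR entries shown in the excerpt above and reports which chains could not be deleted and which jails failed to stop. The sample log is constructed from that excerpt, and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the fail2ban.log excerpt in this article.
SAMPLE_LOG = """\
2017-01-09 10:13:16,967 fail2ban.action         [13400]: ERROR   iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stderr: 'iptables: Too many links.\\n'
2017-01-09 10:13:16,968 fail2ban.actions        [13400]: ERROR   Failed to stop jail 'plesk-wordpress-j' action 'iptables-multiport': Error stopping action
2017-01-09 10:13:16,969 fail2ban.jail           [13400]: INFO    Jail 'plesk-wordpress-j' stopped
2017-01-09 10:13:17,420 fail2ban.action         [13400]: ERROR   iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-plesk-wordpress
iptables -F f2b-plesk-wordpress
iptables -X f2b-plesk-wordpress -- stderr: 'iptables: Too many links.\\n'
"""

HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \S+\s+\[\d+\]: (\w+)\s+(.*)$")
CHAIN = re.compile(r"iptables -X (\S+) -- stderr: 'iptables: Too many links")
JAIL = re.compile(r"Failed to stop jail '([^']+)' action '([^']+)'")

def entries(text):
    """Yield log entries, attaching untimestamped continuation lines to their entry."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {"level": m.group(1), "msg": m.group(2)}
        elif current and line.strip():
            current["msg"] += "\n" + line
    if current:
        yield current

def summarize(text):
    """Return ({chain: failed_delete_count}, {jails whose stop action failed})."""
    chains, jails = {}, set()
    for e in entries(text):
        if e["level"] != "ERROR":
            continue
        m = CHAIN.search(e["msg"])
        if m:
            chains[m.group(1)] = chains.get(m.group(1), 0) + 1
        m = JAIL.search(e["msg"])
        if m:
            jails.add(m.group(1))
    return chains, jails

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
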

Cause

This is an internal issue with ID #PPPM-5090, which is planned to be fixed in future product updates.

Resolution

The following workaround disables Plesk Firewall after saving the existing iptables rules:

1. Temporarily disable Fail2Ban at Tools & Settings > Services Management > IP Address Banning (Fail2ban)

2. Enable Plesk Firewall in Tools & Settings > Firewall > Enable Firewall Rules Management

3. Using SSH, save the iptables configuration:

# iptables-save > /root/iptables-settings.conf

4. Disable Plesk Firewall in Tools & Settings > Firewall > Enable Firewall Rules Management
5. Restore the iptables rules from the file:

# iptables-restore < /root/iptables-settings.conf

6. Re-enable Fail2Ban at Tools & Settings > Services Management > IP Address Banning (Fail2ban)
7. Modify the /etc/rc.d/rc.local script so that the saved iptables rules are applied at boot time:

# echo "iptables-restore < /root/iptables-settings.conf" >> /etc/rc.d/rc.local

Additional information

Unable to stop Fail2Ban jail: iptables: Too many links
