I recently started using the LSIO fail2ban container and set up a jail for failures connecting to my LSIO openssh-server container, but when fail2ban tries to execute the script to block IPs I get an error like so:
2023-03-29 16:40:14,776 7FF1A26E8B38 ERROR 7ff1a352d890 -- exec: { iptables -w -C f2b-openssh-server -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-openssh-server || true; iptables -w -A f2b-openssh-server -j RETURN; }
2023-03-29 16:40:14,776 7FF1A26E8B38 ERROR 7ff1a352d890 -- stderr: 'iptables: No chain/target/match by that name.'
2023-03-29 16:40:14,776 7FF1A26E8B38 ERROR 7ff1a352d890 -- returned 1
2023-03-29 16:40:14,776 7FF1A26E8B38 ERROR Failed to execute ban jail 'openssh-server' action 'iptables-multiport' info 'ActionInfo({'ip': '167.71.38.232', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7ff1a3ec09d0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7ff1a3ec1090>})': Error starting action Jail('openssh-server')/iptables-multiport: 'Script error'
If I run the first command listed with exec manually when logged into the container as root it succeeds though:
root@fail2ban:/# { iptables -w -C f2b-openssh-server -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-openssh-server || true; iptables -w -A f2b-openssh-server -j RETURN; }
root@fail2ban:/#
Then on the host:
❯ sudo iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-openssh-server
-A f2b-openssh-server -j RETURN
The relevant part of my docker-compose.yml:
fail2ban:
  cap_add:
    - NET_ADMIN
    - NET_RAW
  container_name: fail2ban
  environment:
    PGID: "1000"
    PUID: "1000"
    TZ: US/Eastern
  image: lscr.io/linuxserver/fail2ban
  logging:
    driver: json-file
    options:
      max-file: "10"
      max-size: 200k
  network_mode: host
  restart: unless-stopped
  volumes:
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /var/log
      target: /var/log
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /home/trolley/.config/appdata/fail2ban
      target: /config
      bind:
        create_host_path: true
Note: There is no tag for fail2ban and I’m forced to pick one, so I picked swag since it includes fail2ban as well.