I installed fail2ban 0.9.1 on my Synology NAS to deal with failed SSH attempts. When I start the jail, I get the following errors in fail2ban.log:

2015-02-01 17:22:52,394 fail2ban.jail [30576]: INFO Jail 'ssh-iptables-syno' started
2015-02-01 17:22:53,287 fail2ban.actions [30576]: NOTICE [ssh-iptables-syno] Ban 103.41.124.52
2015-02-01 17:22:53,613 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2015-02-01 17:22:53,625 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables v1.4.21: unknown option "--reject-with"\nTry `iptables -h\' or \'iptables --help\' for more information.\n'
2015-02-01 17:22:53,626 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 103.41.124.52 -j REJECT --reject-with icmp-port-unreachable -- returned 2
Another example:

2015-02-01 17:22:54,525 fail2ban.actions [30576]: NOTICE [ssh-iptables-syno] Ban 222.161.4.147
2015-02-01 17:22:54,855 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2015-02-01 17:22:54,857 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables v1.4.21: unknown option "--reject-with"\nTry `iptables -h\' or \'iptables --help\' for more information.\n'
2015-02-01 17:22:54,858 fail2ban.action [30576]: ERROR iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable -- returned 2
2015-02-01 17:22:54,860 fail2ban.actions [30576]: ERROR Failed to execute ban jail 'ssh-iptables-syno' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x40dfe0b0>, 'matches': u'warning\t2015/02/01 17:14:04\tSYSTEM:\tUser [root] from [222.161.4.147] failed to log in via [SSH] due to authorization failure.\nwarning\t2015/02/01 17:14:06\tSYSTEM:\tUser [root] from [222.161.4.147] failed to log in via [SSH] due to authorization failure.\nwarning\t2015/02/01 17:14:09\tSYSTEM:\tUser [root] from [222.161.4.147] failed to log in via [SSH] due to authorization failure.', 'ip': '222.161.4.147', 'ipmatches': <function <lambda> at 0x40dfe0f0>, 'ipfailures': <function <lambda> at 0x40dfe030>, 'time': 1422807774.52478, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x40dfe070>})': Error banning 222.161.4.147
-> Full log excerpt: http://pastebin.com/TvTG3c7W
When I try to run the iptables command directly, I get the same error:

# iptables -I f2b-ssh-iptables-syno 1 -s 222.161.4.147 -j REJECT --reject-with icmp-port-unreachable
iptables v1.4.21: unknown option "--reject-with"
I have another machine (12.04) with iptables 1.4.21 and fail2ban 0.9.1 where everything works flawlessly. Here is some iptables information from both machines:
Bad machine:

# iptables --version
iptables v1.4.21
# cat /proc/net/ip_tables_targets
LOG ERROR
# cat /proc/net/ip_tables_matches
limit state udplite udp tcp multiport multiport icmp
Good machine:

# iptables --version
iptables v1.4.21
# cat /proc/net/ip_tables_targets
AUDIT NFLOG NFQUEUE NFQUEUE NFQUEUE CLASSIFY CONNMARK CONNMARK MARK MARK MARK ULOG TPROXY TPROXY MASQUERADE REDIRECT TOS TOS DSCP LOG TCPMSS DNAT SNAT REJECT ERROR
# cat /proc/net/ip_tables_matches
statistic time connlimit realm pkttype connmark connmark physdev string string owner comment conntrack conntrack conntrack helper limit hashlimit hashlimit iprange iprange policy owner addrtype addrtype recent state length ttl tcpmss multiport multiport tos tos dscp icmp udplite udp tcp
Any idea how to deal with this error?

Update: thanks to @ricardo, I found that iptables on my Synology (DSM 5) is missing the REJECT target. No idea how to add it.
Try looking at which iptables modules are loaded on the good machine and compare them with the bad one:

# cat /proc/net/ip_tables_matches
state icmp recent multiport multiport udplite udp tcp
Also check whether the REJECT target exists:

# cat /proc/net/ip_tables_targets
REJECT MASQUERADE DNAT SNAT ERROR

If you don't see REJECT in the list, then your iptables build doesn't have it, and the fail2ban rules won't be able to work with it.
OK, I figured it out:

fail2ban tries to insert the ban using the iptables REJECT target, which is not available on Synology DSM 5.x systems. (thx @Ricardo)

The fix is to edit the fail2ban action and change it from REJECT to DROP (which is available by default). In my case (fail2ban v0.8.14, action: iptables-allports) this is done like so:

As commands:

# echo "blocktype = DROP" > /etc/fail2ban/action.d/iptables-blocktype.local
# fail2ban-client reload

iptables-blocktype.local is loaded automatically by action.d/iptables-blocktype.conf.

This post on the German Synology board was very helpful: http://www.synology-forum.de/showthread.html?50964-Zarafa-mit-fail2ban-absichern&highlight=fail2ban
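As an added illustration of both ricardo's "compare the two machines" check and the blocktype override from the accepted answer, here is a small POSIX shell script written for this page (it is not code from the thread or from the fail2ban project). It reads the same /proc/net/ip_tables_targets listing quoted above, reports which targets a reference box has that the NAS lacks, picks REJECT only when the kernel actually registers it, and writes the override file. Assumptions: the override path /etc/fail2ban/action.d/iptables-blocktype.local and the [Init] section header follow the fail2ban 0.8.x iptables-blocktype.conf layout the answer refers to; the file paths passed to the functions in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread or from fail2ban itself.
# Helpers to diagnose and work around a kernel whose iptables build lacks
# the REJECT target (the Synology DSM 5 case discussed above).

# missing_targets GOOD_FILE BAD_FILE
# Prints, one per line and de-duplicated, every target listed in GOOD_FILE
# (e.g. /proc/net/ip_tables_targets copied from a working box) that does
# not appear in BAD_FILE (the same file on the NAS).
missing_targets() {
    good="$1"
    bad="$2"
    while read -r target; do
        [ -n "$target" ] || continue
        grep -qx "$target" "$bad" || echo "$target"
    done < "$good" | sort -u
}

# choose_blocktype [TARGETS_FILE]
# Prints "REJECT" when that target is registered in TARGETS_FILE
# (default: /proc/net/ip_tables_targets), otherwise the always-available "DROP".
choose_blocktype() {
    targets_file="${1:-/proc/net/ip_tables_targets}"
    if [ -r "$targets_file" ] && grep -qx 'REJECT' "$targets_file"; then
        echo REJECT
    else
        echo DROP
    fi
}

# write_blocktype_local BLOCKTYPE DEST_FILE
# Writes an override that sets only blocktype; everything else still comes
# from action.d/iptables-blocktype.conf, which includes the .local file.
# DEST_FILE is normally /etc/fail2ban/action.d/iptables-blocktype.local
# (assumed path, as in the accepted answer).
write_blocktype_local() {
    blocktype="$1"
    dest="$2"
    printf '[Init]\nblocktype = %s\n' "$blocktype" > "$dest"
}

# Typical use on the NAS (run as root, then "fail2ban-client reload"):
#   write_blocktype_local "$(choose_blocktype)" /etc/fail2ban/action.d/iptables-blocktype.local
```

One caveat a practitioner should keep in mind: /proc/net/ip_tables_targets lists only targets currently registered with the kernel. On a stock distribution kernel REJECT usually lives in the loadable module ipt_REJECT and is auto-loaded the first time a rule uses it, so on such a box run modprobe ipt_REJECT before trusting choose_blocktype, or it will fall back to DROP needlessly. On the Synology firmware in this thread the target is simply absent, which is exactly the case the fallback is for. Note also that DROP silently discards packets whereas REJECT sends an ICMP error; for an SSH ban that difference only affects how quickly the blocked client notices, not the protection.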