On 6/25/19 11:41 PM, MRob wrote: > When fail2ban block a IP address, established connections are allowed > to continue, but with no rule to accept established connections how is > that possible? It doesn't look like it would be. 1: Open a connection that will demonstrate the problem later. 2: Trigger a block from an address that you control. 3: Check the output of "iptables -L -v" to demonstrate that the address is blocked. 4: Use "tcpdump -nn -i any host <address>" to watch traffic from that address. 5: Send a command over the connection from step 1. tcpdump should show packets in both directions, and your session should be usable, according to the problem you described. 6: Check the output of "iptables -L -v" again and look at the counters on each rule to see which rule is being matched.