[CentOS] iptables - how to block established connections with fail2ban?

Wed Jun 26 06:41:15 UTC 2019
MRob <mrobti at insiberia.net>

I am working on a CentOS 6 server with a nonstandard iptables system 
without a rule for ACCEPT ESTABLISHED connections. All tables and chains 
are empty (flushed by a legacy custom script), so only the filter/INPUT 
chain has rules (also the fail2ban chain):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix   tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02

Chain f2b-postfix (1 references)
target     prot opt source               destination
REJECT     all  --  200.23.235.30        0.0.0.0/0           reject-with icmp-port-unreachable
REJECT     all  --  177.11.167.57        0.0.0.0/0           reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

When fail2ban blocks an IP address, established connections are allowed to 
continue, but with no rule to accept established connections, how is that 
possible? Why doesn't the first f2b rule block established connections?