fail2ban rule results in "iptables returned 200" error message

I did a quick google search and no answer seemed to help me, so I just tried the first thing that came into my mind:

I renamed the rule and made its name shorter:

[apache-suspicious]
enabled   = true
port      = http,https
filter    = apache-suspicious
banaction = iptables-allports
action    = %(action_mwl)s
logpath   = /var/log/apache2/error*.log
maxretry  = 3

(I renamed the rule from apache-suspiciousfiles to apache-suspicious)

That actually helped me. Now everything starts up just fine and my rule is working.

Also occurs if your configuration produces 'multiport' and 'all' together ('all' can be used to work around bots switching from tcp to udp, which fills logs with "WARNING: ... already banned").

$ sudo iptables -I INPUT -p all -m multiport --dports ssh -j fail2ban-ssh
iptables: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'

$ echo $?
2

$ cat fail2ban.log
iptables -I INPUT -p all -m multiport --dports ssh -j fail2ban-ssh returned 200

For me, a 200 was because the action.d rule sent to iptables couldn't be parsed.

My iptables action.d rule was as follows

[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
##comments and more actions removed for brevity
[Init]
name = default
#port = ssh
protocol = any

Note how my port variable was commented out! I do not know what iptables would have been fed, I am assuming it would be blank. Regardless of it's value, it's not going to be a known port that iptables could understand.

I had to edit my rule to remove the --dport bit, since I wasn't actually going to pass a port, and then it was ok to load without causing it to return 200.

I got the same error today:

2017-04-05 23:00:27,123 fail2ban.jail   [501]: WARNING Jail name 'wordpress-404-scanner' might be too long and some commands (e.g. iptables) might not function correctly. Please shorten

2017-04-05 23:00:27,455 fail2ban.actions.action[501]: ERROR   iptables -N fail2ban-wordpress-404-scanner
iptables -A fail2ban-wordpress-404-scanner -j RETURN
iptables -I INPUT -p tcp -j fail2ban-wordpress-404-scanner returned 200

It was quite clear to replace in /etc/fail2ban/jail.local:

action   = iptables-allports[name=wordpress-404-scanner]

with:

action   = iptables-allports[name=wordpress-404]

And now it works!

In my case, my rule name was short enough, but the 200 error persisted.

My mistake turned out to be from trying to ban multiple ports with an iptables[] action, which only works for a single port. Once I changed my action to use iptables-multiport[], the error ceased:

action = iptables[name=HTTPD, port="http,https", protocol=tcp]  # < bad
action = iptables-multiport[name=HTTPD, port="http,https", protocol=tcp] # < good

the error ceased.