Modern distros (Debian 11+, Ubuntu 22.04+, RHEL/Fedora) use nftables, not legacy iptables. Fail2ban ships native nftables actions — use them to avoid the iptables-nft translation layer.
1. Set the nftables banaction globally
In /etc/fail2ban/jail.local:
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports
nftables-multiport — bans only the jail's ports (good default).
nftables-allports — bans the IP on every port (used by jails like recidive).
2. Reload
sudo fail2ban-client reload
3. Verify the ban table
Fail2ban creates its own nftables table. After at least one ban, check it:
sudo nft list table inet f2b-table
You’ll see a set named addr-set-<jail> holding the banned addresses.
4. Requirements
Make sure the nftables tooling is installed:
sudo apt install nftables # Debian/Ubuntu
Don't mix backends. If you previously used iptables-multiport, switching to nftables is clean on a reload, but avoid running both firewall stacks with conflicting rules.
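A small audit for step 1 and the caveat above, added here as an example (not from the page or the fail2ban project): it resolves the banaction each enabled jail in a jail.local-style file would actually use, follows fail2ban's %(banaction_allports)s indirection as recidive does, and flags a mix of iptables-* and nftables-* backends. The sample config is constructed; the assumed fallback of iptables-multiport mirrors the default fail2ban ships in jail.conf.

```python
import configparser
import re

# Constructed sample jail.local (not from the page); recidive uses the
# %(banaction_allports)s placeholder the way fail2ban's jail.conf does.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports

[sshd]
enabled = true

[recidive]
enabled = true
banaction = %(banaction_allports)s

[nginx-http-auth]
enabled = true
banaction = iptables-multiport
"""

_PLACEHOLDER = re.compile(r"^%\((\w+)\)s$")

def effective_banactions(ini_text, default="iptables-multiport"):
    """Map every enabled jail to the banaction fail2ban would actually use.

    interpolation=None: fail2ban's %(name)s syntax is resolved by hand below.
    `default` is assumed to match the banaction shipped in jail.conf.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    actions = {}
    for jail in cp.sections():  # [DEFAULT] is inherited, not listed
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        value = cp.get(jail, "banaction", fallback=default)
        for _ in range(5):  # follow %(x)s indirections, bounded to avoid loops
            m = _PLACEHOLDER.match(value.strip())
            if not m:
                break
            value = cp.get(jail, m.group(1), fallback=default)
        actions[jail] = value.strip()
    return actions

def backend_of(action):
    """Classify a banaction name by the firewall backend it drives."""
    for backend in ("nftables", "iptables"):
        if action.startswith(backend + "-"):
            return backend
    return "other"

def audit_backends(ini_text):
    """Report per-jail backends and whether the enabled jails mix them."""
    actions = effective_banactions(ini_text)
    backends = {jail: backend_of(a) for jail, a in actions.items()}
    return {"actions": actions, "backends": backends,
            "mixed": len(set(backends.values())) > 1}
```

Point it at your real file with `audit_backends(open("/etc/fail2ban/jail.local").read())`; a `mixed` result means some jail is still on the iptables backend.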
IPv6: the nftables-* actions handle IPv4 and IPv6 in one table, so a single banaction covers both — no separate *-ipv6 action needed like with older iptables setups.