2024-06-19, 04:26 PM
I believe this stack exchange post explains it.
https://unix.stackexchange.com/questions...urn-target
Quote: Packets traverse a chain until they hit ACCEPT, DROP, REJECT, or RETURN. They do not stop on a match unless that match contains a terminating action. In your example, a packet matching the first rule will be marked, but will then be examined (and possibly processed) by the second rule.
Purely for reference, here are the relevant sections from the man page:
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP [, REJECT], QUEUE or RETURN.
ACCEPT means to let the packet through.
DROP means to drop the packet on the floor, i.e. to discard it and not send any response.
[REJECT is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal.]
QUEUE means to pass the packet to userspace.
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
In response to your specific concern, I would say that your guide is misleading. Unless "associated action" is one of the five terminal actions, packets will continue to flow through the chain until they reach an implicit RETURN at the end.
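To make the traversal semantics quoted above concrete, here is a small Python model of how a packet walks a chain. It is an added illustration, not iptables code and not something the poster wrote; the chain names, the ruleset, the `Packet` fields and the `MARK` handling are all constructed for the demonstration. It shows the case the post warns about (a matching rule with a non-terminating target, after which the next rule is still examined), a jump into a user-defined chain, `RETURN` handing control back to the calling chain, and the built-in chain's policy deciding when nothing terminates.

```python
"""Toy model of iptables chain traversal (added example; constructed ruleset).

Rules, chains and packets are built inline. A rule's match criterion is a
plain callable so the focus stays on when traversal stops and when it
continues."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Targets that end traversal for the packet outright.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE"}


@dataclass
class Packet:
    src: str
    dport: int
    mark: int = 0            # written by the non-terminating MARK target


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str              # ACCEPT/DROP/REJECT/QUEUE/RETURN/MARK or a user-chain name
    mark_value: int = 0      # only meaningful when target == "MARK"


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # built-in chains carry a policy; user chains do not


def traverse(chains: Dict[str, Chain], name: str, pkt: Packet) -> Optional[str]:
    """Walk chain `name` for `pkt`.

    Returns a terminating verdict, or None when a user-defined chain ran off
    its end or hit RETURN, in which case the caller resumes at its next rule.
    """
    chain = chains[name]
    for rule in chain.rules:
        if not rule.match(pkt):
            continue                        # no match: examine the next rule
        t = rule.target
        if t in TERMINATING:
            return t                        # ACCEPT/DROP/REJECT/QUEUE: done
        if t == "RETURN":
            break                           # leave this chain, caller resumes
        if t == "MARK":
            pkt.mark = rule.mark_value
            continue                        # matched, but NOT terminating
        # Otherwise the target names a user-defined chain: jump into it.
        verdict = traverse(chains, t, pkt)
        if verdict is not None:
            return verdict
        # The user chain returned without a verdict: carry on with the next rule here.
    if chain.policy is not None:
        return chain.policy                 # end of a built-in chain: policy decides
    return None                             # end of a user chain: hand back to caller


def build_chains() -> Dict[str, Chain]:
    """Constructed ruleset used by the demonstration (not a real config)."""
    user = Chain(rules=[
        Rule(lambda p: p.dport == 22, "ACCEPT"),
        Rule(lambda p: p.src.startswith("10."), "RETURN"),   # back to INPUT
        Rule(lambda p: True, "DROP"),
    ])
    inp = Chain(rules=[
        Rule(lambda p: p.dport == 80, "MARK", mark_value=1),  # matches, keeps going
        Rule(lambda p: p.dport == 80, "DROP"),                # still examined
        Rule(lambda p: True, "user"),                          # jump to user chain
    ], policy="REJECT")
    return {"INPUT": inp, "user": user}


def verdict_for(src: str, dport: int) -> Tuple[str, int]:
    """Run one constructed packet through INPUT; return (verdict, final mark)."""
    pkt = Packet(src, dport)
    return traverse(build_chains(), "INPUT", pkt), pkt.mark


if __name__ == "__main__":
    for src, dport in [("10.0.0.5", 80), ("10.0.0.5", 22),
                       ("10.0.0.5", 443), ("203.0.113.4", 443)]:
        print(f"{src}:{dport} -> {verdict_for(src, dport)}")
```

The first sample packet is the post's scenario: port 80 matches the `MARK` rule, gets marked, and is then dropped by the very next rule. The port 443 packet from `10.0.0.5` shows `RETURN` sending control back to `INPUT`, where the built-in policy (`REJECT` here) decides because no further rule terminates.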