@dicko wrote:
Sometimes it's best to go to the horse's mouth, as to how it does its stuff:
http://www.fail2ban.org/wiki/index.php/Main_Page
The chains it builds are dynamically updated in iptables as intrusions are detected. Those rules are constrained to the fail2ban chains; the rest of iptables is untouched. Packets ARE without doubt processed in the order that iptables -L lists the rules. If you have rules in place before fail2ban is started then they should be honored; if you add them after fail2ban's chains are started then they might conflict. The order is important.
So get your iptables-based firewall working as you want, THEN start fail2ban. If you have a "perfect" firewall then nothing will ever get to fail2ban, as it appends its chains to the extant ones; if you have used it to fully protect all your services then it can probably catch those clever bastards permitted by the "imperfect" firewall.