diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index 20551c16..b24e6942 100644
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@@ -3,23 +3,27 @@
 {
 services.fail2ban = {
 enable = true;
+ packageFirewall = pkgs.nftables;
+ banaction="nftables-multiport";
+ banaction-allports = "nftables-allports";
 jails = {
- DEFAULT = ''
- bantime = 1d
+ default = ''
+ bantime = 7d
 blocktype = DROP
- logpath = /var/log/auth.log
+ action = nftables-allports
+ logpath = /var/log/auth.log
 '';
 ssh = ''
 enabled = true
 filter = sshd
 maxretry = 4
- action = iptables[name=SSH, port=ssh, protocol=tcp]
+ action = nftables-multiport[name=SSH, port=ssh, protocol=tcp]
 '';
 sshd-ddos = ''
 enabled = true
 filter = sshd-ddos
 maxretry = 4
- action = iptables[name=ssh, port=ssh, protocol=tcp]
+ action = nftables-multiport[name=ssh, port=ssh, protocol=tcp]
 '';
 };
 };
diff --git a/services/mail.nix b/services/mail.nix
index 568f66ae..ac0e7312 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -10,20 +10,20 @@ with lib;
 enabled = true
 filter = postfix
 maxretry = 3
- action = iptables[name=postfix, port=smtp, protocol=tcp]
+ action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
 '';
 postfix-sasl = ''
 enabled = true
 filter = postfix-sasl
 port = postfix,imap3,imaps,pop3,pop3s
 maxretry = 3
- action = iptables[name=postfix, port=smtp, protocol=tcp]
+ action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]
 '';
 postfix-ddos = ''
 enabled = true
 filter = postfix-ddos
 maxretry = 3
- action = iptables[name=postfix, port=submission, protocol=tcp]
+ action = nftables-multiport[name=postfix, port=submission, protocol=tcp]
 bantime = 7200
 '';
 };
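Review bot: Renaming the `DEFAULT` jail to `default` most likely strips it of its role as the defaults section: as far as I recall the NixOS module writes each `jails` attribute name verbatim as an INI `[name]` header, and fail2ban's INI parser only treats the upper-case `DEFAULT` section as defaults, so `bantime = 7d`, `blocktype = DROP` and `action = nftables-allports` would become settings of an ordinary, never-enabled jail called `default` and stop applying to `ssh` and `sshd-ddos`. Keep `DEFAULT = ''` as the attribute name. Separately, `blocktype = DROP` is the iptables spelling; the nftables actions substitute `<blocktype>` into an `nft` rule where the verdict keyword is lower-case, so if this setting is meant to reach the new actions it should read `blocktype = drop`, and if nothing references it, it is dead config. Since the ban window is now a week, validate the generated config with `fail2ban-client -c /etc/fail2ban -t` before deploying.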
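Review bot: In the `postfix-sasl` jail the explicit `port=smtp` in the rewritten `action = nftables-multiport[name=postfix, port=smtp, protocol=tcp]` overrides the jail's own `port = postfix,imap3,imaps,pop3,pop3s`, so a host banned for SASL authentication failures is blocked only on port 25 and can keep trying on submission/smtps and the listed IMAP/POP ports. Either drop the `action =` line so the `banaction` set in this commit is used with the jail's `port =` list, or widen it to `action = nftables-multiport[name=postfix, port="smtp,submission,smtps", protocol=tcp]`. All three postfix jails also pass the same `name=postfix`, which, if I read the nftables actions correctly, makes them share one `f2b-postfix` set so stopping one jail tears down the others' bans; letting `name` default to the jail name avoids that. The `postfix` jail's header, and the enclosing `jails` attribute set, begin before this hunk. I cannot confirm that `filter = postfix-ddos` exists in the fail2ban package (upstream folded ddos handling into `postfix[mode=ddos]`), so check the jail loads with `fail2ban-client -c /etc/fail2ban -t`.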