diff --git a/README.md b/README.md index 310a9b72..7bca7983 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,12 @@ The default `docker compose up -d` keeps using SQLite. To run with the bundled P docker compose --profile postgres up -d ``` +The image bundles Fail2ban (enabled by default) to enforce per-client **IP limits**. Fail2ban bans offenders with `iptables`, which requires the `NET_ADMIN` capability. `docker-compose.yml` already grants it via `cap_add`; if you start the container with `docker run` instead, add the capabilities yourself, otherwise bans are logged but never applied: + +```bash +docker run -d --cap-add=NET_ADMIN --cap-add=NET_RAW ... ghcr.io/mhsanaei/3x-ui +``` + ## A Special Thanks to - [alireza0](https://github.com/alireza0/) diff --git a/docker-compose.yml b/docker-compose.yml index ddb9493a..5593dfec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,6 +5,13 @@ services: dockerfile: ./Dockerfile container_name: 3xui_app # hostname: yourhostname <- optional + # The bundled Fail2ban (XUI_ENABLE_FAIL2BAN below) enforces the IP limit + # with iptables, which needs NET_ADMIN. Without these caps a ban is logged + # and shown in fail2ban status but never actually applied. NET_RAW covers + # ip6tables. If you disable Fail2ban, you can drop cap_add. + cap_add: + - NET_ADMIN + - NET_RAW volumes: - $PWD/db/:/etc/x-ui/ - $PWD/cert/:/root/cert/
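Review bot: The README hunk says Fail2ban "requires the `NET_ADMIN` capability" but the `docker run` example then adds `--cap-add=NET_RAW` as well without saying why; the docker-compose.yml comment in this same patch explains that NET_RAW covers ip6tables, so state that in the README too (one clause such as "and `NET_RAW` for ip6tables") so readers do not drop the second flag as unnecessary. It would also help to carry over the other half of the compose comment: if Fail2ban is disabled via `XUI_ENABLE_FAIL2BAN`, neither capability is needed, which is worth saying because `NET_ADMIN` is a broad privilege (it lets the process reconfigure interfaces, routes and firewall rules in its network namespace) and should only be granted while the feature is actually in use.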
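Review bot: The docker-compose.yml comment states that without these caps a ban is "logged and shown in fail2ban status but never actually applied", which is precisely the failure mode an operator will not notice from Fail2ban's own output; add one line telling them how to confirm enforcement, for example checking that a ban rule actually appears in `iptables -L` inside the container after a test ban, rather than trusting `fail2ban-client status` alone. Also note that `cap_add` is now granted unconditionally even when Fail2ban is turned off; since Compose cannot make `cap_add` depend on an environment variable, the "you can drop cap_add" sentence is the only guard, so phrase it as an explicit recommendation ("remove these two lines if you disable Fail2ban via XUI_ENABLE_FAIL2BAN") so the least-privilege default is clear.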