Crowdsec FW bouncer with nftables configured but I think it's not working

Hello everyone

I have a caddy + Coraza + Crowdsec with docker compose working fine and reporting to the console.

My OS is Raspbian, which is based on Debian 12 (bookworm).

I have decided to add the FW bouncer so that the IPs are blocked in the system FW, which is nftables.

I have installed the nftables version on the OS directly and connected it to crowdsec.
When I force a block on Coraza, the Crowdsec integration parses the log, detects it and blocks it.
I see that the blocked IP is added to the blacklist of the FW bouncer, but I don’t see anything in kern.log, and that makes me suspect that something is not working well, because I do see all the UFW entries.

I’ll give you my configuration, the doubts I’ve had and the logs to see if you can tell me the error or confirm that it is working well.

Do you think so?

Host information


Logs and cscli commands

Bouncer list

When I force a Coraza block and when I manually add a ban:

Note: I’m behind Cloudflare tunnel and I see in caddy.log the access from the same IP (172.18.0.1).
Usually I have 172.18.0.0/12 in the whitelist, but I removed it to test.

crowdsec.log

crowdsec-firewall-bouncer.log


decision list


nft list table crowdsec

kern.log => Nothing

According to what I have read in forums, you should see entries like these:

Journalctl => also nothing

In both cases I see the decisions in the decision list and the app.crowdsec console is informed.

Configuration files

mode: nftables
update_frequency: 10s
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: http://localhost:8080/
api_key: XXXXX
## TLS Authentication
# cert_path: /etc/crowdsec/tls/cert.pem
# key_path: /etc/crowdsec/tls/key.pem
# ca_cert_path: /etc/crowdsec/tls/ca.crt
insecure_skip_verify: false
disable_ipv6: true
deny_action: DROP
deny_log: true
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#type of ipset to use
ipset_type: nethash
#if present, insert rule in those chains
iptables_chains:
  - INPUT
#  - FORWARD
  - DOCKER-USER
iptables_add_rule_comments: true

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
    priority: -10
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain
    priority: -10

nftables_hooks:
  - input
#  - forward
  - docker-user

# packet filter
pf:
  # an empty string disables the anchor
  anchor_name: ""

prometheus:
  enabled: false
  listen_addr: 127.0.0.1
  listen_port: 60601

Regarding this configuration, I have not found documentation.

These settings came in the file after installation, and what I did was adapt them to the iptables ones, which are documented.
I added docker-user because I read that if you have crowdsec in docker you have to do it.
I have many doubts about this because, in addition, the chains in iptables are uppercase and here they were filled in lowercase, and I don’t know if I have to change it.

nftables_hooks:
  - input
#  - forward
  - docker-user

The same goes for the priority parameter, which was already set to -10 in the original file.

startup log

Summing up:

I don’t know if the FW bouncer configuration for nftables_hook is correct and I also don’t know if it is communicating well with crowdsec and nftables because I don’t see anything being written in the kern.log.

On the other hand, is there any way to log the source IP instead of the FW bouncer IP (172.18.0.1)?

I hope I have explained myself well.
If you need more information I am fully available.

Thank you very much in advance.

Hi again

I just want to add more information because I have not made progress.

Note: what is under the red bar I added is a real IP.

This is my crowdsec console and, as you can see, there are some remediation components inactive, but sincerely I don’t know why there are 2 remediations for caddy and 2 for firewall.

The fact is that the console is reported to when I make a test, so I assume that everything is working and they are inactive because they have nothing to do because there are no attacks, but I’m really not sure.

This is the bouncer list

I saw the crowdsec entry in kern.log one time.

It is probably this one:

More info about the bouncers

raspi@raspberrypi3:~/docker/caddy $ sudo docker compose -f /home/raspi/docker/caddy/docker-compose.yml exec -t crowdsec cscli bouncers inspect CADDY
───────────────────────────────────────────────────────
 Bouncer: CADDY
───────────────────────────────────────────────────────
 Created At    2025-08-20 13:20:42.028418007 +0000 UTC
 Last Update   2025-09-09 09:17:12.657264892 +0000 UTC
 Revoked?      false
 IP Address    172.18.0.3
 Type          caddy-cs-bouncer
 Version       v0.9.2
 Last Pull     2025-09-09 09:17:12.478232526 +0000 UTC
 Auth type     api-key
 OS            ?
 Auto Created  false
───────────────────────────────────────────────────────
raspi@raspberrypi3:~/docker/caddy $ sudo docker compose -f /home/raspi/docker/caddy/docker-compose.yml exec -t crowdsec cscli bouncers inspect CADDY@172.18.0.2
───────────────────────────────────────────────────────
 Bouncer: CADDY@172.18.0.2
───────────────────────────────────────────────────────
 Created At    2025-08-21 08:09:24.288459346 +0000 UTC
 Last Update   2025-09-01 07:18:46.166292535 +0000 UTC
 Revoked?      false
 IP Address    172.18.0.2
 Type          caddy-cs-bouncer
 Version       v0.9.2
 Last Pull     2025-09-01 07:18:46.098599646 +0000 UTC
 Auth type     api-key
 OS            ?
 Auto Created  true
───────────────────────────────────────────────────────
raspi@raspberrypi3:~/docker/caddy $ sudo docker compose -f /home/raspi/docker/caddy/docker-compose.yml exec -t crowdsec cscli bouncers inspect host-firewall-bouncer
───────────────────────────────────────────────────────
 Bouncer: host-firewall-bouncer
───────────────────────────────────────────────────────
 Created At    2025-08-22 08:37:55.349479112 +0000 UTC
 Last Update   2025-08-22 08:49:36.351681636 +0000 UTC
 Revoked?      false
 IP Address    192.168.8.18
 Type          curl
 Version       7.88.1
 Last Pull     2025-08-22 08:49:36.35166898 +0000 UTC
 Auth type     api-key
 OS            ?
 Auto Created  false
───────────────────────────────────────────────────────
raspi@raspberrypi3:~/docker/caddy $ sudo docker compose -f /home/raspi/docker/caddy/docker-compose.yml exec -t crowdsec cscli bouncers inspect host-firewall-bouncer@172.18.0.1
───────────────────────────────────────────────────────────────────────────────────────
 Bouncer: host-firewall-bouncer@172.18.0.1
───────────────────────────────────────────────────────────────────────────────────────
 Created At    2025-08-22 08:52:06.962371146 +0000 UTC
 Last Update   2025-09-09 08:43:06.582544342 +0000 UTC
 Revoked?      false
 IP Address    172.18.0.1
 Type          crowdsec-firewall-bouncer
 Version       v0.0.34-debian-pragmatic-arm64-4144555453620958398aee64253dfd90bbc1f698
 Last Pull     2025-09-09 08:43:06.366895709 +0000 UTC
 Auth type     api-key
 OS            Debian GNU/Linux/12
 Auto Created  true

Thanks in advance

Hello

I wanted to update the information in case anyone finds it useful, since I’m talking to @iiAmLoz on the Discord, who is a very kind person, THANKS!!

Both Crowdsec and the FW bouncer are working fine; there is nothing in kern.log because I am behind a Cloudflare tunnel and it bypasses the firewall, so there is no match on the FW rule.
I have done a test by opening ports, and then there is indeed a match.

There are two questions left to answer.

  1. Which version of the bouncer should I use (nftables or iptables) because Debian 12 uses nftables but has iptables_nf which translates between iptables and nftables.
    I’ve tried both and they both seem to work well.

  2. Is the configuration of nftables_hook with lowercase strings correct, or do they have to be uppercase?
    What value should priority have?

When I have the answers I will complete the thread.

Greetings and thanks to the Crowdsec team.
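A check that follows from the resolution above (the decision is loaded into the nftables set, but traffic arriving through the Cloudflare tunnel never hits the drop rule, so nothing is logged), written as an added example that is not from this thread or from the CrowdSec project: it reads the JSON output of `sudo nft -j list table ip crowdsec` (a constructed sample is embedded so it runs offline) and tells you whether a decision IP is in the bouncer's set and whether the drop rule's counter has ever incremented. It assumes the set and chain names from the configuration posted above and the `nft -j` object layout shown in the sample.

```python
import ipaddress
import json

# Constructed sample of `sudo nft -j list table ip crowdsec` output (not a real capture):
# set/chain names follow the bouncer config in the thread, elements and counters are invented.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"set": {"family": "ip", "name": "crowdsec-blacklists", "table": "crowdsec",
             "type": "ipv4_addr", "flags": ["timeout"], "elem": [
                 {"elem": {"val": "203.0.113.7", "timeout": 14400, "expires": 13980}},
                 {"elem": {"val": {"prefix": {"addr": "198.51.100.0", "len": 24}},
                           "timeout": 3600, "expires": 3000}}]}},
    {"rule": {"family": "ip", "table": "crowdsec", "chain": "crowdsec-chain", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                   "right": "@crowdsec-blacklists"}},
        {"counter": {"packets": 0, "bytes": 0}},
        {"log": {"prefix": "crowdsec drop: "}},
        {"drop": None}]}},
]})


def blacklist_networks(doc, set_name):
    """Networks held in the bouncer's set; handles bare, timed and prefix elements."""
    nets = []
    for s in (o["set"] for o in doc["nftables"] if "set" in o and o["set"]["name"] == set_name):
        for elem in s.get("elem", []):
            val = elem["elem"]["val"] if isinstance(elem, dict) and "elem" in elem else elem
            if isinstance(val, dict) and "prefix" in val:  # "198.51.100.0/24" style element
                val = f"{val['prefix']['addr']}/{val['prefix']['len']}"
            nets.append(ipaddress.ip_network(val))
    return nets


def drop_rule_packets(doc, chain, set_name):
    """Packets counted on the rule that drops sources found in set_name; None if no such rule."""
    for rule in (o["rule"] for o in doc["nftables"] if "rule" in o and o["rule"]["chain"] == chain):
        exprs = rule["expr"]
        if any("drop" in e for e in exprs) and \
                any(e.get("match", {}).get("right") == "@" + set_name for e in exprs):
            return sum(e["counter"]["packets"] for e in exprs if "counter" in e)
    return None


def check_decision(nft_json, ip, set_name="crowdsec-blacklists", chain="crowdsec-chain"):
    """'blocking', 'loaded-no-hits' (IP in the set, rule never matched: the tunnel case),
    'not-in-set' or 'no-drop-rule'."""
    doc = json.loads(nft_json)
    packets = drop_rule_packets(doc, chain, set_name)
    if packets is None:
        return "no-drop-rule"
    if not any(ipaddress.ip_address(ip) in net for net in blacklist_networks(doc, set_name)):
        return "not-in-set"
    return "blocking" if packets > 0 else "loaded-no-hits"
```

On the real host, feed it the output of `sudo nft -j list table ip crowdsec` and the IP from `cscli decisions list`; "loaded-no-hits" with a tunnel in front is the bouncer working as designed, while "not-in-set" points at the bouncer or LAPI side rather than the firewall.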