Crowdsec ok - Bouncer-nft not working

Hello,

The bouncer-nft doesn't work at all.
I should have entries like these in my nft ruleset:

table ip crowdsec {
        set crowdsec-blacklists {
                type ipv4_addr
                flags timeout
                elements = { xxx.xxx.xxx.xxx timeout 6d16h56m45s16ms expires 6d16h14m37s824ms, 1.9.78.242 timeout 6d19h56m45s20ms expires 6d19h14m38s8ms,
# from another working server using same hardware and same distro !!!

And I should have lines like this in my journalctl:

 kernel: crowdsec drop: IN=enp5s0f1 OUT= MAC=00:1b:21:bc:e0:a1:34:27:92:60:e0:ca:08:00 SRC=XXX.XXX.XXX.XXX DST=192.168.1.137 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=18178 DF PROTO=TCP SPT=42544 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

Unfortunately, nothing works…

  • My server specs
My server runs Linux-Debian11.2 5.10.0-12-amd64 #1 SMP  5.10.103-1 (2022-03-07) x86_64 GNU/Linux
Apache/2.4.52 
PHP 8.0.16 
using UFW over nftables
  • Crowdsec Information and specs
2022/03/17 21:22:58 version: v1.3.2-debian-pragmatic-b66366c28c9b0c8843913afb05c553e658513d63
2022/03/17 21:22:58 Codename: alphaga
2022/03/17 21:22:58 BuildDate: 2022-03-04_12:05:09
2022/03/17 21:22:58 GoVersion: 1.17.5
2022/03/17 21:22:58 Platform: linux
2022/03/17 21:22:58 Constraint_parser: >= 1.0, <= 2.0
2022/03/17 21:22:58 Constraint_scenario: >= 1.0, < 3.0
2022/03/17 21:22:58 Constraint_api: v1
2022/03/17 21:22:58 Constraint_acquis: >= 1.0, < 2.0

`cscli bouncer list`
`FirewallBouncer-1647543472  127.0.0.1   ✔️      2022-03-17T20:23:51Z  crowdsec-firewall-bouncer  v0.0.23-debian-pragmatic-5a27e28ac5b528ab02fc35ae81459f75f69a3866`
  • Bouncer Information

Installation via apt install crowdsec-firewall-bouncer-nftables

mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: http://127.0.0.1:8080/
api_key: myapikey
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain
# packet filter
pf:
  # an empty string disables the anchor
  anchor_name: ""
  • Crowdsec information

cscli metrics

INFO[17-03-2022 09:27:57 PM] Buckets Metrics:
+--------------------------------------+---------------+-----------+--------------+--------+---------+
|                BUCKET                | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-crawl-non_statics | -             | -         |            1 |      1 |       1 |
| crowdsecurity/http-probing           | -             | -         |            2 |      2 |       2 |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
INFO[17-03-2022 09:27:57 PM] Acquisition Metrics:
+----------------------------------+------------+--------------+----------------+------------------------+
|              SOURCE              | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+----------------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/apache2/access.log |       3224 |         3100 |            124 |                      3 |
| file:/var/log/auth.log           |         54 | -            |             54 | -                      |
| file:/var/log/kern.log           |          4 | -            |              4 | -                      |
| file:/var/log/messages           |          4 | -            |              4 | -                      |
| file:/var/log/syslog             |         48 | -            |             48 | -                      |
+----------------------------------+------------+--------------+----------------+------------------------+
INFO[17-03-2022 09:27:57 PM] Parser Metrics:
+----------------------------------+------+--------+----------+
|             PARSERS              | HITS | PARSED | UNPARSED |
+----------------------------------+------+--------+----------+
| child-crowdsecurity/apache2-logs | 3348 |   3100 |      248 |
| child-crowdsecurity/http-logs    | 9300 |   9292 |        8 |
| child-crowdsecurity/sshd-logs    |   54 | -      |       54 |
| child-crowdsecurity/syslog-logs  |  110 |    110 | -        |
| crowdsecurity/apache2-logs       | 3224 |   3100 |      124 |
| crowdsecurity/dateparse-enrich   | 3100 |   3100 | -        |
| crowdsecurity/geoip-enrich       | 3100 |   3100 | -        |
| crowdsecurity/http-logs          | 3100 |   3096 |        4 |
| crowdsecurity/non-syslog         | 3224 |   3224 | -        |
| crowdsecurity/sshd-logs          |    6 | -      |        6 |
| crowdsecurity/syslog-logs        |  110 |    110 | -        |
| crowdsecurity/whitelists         | 3100 |   3100 | -        |
+----------------------------------+------+--------+----------+
INFO[17-03-2022 09:27:57 PM] Local Api Metrics:
+----------------------+--------+------+
|        ROUTE         | METHOD | HITS |
+----------------------+--------+------+
| /v1/decisions/stream | GET    |  153 |
| /v1/watchers/login   | POST   |    2 |
+----------------------+--------+------+
INFO[17-03-2022 09:27:57 PM] Local Api Bouncers Metrics:
+----------------------------+----------------------+--------+------+
|          BOUNCER           |        ROUTE         | METHOD | HITS |
+----------------------------+----------------------+--------+------+
| FirewallBouncer-1647543472 | /v1/decisions/stream | GET    |  153 |
+----------------------------+----------------------+--------+------+
  • Logs

crowdsec.log and crowdsec_api.log are clean… no errors.

bouncer log is also clean.

time="17-03-2022 20:52:03" level=info msg="backend type : nftables"
time="17-03-2022 20:52:03" level=info msg="nftables initiated"
time="17-03-2022 20:52:03" level=info msg="Processing new and deleted decisions . . ."
time="17-03-2022 20:52:05" level=info msg="11731 decisions added"

  • nft ruleset

Nice and working, I am pretty sure.

table ip crowdsec {
        set crowdsec-blacklists {
                type ipv4_addr
                flags timeout
                elements = {

I have absolutely no clue why this install doesn’t work …

I had a working crowdsec/bouncers on that server before an apt-get update/upgrade

I used apt-get to uninstall/purge the previous corrupted crowdsec/bouncer.
And I used apt-get install again for this installation …
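A check for the state described in the post above, where the bouncer log reports decisions added and the set exists, yet nothing is dropped. This is an added example, not code from the thread or from the CrowdSec project; it assumes the JSON layout printed by `nft -j list ruleset`, and the sample rulesets and addresses in it are constructed.

```python
import json

def audit_bouncer_table(ruleset_json, table="crowdsec", set_name="crowdsec-blacklists"):
    """Report whether the bouncer's set is enforced by a drop rule in a hooked chain."""
    objs = json.loads(ruleset_json)["nftables"]

    def of(kind):  # objects of one kind that belong to the bouncer's table
        return [o[kind] for o in objs if kind in o and o[kind].get("table") == table]

    sets = [s for s in of("set") if s["name"] == set_name]
    # Base chains only (simplification): chains reached solely by jump are not counted.
    hooked = {c["name"] for c in of("chain") if "hook" in c}
    report = {"set_present": bool(sets),
              "elements": len(sets[0].get("elem", [])) if sets else 0,
              "drop_rule_hooked": False, "drops_logged": False}
    for rule in of("rule"):
        exprs = rule.get("expr", [])
        uses_set = any(e.get("match", {}).get("right") == "@" + set_name for e in exprs)
        if uses_set and any("drop" in e for e in exprs) and rule["chain"] in hooked:
            report["drop_rule_hooked"] = True
            report["drops_logged"] |= any("log" in e for e in exprs)
    return report

def build_ruleset(*extra):
    """Constructed sample: table and populated set, plus any extra objects passed in."""
    base = [{"metainfo": {"json_schema_version": 1}},
            {"table": {"family": "ip", "name": "crowdsec"}},
            {"set": {"family": "ip", "table": "crowdsec", "name": "crowdsec-blacklists",
                     "type": "ipv4_addr", "flags": ["timeout"],
                     "elem": [{"elem": {"val": "192.0.2.10", "timeout": 600}},
                              {"elem": {"val": "198.51.100.7", "timeout": 600}}]}}]
    return json.dumps({"nftables": base + list(extra)})

# Constructed chain and rule, named after the table/chain values in the posted config.
CHAIN = {"chain": {"family": "ip", "table": "crowdsec", "name": "crowdsec-chain",
                   "type": "filter", "hook": "input", "prio": -10, "policy": "accept"}}
RULE = {"rule": {"family": "ip", "table": "crowdsec", "chain": "crowdsec-chain",
                 "expr": [{"match": {"op": "==", "right": "@crowdsec-blacklists",
                                     "left": {"payload": {"protocol": "ip", "field": "saddr"}}}},
                          {"drop": None}]}}
SET_ONLY = build_ruleset()            # set filled, but no chain or rule uses it
ENFORCED = build_ruleset(CHAIN, RULE)

if __name__ == "__main__":
    for name, doc in (("set only", SET_ONLY), ("enforced", ENFORCED)):
        print(name, audit_bouncer_table(doc))
```

`drops_logged` reports whether the drop rule carries a log statement, which is what produces kernel lines such as the `crowdsec drop:` entry quoted above; the posted configuration has `deny_log: false`.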

Is this the right place to ask for help? Not even one answer in almost a week …
I have logged 40.6K attacks since last March 17, and not one is bounced.

Well, I am done asking for help… going for a full purge/reinstall to see for myself.

Hello @stratege1401 ,

We are really sorry for the delay. It is the right place to ask, or you can even go to our discord server if you want interactive help.

We have tested the v0.0.23 and it worked well.
Did you manage to install it from a fresh installation?
Otherwise, do you have the output of the apt install crowdsec-firewall-bouncer-nftables command, please? Then we can check if something is going wrong during the installation.

Thanks, I hate Discord, so I won't use it… (already tried, was not even able to see the human quiz, so I won't lose my temper with it :slight_smile: )

I managed to fix the problem by purging crowdsec bouncers from the server… Did not notice it was deprecated…

Works almost fine …

Hey @stratege1401 :slight_smile:

Do you have some feedback to share about the almost part ? (meaning the part that doesn’t work or that you dislike :stuck_out_tongue: )

In fact, as the problem became really smaller than this original post, and some details changed due to some update and twitch, I did create a new thread: