Hi everybody
I have set up a multi-node installation as shown here: https://www.crowdsec.net/blog/multi-server-setup
So I have one agent node and one lapi node.
I have added and started iptables-bouncer on the lapi side using
cscli bouncer add bouncer
When I get a decision, I see it on the agent node,
INFO[20-11-2023 11:13:01 PM] Local Api Decisions:
+----------------------------------------+----------+--------+-------+
| REASON | ORIGIN | ACTION | COUNT |
+----------------------------------------+----------+--------+-------+
| crowdsecurity/nginx-req-limit-exceeded | crowdsec | ban | 1 |
+----------------------------------------+----------+--------+-------+
but the bouncer didn't block the banned IP.
The iptables rule based on the ipset was created:
[root@lb1 user]# iptables -nvL
Chain INPUT (policy ACCEPT 116K packets, 392M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set crowdsec-blacklists src
I looked at the ipset - it's created, but empty:
[root@lb1 user]# ipset list
Name: crowdsec-blacklists
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 376
References: 1
Number of entries: 0
Members:
Name: crowdsec6-blacklists
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536 timeout 300
Size in memory: 1160
References: 1
Number of entries: 0
Members:
Everything seems fine from these logs. Are your applications within Docker? The INPUT chain is bypassed for this, and you need to configure DOCKER-USER within the bouncer config.
Rereading the top, did you configure your bouncer to communicate with the main lapi node?
CrowdSec is run with the Docker engine, but the bouncer works on the host.
Yep, the bouncer is configured to communicate with the lapi.
WARN[23-11-2023 12:13:34 PM] can't load CAPI credentials from '/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[23-11-2023 12:13:34 PM] push and pull to Central API disabled
-------------------------------------------------------------------------------------------------------------------------------------------------------------
NAME IP ADDRESS VALID LAST API PULL TYPE VERSION AUTH TYPE
-------------------------------------------------------------------------------------------------------------------------------------------------------------
stage1-firewall *.*.*.* ✔️ 2023-11-23T15:13:32+03:00 crowdsec-firewall-bouncer v0.0.24-rc1-0540b335e545b884d71e509ba9b437f9d67ee53c api-key
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Looks like I found the solution.
I hadn't disabled the API on the agent nodes.
Since I run it in Docker, I set the variable $DISABLE_LOCAL_API to true in docker_start.sh.