FirewallBouncer works well but rules not in iptables list

Hello

All crowdsec stuff seems to work fine because a test remote IP was banned by scenario "crowdsecurity/http-bad-user-agent", but I do not understand why I don't see the IP with iptables (sudo iptables -L -n -v)?

debian@www:~$ sudo cscli decisions list -o raw
INFO[30-04-2023 08:04:17] Patching yaml: '/etc/crowdsec/config.yaml' with '/etc/crowdsec/config.yaml.local' 
id,source,ip,reason,action,country,as,events_count,expiration,simulated,alert_id
164650,crowdsec,Ip:49.12.227.144,crowdsecurity/http-bad-user-agent,ban,DE,24940 Hetzner Online GmbH,2,30m42.752534251s,false,25

49.12.227.144 is indeed banned, because a curl -I https://protectedserver.fr/ -H "User-Agent: OpenVAS" from it is blocked: curl: (28) Failed to connect to protectedserver.fr port 443: Connection timed out.

But I cannot see this IP with sudo iptables -L -n -v.

  • crowdsec v1.4.6
  • FirewallBouncer-1682760977 v0.0.25
  • iptables v1.8.2 (nf_tables)

Thanks for help, or light.

We store all IPs within an ipset for efficiency. So you will see a line at the top of INPUT:

68545 3477K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src

That is our rule; you can confirm the IPs in the ipset by running:

ipset list crowdsec-blacklists
ipset list crowdsec6-blacklists
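A small check script that follows the answer above, added here as an example and not part of the thread or of the CrowdSec bouncer: it looks for the single match-set DROP rule in an `iptables -L INPUT -n -v` dump and then looks the IP up in the `ipset list` Members section, which is where a banned address actually shows up. The two dumps are constructed samples (the 198.51.100.7 and 203.0.113.9 addresses are made up); on a real host, replace them with the live command output as shown in the comments.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n -v` (not captured from the
# poster's host). On a live host use: IPTABLES_SAMPLE=$(iptables -L INPUT -n -v)
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
68545 3477K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src'

# Constructed sample of `ipset list crowdsec-blacklists`; 198.51.100.7 is a
# made-up member. Live: IPSET_SAMPLE=$(ipset list crowdsec-blacklists)
IPSET_SAMPLE='Name: crowdsec-blacklists
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 360
References: 1
Number of entries: 2
Members:
49.12.227.144 timeout 1842
198.51.100.7 timeout 120'

# has_drop_rule DUMP SETNAME: succeeds if the dump contains a DROP rule whose
# source is matched against SETNAME. There is one such line, not one per IP.
has_drop_rule() {
  printf '%s\n' "$1" | grep -Eq "DROP[[:space:]].*match-set $2[[:space:]]+src"
}

# ip_in_set DUMP IP: succeeds if IP appears under "Members:" in an ipset dump.
ip_in_set() {
  printf '%s\n' "$1" | awk -v ip="$2" \
    '/^Members:/ {m=1; next} m && $1==ip {found=1} END {exit !found}'
}

# explain_ban IP: 0 = banned via ipset, 1 = not in the set, 2 = no bouncer rule.
explain_ban() {
  if ! has_drop_rule "$IPTABLES_SAMPLE" crowdsec-blacklists; then
    echo "no crowdsec DROP rule in INPUT: the bouncer has not installed its rule"
    return 2
  fi
  if ip_in_set "$IPSET_SAMPLE" "$1"; then
    echo "$1 is banned: it is in the ipset, not on its own iptables line"
    return 0
  fi
  echo "$1 is not in crowdsec-blacklists"
  return 1
}
```

For IPv6 decisions repeat the same two checks against the crowdsec6-blacklists set named in the answer.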