FirewallBouncer works well but rules not in iptables list

Cyrille37 · April 30, 2023, 8:15am

Hello

All crowdsec stuff seems to works fine because a test remote ip was banned by scenario “crowdsecurity/http-bad-user-agent”, but I do not understand why I don’t see the IP with iptables sudo iptables -L -n -v ??

debian@www:~$ sudo cscli decisions list -o raw
INFO[30-04-2023 08:04:17] Patching yaml: '/etc/crowdsec/config.yaml' with '/etc/crowdsec/config.yaml.local' 
id,source,ip,reason,action,country,as,events_count,expiration,simulated,alert_id
164650,crowdsec,Ip:49.12.227.144,crowdsecurity/http-bad-user-agent,ban,DE,24940 Hetzner Online GmbH,2,30m42.752534251s,false,25

49.12.227.144 is well banned because a curl -I https://protectedserver.fr/ -H "User-Agent: OpenVAS" from it is blocked: curl: (28) Failed to connect to protectedserver.fr port 443: Connection timed out.

But I cannot see this IP with sudo iptables -L -n -v

crowdsec v1.4.6
FirewallBouncer-1682760977 v0.0.25
iptables v1.8.2 (nf_tables)

Thanks for help, or light

iiAmLoz · May 4, 2023, 2:38pm

We store all IP’s within an ipset for efficiency. So you will see a line at top of input:

68545 3477K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src

That is our rule you can confirm the ips in the ipset by running:

ipset list crowdsec-blacklists
ipset list crowdsec6-blacklists

Topic		Replies	Views
Newbie with CrowdSec crowdsec	2	701	April 30, 2021
Decisions not applied crowdsec	3	2307	June 8, 2021
CrowdSec setup feedback and general questions crowdsec	1	400	October 19, 2023
IP is not blocked after banning by hand crowdsec	3	1119	June 4, 2022
Ipset, performance, whitelist, api, dashboard, postfix logs crowdsec	4	990	October 16, 2020

FirewallBouncer works well but rules not in iptables list

Related Topics