Install bouncer on OpenWrt 21.02.2

I finally got the Crowdsec bouncer running on my OpenWrt router. :smiley:

  • Local Api is running on a different device, not the router itself
  • Blocking only applies to WAN interface

This is a very lightweight implementation. Installing the crowdsec-openwrt-bouncer package ends with an error due to missing cscli in the package. This can be ignored, it will be removed in a newer version.

After install, I edited the /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

mode: "ipset"
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://cs-lapi:8014/
api_key: ***********************************
disable_ipv6: false
deny_action: DROP
deny_log: true
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
#blacklists_ipv4: crowdsec-blacklists
#blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
#  - INPUT

Disabling the entries for the iptables_chains makes it neccessary to create the rules manually, so I created the following in Firewall Custom Rules:

# Crowdsec Bouncer:
ipset create crowdsec-blacklists hash:ip timeout 0 maxelem 150000
ipset create crowdsec6-blacklists hash:ip timeout 0 family inet6 maxelem 150000

iptables -N crowdsec_bouncer

iptables -A crowdsec_bouncer -m hashlimit --hashlimit-name CROWDSEC --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-mode srcip -j LOG --log-level info --log-prefix '** crowdsec match: '
iptables -A crowdsec_bouncer -j DROP

iptables -I FORWARD 4 -i wan -m set --match-set crowdsec-blacklists src -j crowdsec_bouncer

ip6tables -N crowdsec_bouncer

ip6tables -A crowdsec_bouncer -m hashlimit --hashlimit-name CROWDSEC --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-mode srcip -j LOG --log-level info --log-prefix '** crowdsec match: '
ip6tables -A crowdsec_bouncer -j DROP

ip6tables -I FORWARD 4 -i wan -m set --match-set crowdsec6-blacklists src -j crowdsec_bouncer

That’s it.

I do not understand why you need to remove this ?

And why you need to add some specific firewall rules…

Did the default ones, from OpenWrt, do not worked ?
The INPUT and FORWARD are both selected to take care of WAN and forwarded services from WAN…

Yes, already in a pending PR at OpenWrt, as discussed there (with you…) :wink:

With my installation it did not create any firewall rules. This might be because the installation of the package ‘failed’, I’m not sure.
I did this, to have control over the rules as

  • I did a limitation of the logging (blocked ip is only logged once per hour)
  • I wanted to control where I get my rule placed (after ‘accept related/estabished’, after ‘drop invalid’ and after the accept for the IPTV (passing those packets to the crowdsec ipset test would be simply too much, the udp stream is not ‘established’).
  • I don’t need it in the input chain, as this is blocking nearly everything from outside by default (except for the needed dhcp and for the Wireguard access).