Hello,
my Linux configuration:
- crowdsec & crowdsec-firewall-bouncer installed locally
- iptables
- traefik as docker container
The IPs that come through the CrowdSec community blocklist aren’t blocked for me. For example, I have one or more IPs listed in crowdsec-blacklists-3 that aren’t DROPPED by iptables. I think I have a misconfiguration.
iptables -S shows something like:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N CROWDSEC_CHAIN
-N DOCKER
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -j CROWDSEC_CHAIN
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists-3 src -j DROP
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists-2 src -j DROP
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists-1 src -j DROP
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists-0 src -j DROP
Can you help me?
I think you need to add the CrowdSec Docker container to the same network as Traefik to block IPs, if you haven’t already. Maybe you can follow the instructions from this post:
Thanks for your reply.
I have CrowdSec installed locally, not via Docker containers. CrowdSec works fine with the containers; IPs are blocked, for example, for http-probing via the local API.
The blocklists are synchronized correctly and contain many IPs.
My problem is that IPs on the blocklists are not blocked / dropped.
Why? What’s wrong with the configuration?
Did you install the CrowdSec Traefik bouncer? Without that, CrowdSec cannot block IPs proxied with Traefik.
It depends on your setup. From the iptables dump I can see you haven’t enabled the DOCKER-USER chain, which is needed to place the drop rule on Docker routing.
If you use Cloudflare or another upstream proxy, then yes, you need to use the Traefik plugin / layer 7 remediation on the webserver.
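The point of the reply above, as an added diagnostic that is not part of the thread: connections to a published port of a Docker container (Traefik here) are FORWARDed by the host, not delivered to INPUT, and Docker calls the DOCKER-USER chain from FORWARD for exactly this kind of user rule. The script below reads an `iptables -S` dump and reports which entry chains actually reach the CrowdSec ipset DROP rules. The "before" dump is a trimmed copy of the one in the original post; the "after" dump is an assumed shape of what the bouncer produces once `DOCKER-USER` is added to `iptables_chains` in crowdsec-firewall-bouncer.yaml (it inserts a jump to CROWDSEC_CHAIN from every listed chain). Chain names apply to the bouncer's iptables mode, not its nftables mode.

```shell
#!/bin/sh
# Added example (not from the thread): find out which entry chains reach the
# CrowdSec blocklist rules in an `iptables -S` dump.

# Trimmed copy of the dump from the original post (constructed sample input).
DUMP_BEFORE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N CROWDSEC_CHAIN
-N DOCKER-USER
-N DOCKER-FORWARD
-A INPUT -j CROWDSEC_CHAIN
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists-3 src -j DROP
-A CROWDSEC_CHAIN -m set --match-set crowdsec-blacklists-0 src -j DROP'

# Assumed shape after adding DOCKER-USER to iptables_chains in
# crowdsec-firewall-bouncer.yaml: the bouncer also jumps from DOCKER-USER.
DUMP_AFTER="$DUMP_BEFORE
-A DOCKER-USER -j CROWDSEC_CHAIN"

# crowdsec_covers DUMP CHAIN -> prints yes or no.
# "yes" when CHAIN holds a crowdsec-blacklists ipset match itself or reaches
# one through jumps (breadth-first, at most 4 chains deep).
crowdsec_covers() {
    dump=$1
    frontier=$2
    depth=0
    while [ -n "$frontier" ] && [ "$depth" -lt 4 ]; do
        next=
        for c in $frontier; do
            if printf '%s\n' "$dump" | grep -q -- "^-A $c .*--match-set crowdsec-blacklists"; then
                echo yes
                return 0
            fi
            # Collect the chains this one jumps to ("-A <chain> -j <target>").
            next="$next $(printf '%s\n' "$dump" | awk -v c="$c" '$1=="-A" && $2==c && $3=="-j" {print $4}')"
        done
        frontier=$next
        depth=$((depth + 1))
    done
    echo no
}

# report DUMP -> one line per entry chain plus a verdict for Docker traffic.
report() {
    dump=$1
    for chain in INPUT FORWARD DOCKER-USER; do
        printf '%-12s crowdsec reachable: %s\n' "$chain" "$(crowdsec_covers "$dump" "$chain")"
    done
    if [ "$(crowdsec_covers "$dump" FORWARD)" = no ] && [ "$(crowdsec_covers "$dump" DOCKER-USER)" = no ]; then
        echo 'Forwarded (Docker) traffic bypasses the blocklist: add DOCKER-USER to iptables_chains and restart the bouncer'
    fi
}

echo '== dump from the post =='
report "$DUMP_BEFORE"
echo '== assumed dump after adding DOCKER-USER =='
report "$DUMP_AFTER"
```

On a live host, run `report "$(iptables -S)"` instead of the embedded dumps. To confirm that a given address is really in the set the rule matches, use `ipset test crowdsec-blacklists-3 <ip>`; if that says the address is in the set but a forwarded connection still gets through, the missing jump from DOCKER-USER (or FORWARD) is the usual cause.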
Reinstalling the firewall bouncer seems to have solved my problem.