I’m a new user of Crowdsec and I’m afraid I start with a complicated installation
For my experiments I have two devices with Crowdsec installed in both. On the one hand, I have a RPi with armbian with ssh activated in a non standard port in a LAN. SSH Crowdsec parsers are installed there and they should read /var/log/auth.log. On the other side, the local API and the iptables bouncer are installed in the second device, a openwrt machine acting as a router between the WAN and the LAN, with the firewall enabled. I have added a port forwarding rule from the WAN to the LAN to be able to connect via SSH the RPi in the LAN with the WAN. After typing the command: “sudo cscli decisions add -i XX.XX.XX.XX --duration 10m” in the RPi to block a remote machine I also have access, Crowdsec performs the task successfully. I can see the decision perfectly in both the RPi and the openwrt router (cscli decisions list). When I write in the router “nft list ruleset | less” the IP I want to block is included but the port forwarding is not blocked and I can access from the blocked IP. I wonder if I could block it in some way or I need to add the firewall in my RPi as well.
Which version of the firewall-bouncer are you running please, and can you share your bouncer configuration ? I’m not sure that by default the table/chain in which the nftables bouncer will inject rules would take the precedence over forward tables.
I’m using the version 0.0.21, the last version available from the openwrt repositories. I checked the development branch and they are not compiling a new version for the moment. I will try to compile the current version from the source code tonight.
I’m using the default options come in the openwrt package:
ban #to change log prefix #deny_log_prefix: "crowdsec: " #to change the blacklists name #blacklists_ipv4: crowdsec-blacklists #blacklists_ipv6: crowdsec6-blacklists #if present, insert rule in those chains
iptables_chains:
At the end, I have removed OpenWRT from my second device (I had other problems because it is currently supported in the development branch) and I have installed a Debian-based distro combined with Shorewall. Using the custom bouncer and the “shorewall blacklist” command, the system works adequately. Among other problems in OpenWRT, the iptables firewall bouncer was removed from the development branch and I tried to compile the package from the previous stable version but I do not have a lot of experience with this distro and I could not finish successfully the package building. It could be interesting to ask for the package to the OpenWRT developpers before the new stable version was released.
Thank you for your suggestion, Thibault, to find a workaround