IP is not blocked after banning by hand

Hello everybody,

I’m a new user of Crowdsec and I’m afraid I start with a complicated installation :grinning: :wink:
For my experiments I have two devices with Crowdsec installed in both. On the one hand, I have a RPi with armbian with ssh activated in a non standard port in a LAN. SSH Crowdsec parsers are installed there and they should read /var/log/auth.log. On the other side, the local API and the iptables bouncer are installed in the second device, a openwrt machine acting as a router between the WAN and the LAN, with the firewall enabled. I have added a port forwarding rule from the WAN to the LAN to be able to connect via SSH the RPi in the LAN with the WAN. After typing the command: “sudo cscli decisions add -i XX.XX.XX.XX --duration 10m” in the RPi to block a remote machine I also have access, Crowdsec performs the task successfully. I can see the decision perfectly in both the RPi and the openwrt router (cscli decisions list). When I write in the router “nft list ruleset | less” the IP I want to block is included but the port forwarding is not blocked and I can access from the blocked IP. I wonder if I could block it in some way or I need to add the firewall in my RPi as well.

Thank you in advance!!

Hello !

Which version of the firewall-bouncer are you running please, and can you share your bouncer configuration ? I’m not sure that by default the table/chain in which the nftables bouncer will inject rules would take the precedence over forward tables.

Hello Thibault:

I’m using the version 0.0.21, the last version available from the openwrt repositories. I checked the development branch and they are not compiling a new version for the moment. I will try to compile the current version from the source code tonight.

I’m using the default options come in the openwrt package:

mode: ${BACKEND} pid_dir: /var/run/ update_frequency: 10s daemonize: true log_mode: file log_dir: /var/log/ log_level: info
disable_ipv6: false
deny_action: DROP
deny_log: false

  • ban
    #to change log prefix
    #deny_log_prefix: "crowdsec: "
    #to change the blacklists name
    #blacklists_ipv4: crowdsec-blacklists
    #blacklists_ipv6: crowdsec6-blacklists
    #if present, insert rule in those chains


Thank you in advance for your answers and advices

At the end, I have removed OpenWRT from my second device (I had other problems because it is currently supported in the development branch) and I have installed a Debian-based distro combined with Shorewall. Using the custom bouncer and the “shorewall blacklist” command, the system works adequately. Among other problems in OpenWRT, the iptables firewall bouncer was removed from the development branch and I tried to compile the package from the previous stable version but I do not have a lot of experience with this distro and I could not finish successfully the package building. It could be interesting to ask for the package to the OpenWRT developpers before the new stable version was released.

Thank you for your suggestion, Thibault, to find a workaround