Iptables bouncer and other rule precedence

I have other rules installed in iptables on a server for container routing (see below).
All the containers run crowdsec and report back to the main server LAPI.
The main server has the iptables bouncer.

I recently noticed that my SSH connection to the main server dropped because a scenario, alert and decision were triggered (http-probing due to some of my HTTP connection errors), however my connections going through the rules below (HTTP) to a container still worked fine.

I expected all my connections to be blocked.

So I guess there is a precedence issue with the bouncer rules and the PREROUTING or DNAT type rules.

Is this a bug? Can it be fixed?

auto ens192
iface ens192 inet static
	# Public interface
	address [REDACTED]/32
	gateway 10.255.255.1
	# To port-forward a specific port to a container
	post-up   iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 80    -j DNAT --to 10.0.255.1:80
	post-down iptables -t nat -D PREROUTING -i ens192 -p tcp --dport 80    -j DNAT --to 10.0.255.1:80
	post-up   iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 443   -j DNAT --to 10.0.255.1:443
	post-down iptables -t nat -D PREROUTING -i ens192 -p tcp --dport 443   -j DNAT --to 10.0.255.1:443

You may check your /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml file.

I currently have this, to make it work:

iptables_chains:
- INPUT
- FORWARD
#  - DOCKER-USER

Thanks @smu44

To give a bit more background info, it seems the bouncer uses the filter iptables table (the normal default) and the iptables_chains setting controls which chains traffic is blocked in. Standard chains are INPUT, FORWARD and OUTPUT. The bouncer default is INPUT only.

According to this diagram my nat table PREROUTING chain rules come before filter-INPUT, and since they are forwarding rules, it seems the traffic does not touch the filter-INPUT later in the flow diagram.

By adding the bounce rules to filter-FORWARD also, the forwarded traffic should also be affected.

Just need to uncomment - FORWARD in crowdsec-firewall-bouncer.yaml
systemctl restart crowdsec-firewall-bouncer
iptables-save to view the resulting iptables rules

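Added example (not from the thread or the bouncer project): a small POSIX sh audit that reads an iptables-save dump, lists the ports DNAT'd in nat/PREROUTING (that traffic traverses filter-FORWARD, never filter-INPUT) and reports which of the chains you expect the bouncer to cover have no crowdsec ipset DROP/REJECT rule. It assumes the bouncer's default ipv4 set name crowdsec-blacklists; the dump below is constructed to mirror the OP's setup, with the bouncer still on INPUT only.

```shell
#!/bin/sh
# Constructed iptables-save output (not captured from a real host):
# the two DNAT rules from the thread, and the bouncer rule only in INPUT.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens192 -p tcp --dport 80 -j DNAT --to-destination 10.0.255.1:80
-A PREROUTING -i ens192 -p tcp --dport 443 -j DNAT --to-destination 10.0.255.1:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
COMMIT'

# dnat_ports DUMP
# Prints, on one line, every --dport that nat/PREROUTING rewrites with DNAT.
# Packets hitting these ports are routed onward and go through FORWARD, not INPUT.
dnat_ports() {
  ports=$(printf '%s\n' "$1" |
    sed -n 's/^-A PREROUTING .*--dport \([0-9]*\) .*-j DNAT.*/\1/p')
  echo $ports   # unquoted on purpose: joins the matches with spaces
}

# chains_missing_bouncer DUMP CHAIN...
# Prints the chains that lack a crowdsec ipset DROP/REJECT rule; returns 1 if any.
# Pass the same chains you list under iptables_chains in the bouncer config.
chains_missing_bouncer() {
  dump=$1; shift
  missing=""
  for chain in "$@"; do
    if ! printf '%s\n' "$dump" |
         grep -qE -- "^-A $chain .*--match-set crowdsec.*-j (DROP|REJECT)"; then
      missing="$missing $chain"
    fi
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Usage on the constructed sample: ports 80 and 443 are forwarded, and
# FORWARD has no bouncer rule, so banned IPs still reach the container.
echo "DNAT'd ports (traverse FORWARD, not INPUT): $(dnat_ports "$SAMPLE_DUMP")"
if missing=$(chains_missing_bouncer "$SAMPLE_DUMP" INPUT FORWARD); then
  echo "bouncer rule present in every required chain"
else
  echo "bouncer rule missing in: $missing (add the chain to iptables_chains)"
fi
```

On a live host, run the same checks against the real ruleset with `chains_missing_bouncer "$(iptables-save)" INPUT FORWARD` after restarting the bouncer.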