No rules added to nftables in fedora

Thenesis · February 20, 2024, 3:25am

Hi,

I’ve installed crowdsec on my fedora vps through a manual installation (since I was not sure the script was any good for fedora, so I did it manually with the help of tutorial but there is no added ip in the nftables.
Which I check with

nft list ruleset | grep x.x.x.x

the rules added by fail2ban to firewalld or directly maybe to nftables are done it properly.
So I guess it is the lack of bouncers since I’ve added the iptables collections which are compatbles with nft according to the documentation.

But I don’t know which bouncer to choose? And if there is no need then I don’t see what else I can do or what have I could have done wrong?

Decisions are done properly by the way since I have a list of ip which are declared banned and all that.

iiAmLoz · February 20, 2024, 10:34am

We create 2 separate tables here example output, if you have installed the nftables remediation component of course.

table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
       elements = { 1.9.78.242 timeout 6d20h59m55s504ms expires 6d20h58m29s724ms,
       ..
       223.247.218.112 timeout 6d10h59m55s500ms expires 6d10h58m29s716ms}
     }

     chain crowdsec-chain-input {
       type filter hook input priority filter - 10; policy accept;
       ip saddr @crowdsec-blacklists counter packets 0 bytes 0 drop
     }

     chain crowdsec-chain-forward {
        type filter hook forward priority filter - 10; policy accept;
        ip saddr @crowdsec-blacklists counter packets 0 bytes 0 drop
     }
}
table ip6 crowdsec6 {
    set crowdsec6-blacklists {
      type ipv6_addr
      flags timeout
      elements = { 2001:470:1:332::2 timeout 6d20h59m55s504ms expires 6d20h58m29s708ms,
      ..
     2001:470:1:c84::31 timeout 6d17h59m55s504ms expires 6d17h58m29s708ms }
     }

    chain crowdsec6-chain-input {
      type filter hook input priority filter - 10; policy accept;
      ip6 saddr @crowdsec6-blacklists counter packets 0 bytes 0 drop
    }

    chain crowdsec6-chain-forward {
      type filter hook forward priority filter - 10; policy accept;
      ip6 saddr @crowdsec6-blacklists counter packets 0 bytes 0 drop
    }
}

Thenesis · February 20, 2024, 10:35am

I’m pretty sure it is not the case on my setup. IT has not done it when installing the package

iiAmLoz · February 20, 2024, 10:36am

No its a separate package

dnf install crowdsec-firewall-bouncer-nftables

Thenesis · February 20, 2024, 10:37am

oooow okey then it’s more understandable. Because I only have 3 tables right now, nat, filter and inet firewalld
I’m going to check by installing this package then. Did I miss it in the documentation?

Thenesis · February 20, 2024, 10:38am

no package from that name on your repo. I’m going to list the packages available
and if I try the custom-bouncer normal I get that:

crowdsec-custom-bouncer[64043]: time=“09-03-2024 22:33:06” level=fatal msg=“unable to load configuration: binary ‘${BINARY_PATH}’ doesn’t exist”

iiAmLoz · February 20, 2024, 10:38am

We have this warning prompt

Because CrowdSec is only the detection engine

Thenesis · February 20, 2024, 10:39am

You only have those packages apparently

===================================================================================================================== Name & Summary Matched: crowdsec ======================================================================================================================crowdsec.x86_64 : Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviors. It also automatically benefits from our global community-wide IP reputation database
crowdsec.src : Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviors. It also automatically benefits from our global community-wide IP reputation database
crowdsec-custom-bouncer.x86_64 : Custom bouncer for Crowdsec
crowdsec-custom-bouncer.src : Custom bouncer for Crowdsec
crowdsec-openresty-bouncer.x86_64 : OpenResty bouncer for Crowdsec
crowdsec-openresty-bouncer.src : OpenResty bouncer for Crowdsec

iiAmLoz · February 20, 2024, 10:39am

Which version of Fedora are you running?

Thenesis · February 20, 2024, 10:40am

39
the repo is this it?
https://packagecloud.io/crowdsec/crowdsec/fedora/39/$basearch

Thenesis · February 20, 2024, 5:39pm

I guess that you did not made the transition from 38 to 39 completely or something like that?

Thenesis · March 9, 2024, 10:31pm

@iiAmLoz any news about fedora? Or should I install the custom bouncer but then I guess I need to load an entire custom configuration ?

iiAmLoz · March 10, 2024, 8:21pm

You can install it via our github repo whilst we are working on the 39 build cycle.

cd /tmp
wget -qO- https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v0.0.28/crowdsec-firewall-bouncer.tgz | tar -xz
cd crowdsec-firewall-bouncer*
sudo ./install.sh

Thenesis · March 22, 2024, 2:45pm

do you have any news page or status page for your builds so that people from the community could monitor it on your behalf in case you forget something like that one ?
I have just done your protocol since I did not yet find them in the repo.
I will tell you in a few hours if it is working properly

according to the ruleset from nftables it works as expected:

table ip6 crowdsec6 {
set crowdsec6-blacklists {
type ipv6_addr
flags timeout
elements = { 2001:470:1:332::8 timeout 4d18h31m10s407ms expires 4d17h31m27s768ms,
2001:470:1:332::28 timeout 3d12h27m56s414ms expires 3d11h28m13s775ms,
2001:470:1:332::166 timeout 2d12h27m56s414ms expires 2d11h28m13s775ms,
2001:470:1:c84::11 timeout 6d11h31m10s409ms expires 6d10h31m27s770ms,

table ip crowdsec {
set crowdsec-blacklists {
type ipv4_addr
flags timeout
elements = { 1.6.90.157 timeout 5d5h31m10s407ms expires 5d4h31m27s776ms, 1.6.166.235 timeout 4d15h31m10s407ms expires 4d14h31m27s780ms,
1.7.180.245 timeout 6d13h31m10s409ms expires 6d12h31m27s804ms, 1.9.78.242 timeout 6d22h31m10s413ms expires 6d21h31m27s818ms,
1.9.128.2 timeout 6d20h31m10s411ms expires 6d19h31m27s779ms, 1.9.249.234 timeout 6d20h31m10s411ms expires 6d19h31m27s780ms,
1.11.62.190 timeout 5d31m10s407ms expires 4d23h31m27s777ms, 1.12.37.144 timeout 6d17h31m10s410ms expires 6d16h31m27s776ms,
1.12.42.63 timeout 4d3h27m56s414ms expires 4d2h28m13s808ms, 1.12.49.106 timeout 6d8h31m10s409ms expires 6d7h31m27s807ms,
1.12.220.16 timeout 6d13h31m10s410ms expires 6d12h31m27s767ms, 1.12.220.225 timeout 5d9h31m10s408ms expires 5d8h31m27s761ms,
1.12.230.7 timeout 6d21h31m10s411ms expires 6d20h31m27s780ms, 1.12.233.148 timeout 6d9h31m10s409ms expires 6d8h31m27s791ms,
1.12.236.95 timeout 6d15h31m10s410ms expires 6d14h31m27s803ms, 1.12.240.127 timeout 6d18h31m10s410ms expires 6d17h31m27s798ms,

Topic		Replies	Views
Cs-firewall-bouncer and nftables crowdsec	9	2837	June 1, 2021
Crowdsec ok - Bouncer-nft not working	6	1045	March 25, 2022
Ip ranges, cs-firewall-bouncer and nftables	1	579	September 28, 2021
Nftables mode of firewall bouncer crowdsec	2	656	September 2, 2021
FirewallBouncer works well but rules not in iptables list crowdsec	1	1346	May 4, 2023

No rules added to nftables in fedora

Related Topics