Same IP keeps getting banned, CTI says it's in community blocklist - firewall rule issue?

I’ve been running crowdsec for a month or so now and the same IP keeps triggering alerts, gets banned for some time, then alerts again. When I look up that IP in CTI, it says it’s in the community blocklist. I’m using the firewall bouncer on Ubuntu.

Here are the alerts I see - all from the same IP:

from cscli alerts list:
image

When I check the iptables crowdsec list, it’s there:
image

Here are my iptables rules:
image

bouncer was installed with apt install crowdsec-firewall-bouncer-iptables

Also, if this helps, here’s the output from show bouncers:

Any help appreciated

Replying to my own post:

I am using Docker to host my services and Docker bypasses the iptables input chain… So I think that is why this IP wasn’t blocked in the first place (and many more apparently)

In /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml I had to uncomment the DOCKER-USER chain like so:

iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER

to:

iptables_chains:
  - INPUT
#  - FORWARD
  - DOCKER-USER

Then
service crowdsec-firewall-bouncer restart

Hopefully this fixes it.
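The self-reply above boils down to two checks a defender can script: is DOCKER-USER actually listed as an active chain in the bouncer config, and does the running ruleset carry the bouncer's set match in that chain once the bouncer has been restarted. The following shell script is an added example, not code from the original thread or from the CrowdSec project; the config text and the `iptables -S` dump inside it are constructed samples, and the set name `crowdsec-blacklists` is assumed to be the bouncer's IPv4 set name.

```shell
#!/bin/sh
# Added example (not from the original post or the CrowdSec project).
# Two checks for the situation described in the thread:
#   1. which chains are uncommented under iptables_chains: in the bouncer config
#   2. whether a given chain in an `iptables -S` dump carries the bouncer rule
# All inputs below are constructed samples, not captured from a real host.

# Constructed sample: bouncer config as shipped (DOCKER-USER commented out).
SAMPLE_CONFIG_BEFORE='mode: iptables
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER'

# Constructed sample: the same config after uncommenting DOCKER-USER.
SAMPLE_CONFIG_AFTER='mode: iptables
iptables_chains:
  - INPUT
#  - FORWARD
  - DOCKER-USER'

# Constructed sample of `iptables -S` after the bouncer restart.
# The ipset name crowdsec-blacklists is an assumption for this example.
SAMPLE_IPTABLES='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER-USER
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP
-A DOCKER-USER -j RETURN'

# active_chains CONFIG_TEXT
# Prints one chain name per line for every uncommented "- NAME" item under
# the iptables_chains: key. Lines starting with # are YAML comments and are
# skipped; the list ends at the next top-level key.
active_chains() {
    printf '%s\n' "$1" | awk '
        /^iptables_chains:/ { in_list = 1; next }
        in_list && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next
        }
        in_list && /^[^#[:space:]]/ { in_list = 0 }
    '
}

# docker_user_enabled CONFIG_TEXT
# Exit status 0 when DOCKER-USER is an active chain in the config.
docker_user_enabled() {
    active_chains "$1" | grep -qx 'DOCKER-USER'
}

# chain_has_crowdsec_rule IPTABLES_DUMP CHAIN
# Exit status 0 when CHAIN contains a rule matching a crowdsec ipset, i.e.
# the bouncer has actually inserted its rule there.
chain_has_crowdsec_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*--match-set crowdsec"
}

# Human-readable summary when run directly. On a live host you would pass
# "$(cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml)" and
# "$(iptables -S)" instead of the samples.
report() {
    cfg="$1"; dump="$2"
    if docker_user_enabled "$cfg"; then
        echo "config: DOCKER-USER is active"
    else
        echo "config: DOCKER-USER is NOT active (Docker-published ports bypass INPUT)"
    fi
    for chain in INPUT DOCKER-USER; do
        if chain_has_crowdsec_rule "$dump" "$chain"; then
            echo "ruleset: $chain has the crowdsec set match"
        else
            echo "ruleset: $chain has NO crowdsec set match (restart the bouncer?)"
        fi
    done
}

report "$SAMPLE_CONFIG_AFTER" "$SAMPLE_IPTABLES"
```

The second check matters because editing the YAML alone changes nothing until the bouncer is restarted; comparing the config against the live ruleset catches the case where the chain is enabled on paper but the rule never landed in DOCKER-USER.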

Dear @riley, thanks so much for this post! Took me half a day to figure out how to filter Docker traffic with the iptables bouncer. My Pushover was flooded with notifications.

Appreciate that you shared this with the community :heart_hands: