[SOLVED] Ipset list crowdsec-blacklists and crowdsec6-blacklists are empty

Hello all,
I have installed and started crowdsec and the iptables-bouncer. So far everything looks good, however the ipset lists are empty. In another installation the lists were filled.
In this installation I only changed the port, because it is already assigned on the system.

crowdsec -version
2022/04/27 09:06:05 version: v1.3.3-debian-pragmatic-1bd8cc79c891bd5a3e343d01dd807b58b85936ce
2022/04/27 09:06:05 Codename: alphaga
2022/04/27 09:06:05 BuildDate: 2022-04-26_08:35:09
2022/04/27 09:06:05 GoVersion: 1.17.5
2022/04/27 09:06:05 Platform: linux
2022/04/27 09:06:05 Constraint_parser: >= 1.0, <= 2.0
2022/04/27 09:06:05 Constraint_scenario: >= 1.0, < 3.0
2022/04/27 09:06:05 Constraint_api: v1
2022/04/27 09:06:05 Constraint_acquis: >= 1.0, < 2.0
ipset list crowdsec-blacklists 
Name: crowdsec-blacklists
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 timeout 300 bucketsize 12 initval 0x9ea5b27c
Size in memory: 456
References: 0
Number of entries: 0
Members:

Hello,

Can you show the log of the bouncer please? They are located in /var/log/crowdsec-firewall-bouncer.log

It can't destroy its own ipset list?

time="27-04-2022 09:04:01" level=info msg="backend type : iptables"
time="27-04-2022 09:04:01" level=info msg="iptables for ipv4 initiated"
time="27-04-2022 09:04:01" level=info msg="iptables clean-up : /usr/sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="27-04-2022 09:04:01" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="27-04-2022 09:04:01" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec-blacklists"
time="27-04-2022 09:04:01" level=info msg="Checking existing set"
time="27-04-2022 09:04:01" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300"
time="27-04-2022 09:04:02" level=info msg="Rule doesn't exist (/usr/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="27-04-2022 09:04:02" level=info msg="iptables set-up : /usr/sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="27-04-2022 09:04:02" level=info msg="iptables for ipv6 initiated"
time="27-04-2022 09:04:02" level=info msg="iptables clean-up : /usr/sbin/ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="27-04-2022 09:04:02" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="27-04-2022 09:04:02" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec6-blacklists"
time="27-04-2022 09:04:02" level=info msg="Checking existing set"
time="27-04-2022 09:04:02" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6"
time="27-04-2022 09:04:03" level=warning msg="iptables check command (/usr/sbin/ip6tables -C INPUT -m set --match-set crowdsec6-blacklists src -j DROP) failed : exit status 1"
time="27-04-2022 09:04:03" level=info msg="iptables set-up : /usr/sbin/ip6tables -I INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="27-04-2022 09:04:03" level=info msg="Processing new and deleted decisions . . ."
time="27-04-2022 09:04:03" level=error msg="API error: access forbidden"
time="27-04-2022 09:04:03" level=error msg="terminating bouncer process"
time="27-04-2022 09:04:03" level=error msg="process return with error: stream api init failed"
time="27-04-2022 09:04:03" level=info msg="iptables clean-up : /usr/sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="27-04-2022 09:04:03" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec-blacklists"
time="27-04-2022 09:04:03" level=error msg="set destroy error : exit status 1 - ipset v7.10: Set cannot be destroyed: it is in use by a kernel component\n"
time="27-04-2022 09:04:03" level=info msg="iptables clean-up : /usr/sbin/ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="27-04-2022 09:04:03" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec6-blacklists"
time="27-04-2022 09:04:03" level=error msg="set destroy error : exit status 1 - ipset v7.10: Set cannot be destroyed: it is in use by a kernel component\n"

From the log line time="27-04-2022 09:04:03" level=error msg="API error: access forbidden", it seems that the bouncer gets a 403 return code from the local API.

Can you try to register the bouncer on the crowdsec LAPI side (cscli bouncers add <bouncer_name>), get the api key, set it in the bouncer configuration (/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml) and then restart the bouncer?

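The triage and repair described in the answer above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the CrowdSec project. It checks a bouncer log for the "API error: access forbidden" line (the LAPI answering 403), checks whether the bouncer config carries a usable api_key, and rewrites the api_key line. The repair_live function shows the real-host steps (register with cscli, store the key, restart the service) but is not invoked; it assumes that "cscli bouncers add NAME -o raw" prints only the generated key. The log excerpt, the config file and its api_url port are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the CrowdSec project.
# Symptom in the thread: the firewall bouncer starts and creates its ipsets,
# then logs "API error: access forbidden" (HTTP 403 from the LAPI), so it
# never pulls decisions and the sets stay empty. Fix: register the bouncer
# with cscli and put the key in the bouncer configuration.
set -eu

BOUNCER_LOG=/var/log/crowdsec-firewall-bouncer.log
BOUNCER_CONF=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

# 0 if the log shows the LAPI rejecting the bouncer's credentials.
bouncer_rejected_by_lapi() {
  grep -q 'API error: access forbidden' "$1"
}

# Print the api_key from a bouncer config (empty when unset), quotes stripped.
configured_api_key() {
  sed -n 's/^api_key:[[:space:]]*//p' "$1" | tr -d "\"'" | head -n 1
}

# 0 when the config has no usable key: missing, empty, or an unexpanded
# ${...} placeholder.
api_key_missing() {
  case "$(configured_api_key "$1")" in
    ''|'${'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Replace (or append) the api_key line; rewrite through a temp file so the
# same code works with GNU and BSD sed.
set_api_key() {
  conf=$1; key=$2; tmp="$conf.tmp"
  if grep -q '^api_key:' "$conf"; then
    sed "s|^api_key:.*|api_key: $key|" "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    printf 'api_key: %s\n' "$key" >> "$conf"
  fi
}

# Live repair on a real host (root, LAPI reachable); not invoked here.
# Assumes 'cscli bouncers add NAME -o raw' prints only the generated key.
repair_live() {
  name=${1:-crowdsec-firewall-bouncer}
  key=$(cscli bouncers add "$name" -o raw)
  set_api_key "$BOUNCER_CONF" "$key"
  systemctl restart crowdsec-firewall-bouncer
}

# --- Constructed sample data so the triage runs offline ---------------------
WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/crowdsec-firewall-bouncer.log"
SAMPLE_CONF="$WORK/crowdsec-firewall-bouncer.yaml"
cat > "$SAMPLE_LOG" <<'EOF'
time="27-04-2022 09:04:03" level=info msg="Processing new and deleted decisions . . ."
time="27-04-2022 09:04:03" level=error msg="API error: access forbidden"
time="27-04-2022 09:04:03" level=error msg="process return with error: stream api init failed"
EOF
cat > "$SAMPLE_CONF" <<'EOF'
mode: iptables
api_url: http://127.0.0.1:8081/
api_key: ${API_KEY}
EOF

if bouncer_rejected_by_lapi "$SAMPLE_LOG" && api_key_missing "$SAMPLE_CONF"; then
  echo "LAPI returned 403 and api_key is unset: register the bouncer with cscli"
  # Stand-in for the key that 'cscli bouncers add' would print on a live host.
  set_api_key "$SAMPLE_CONF" "EXAMPLE_KEY_FROM_CSCLI"
fi
echo "configured key now: $(configured_api_key "$SAMPLE_CONF")"
```

On a live host the same check would be run against BOUNCER_LOG and BOUNCER_CONF, and repair_live would register the bouncer and restart it; after the restart, "cscli bouncers list" should show the bouncer with a recent last pull, and "ipset list crowdsec-blacklists" should start filling as decisions arrive.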

Perfect, that worked, thanks!