22.03.0: workaround for running CrowdSec bouncer

After installing OpenWrt 22.03.0 I realised that the crowdsec-firewall-bouncer package is not available.

To fix this, I logged in to the router, downloaded the package from the 21.02.3 branch here directly and installed it manually.

wget https://downloads.openwrt.org/releases/21.02.3/packages/arm_cortex-a9_vfpv3-d16/packages/crowdsec-firewall-bouncer_0.0.21-3_arm_cortex-a9_vfpv3-d16.ipk
opkg install crowdsec-firewall-bouncer_0.0.21-3_arm_cortex-a9_vfpv3-d16.ipk

With this, crowdsec showed up in the UI in the System -> Startup section.

Before starting I edited /etc/crowdsec/bouncer/crowdsec-firewall-bouncer.yaml. This is how mine looks:

mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://cs-lapi:8014/
api_key: ****************************
disable_ipv6: false
deny_action: DROP
deny_log: true
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
#blacklists_ipv4: crowdsec-blacklists
#blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
#iptables_chains:
#  - INPUT
#  - FORWARD
#  - DOCKER-USER
nftables:
  ipv4:
    enabled: true
    set-only: true
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: true
    table: crowdsec6
    chain: crowdsec6-chain

You'll need to set your own values for api_url and api_key.

Now restart the bouncer in UI in System -> Startup.

The bouncer shall (or it shouldn't, but it does) create tables for ip and ip6 with one chain each, which hook into the input path. I don't need this, as this is not a server but a router, and the router wan is completely protected. So I modified the crowdsec tables with:

nft delete chain ip crowdsec crowdsec-chain
nft delete chain ip6 crowdsec6 crowdsec6-chain

nft add chain ip crowdsec crowdsec-chain '{ type filter hook forward priority 4; policy accept; }'
nft add rule ip crowdsec crowdsec-chain iifname { wan, wg1 } ct state new ip saddr @crowdsec-blacklists log prefix \"crowdsec: \" counter drop

nft add chain ip6 crowdsec6 crowdsec6-chain '{ type filter hook forward priority 4; policy accept; }'
nft add rule ip6 crowdsec6 crowdsec6-chain iifname { wan, wg1 } ct state new ip6 saddr @crowdsec6-blacklists log prefix \"crowdsec: \" counter drop

I have the crowdsec filter working on wan and a WireGuard interface. You may reduce the statements to wan only. Also, logging is done to syslog, so you can check that the bouncer is working in the UI.

This is how it looks in UI:

Hope it helps.
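As an added example that is not part of the original post: after restarting the bouncer (which, as noted above, tends to re-create its default chains on the input hook), it is useful to confirm that the ruleset still matches what the post sets up. The POSIX sh script below parses the output of `nft list ruleset` and checks, per address family, that the crowdsec chain hooks `forward`, that it contains a rule matching on the blacklist set and ending in `drop`, and how many decisions the set currently holds. The table, chain and set names are the ones from the post; the layout of the `nft list ruleset` output it parses (one `table`/`chain`/`set` header per line, `elements = { ... }` possibly wrapped over several lines) is an assumption about nft's text format, and the embedded sample ruleset is constructed, not captured from a real router. In the sample the ip6 chain is deliberately left in the bouncer's default input-hook state so the FAIL path is exercised.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the nft objects the
# bouncer depends on look the way the post configures them.
# Usage on the router: nft list ruleset > /tmp/rs.txt; sh verify_crowdsec_nft.sh /tmp/rs.txt
# Without an argument it checks the constructed sample ruleset below.

# chain_hook RULESET FAMILY TABLE CHAIN -> prints the chain's hook ("forward", "input") or "none"
chain_hook() {
    printf '%s\n' "$1" | awk -v fam="$2" -v tbl="$3" -v ch="$4" '
        $1 == "table" { in_tbl = ($2 == fam && $3 == tbl); next }
        in_tbl && $1 == "chain" { in_ch = ($2 == ch); next }
        in_ch && $1 == "}" { in_ch = 0 }
        in_ch && $1 == "type" { for (i = 1; i < NF; i++) if ($i == "hook") hook = $(i + 1) }
        END { print (hook == "" ? "none" : hook) }'
}

# chain_has_drop_rule RULESET FAMILY TABLE CHAIN SET -> "yes" if some rule in CHAIN
# references @SET and ends in drop, otherwise "no"
chain_has_drop_rule() {
    printf '%s\n' "$1" | awk -v fam="$2" -v tbl="$3" -v ch="$4" -v ref="@$5 " '
        $1 == "table" { in_tbl = ($2 == fam && $3 == tbl); next }
        in_tbl && $1 == "chain" { in_ch = ($2 == ch); next }
        in_ch && $1 == "}" { in_ch = 0 }
        in_ch && index($0, ref) > 0 && / drop$/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# set_size RULESET FAMILY TABLE SET -> number of elements currently in SET
# (nft wraps long element lists over several lines, so the list is joined first)
set_size() {
    printf '%s\n' "$1" | awk -v fam="$2" -v tbl="$3" -v s="$4" '
        $1 == "table" { in_tbl = ($2 == fam && $3 == tbl); next }
        in_tbl && $1 == "set" { in_set = ($2 == s); next }
        in_set && $1 == "}" { in_set = 0 }
        in_set && index($0, "elements = {") > 0 { in_el = 1 }
        in_el { buf = buf " " $0 }
        in_el && index($0, "}") > 0 { in_el = 0 }
        END {
            sub(/.*elements = /, "", buf); gsub(/[{}]/, "", buf)
            gsub(/^[ \t]+|[ \t]+$/, "", buf)
            if (buf == "") print 0; else print gsub(/,/, ",", buf) + 1
        }'
}

# check_family RULESET FAMILY TABLE CHAIN SET -> one PASS/FAIL/INFO line per check,
# returns 0 only if every check passed
check_family() {
    rs=$1; fam=$2; tbl=$3; ch=$4; setname=$5; rc=0
    hook=$(chain_hook "$rs" "$fam" "$tbl" "$ch")
    if [ "$hook" = forward ]; then
        echo "PASS $fam $tbl/$ch hooks forward"
    else
        echo "FAIL $fam $tbl/$ch hook is '$hook', expected forward as in the post's modified chain"
        rc=1
    fi
    if [ "$(chain_has_drop_rule "$rs" "$fam" "$tbl" "$ch" "$setname")" = yes ]; then
        echo "PASS $fam $tbl/$ch has a drop rule for @$setname"
    else
        echo "FAIL $fam $tbl/$ch has no drop rule referencing @$setname"
        rc=1
    fi
    echo "INFO $fam set $setname currently holds $(set_size "$rs" "$fam" "$tbl" "$setname") decision(s)"
    return $rc
}

# Constructed sample (not captured from a real router): the ip table is as the post
# leaves it, the ip6 chain is still the bouncer's default input hook with no rule.
SAMPLE_RULESET='table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
        elements = { 192.0.2.10 timeout 4h expires 3h58m,
                     198.51.100.7 timeout 4h expires 1h2m }
    }

    chain crowdsec-chain {
        type filter hook forward priority 4; policy accept;
        iifname { "wan", "wg1" } ct state new ip saddr @crowdsec-blacklists log prefix "crowdsec: " counter packets 3 bytes 180 drop
    }
}
table ip6 crowdsec6 {
    set crowdsec6-blacklists {
        type ipv6_addr
        flags timeout
    }

    chain crowdsec6-chain {
        type filter hook input priority 0; policy accept;
    }
}'

if [ $# -ge 1 ] && [ -r "$1" ]; then RULESET=$(cat "$1"); else RULESET=$SAMPLE_RULESET; fi
status=0
check_family "$RULESET" ip  crowdsec  crowdsec-chain  crowdsec-blacklists  || status=1
check_family "$RULESET" ip6 crowdsec6 crowdsec6-chain crowdsec6-blacklists || status=1
[ "$status" -eq 0 ] && echo "==> all checks passed" || echo "==> at least one check failed, see FAIL lines above"
```

Run against the sample it reports PASS for both ip checks and FAIL for both ip6 checks, which is exactly the state you would see if the bouncer had been restarted and the `nft delete chain` / `nft add chain` steps had only been applied to the ip table. Putting the script in a cron job and mailing or logging the FAIL lines is a cheap way to notice the chain silently reverting to the input hook.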
