#!/bin/sh /etc/rc.common
# procd init script for the CrowdSec firewall bouncer.
# At start the UCI config named by CONFIGURATION is rendered into a YAML
# file under VARCONFIGDIR and handed to the bouncer binary with "-c".

NAME=crowdsec-firewall-bouncer

# Bouncer binary; procd runs it as "$PROG -c $VARCONFIG".
PROG=/usr/bin/cs-firewall-bouncer

# Runtime directory for the generated bouncer config (created 0755 when missing).
VARCONFIGDIR=/var/etc/crowdsec/bouncers

# Generated YAML config, derived from VARCONFIGDIR.
# NOTE(review): the api_key from UCI is sed'ed into this file and no umask or
# chmod for it is visible in this script -- confirm the file is not
# world-readable. The generated file also sets "insecure_skip_verify: true"
# unconditionally, i.e. TLS certificate verification toward api_url is off.
VARCONFIG="${VARCONFIGDIR}/crowdsec-firewall-bouncer.yaml"

# UCI config name passed to config_load.
CONFIGURATION=crowdsec
18 procd_add_reload_trigger crowdsec-firewall-bouncer
19 procd_add_config_trigger
"config.change" "crowdsec" /etc
/init.d
/crowdsec-firewall-bouncer reload
26 local update_frequency
38 local input_chain_name
39 local input6_chain_name
41 config_get update_frequency
$section update_frequency
'10s'
42 config_get log_level
$section log_level
'info'
43 config_get api_url
$section api_url
"http://127.0.0.1:8080"
44 config_get api_key
$section api_key
"API_KEY"
45 config_get_bool ipv6
$section ipv6
'1'
46 config_get deny_action
$section deny_action
"drop"
47 config_get_bool deny_log
$section deny_log
'0'
48 config_get log_prefix
$section log_prefix
"crowdsec: "
49 config_get log_max_size
$section log_max_size
'100'
50 config_get log_max_backups
$section log_max_backups
'3'
51 config_get log_max_age
$section log_max_age
'30'
52 config_get_bool ipv4
$section ipv4
'1'
53 config_get input_chain_name
$section input_chain_name
"input"
54 config_get input6_chain_name
$section input6_chain_name
"input"
56 # Create tmp dir & permissions if needed
57 if [ ! -d "${VARCONFIGDIR}" ]; then
58 mkdir
-m 0755 -p "${VARCONFIGDIR}"
61 cat > $VARCONFIG <<-EOM
64 update_frequency: $update_frequency
70 log_max_size: $log_max_size
71 log_max_backups: $log_max_backups
72 log_max_age: $log_max_age
75 insecure_skip_verify: true
76 disable_ipv6: boolnot($ipv6)
77 deny_action: $deny_action
78 deny_log: bool($deny_log)
79 supported_decisions_type:
82 deny_log_prefix: "$log_prefix"
83 #to change the blacklists name
84 blacklists_ipv4: crowdsec-blacklists
85 blacklists_ipv6: crowdsec6-blacklists
88 #if present, insert rule in those chains
99 chain: $input_chain_name
104 chain: $input6_chain_name
107 # an empty disables the anchor
111 listen_addr: 127.0.0.1
115 sed -i "s/bool(1)/true/g" $VARCONFIG
116 sed -i "s/bool(0)/false/g" $VARCONFIG
117 sed -i "s/boolnot(1)/false/g" $VARCONFIG
118 sed -i "s/boolnot(0)/true/g" $VARCONFIG
119 sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG
120 sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG
135 local input_chain_name
136 local forward_chain_name
137 local input6_chain_name
138 local forward6_chain_name
142 config_get priority
$section priority
"4"
143 config_get deny_action
$section deny_action
"drop"
144 config_get_bool deny_log
$section deny_log
'0'
145 config_get log_prefix
$section log_prefix
"crowdsec: "
146 config_get_bool ipv4
$section ipv4
'1'
147 config_get_bool ipv6
$section ipv6
'1'
148 config_get_bool filter_input
$section filter_input
'1'
149 config_get_bool filter_forward
$section filter_forward
'1'
150 config_get input_chain_name
$section input_chain_name
"input"
151 config_get forward_chain_name
$section forward_chain_name
"forward"
152 config_get input6_chain_name
$section input6_chain_name
"input"
153 config_get forward6_chain_name
$section forward6_chain_name
"forward"
154 config_get interface
$section interface
'eth1'
156 if [ "$deny_log" -eq "1" ] ; then
157 local log_term
="log prefix \"${log_prefix}\""
160 local interface
="${interface// /, }"
162 #as of kernel 3.18 we can delete a table without need to flush it
163 nft delete table ip crowdsec
2>/dev
/null
164 nft delete table ip6 crowdsec6
2>/dev
/null
166 if [ "$ipv4" -eq "1" ] ; then
168 nft add table ip crowdsec
169 nft add
set ip crowdsec crowdsec-blacklists
'{ type ipv4_addr; flags timeout; }'
171 if [ "$filter_input" -eq "1" ] ; then
172 nft add chain ip
"$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }"
173 nft add rule ip
"$TABLE" $input_chain_name iifname
{ $interface } ct state new ip saddr @crowdsec-blacklists
${log_term} counter
$deny_action
175 if [ "$filter_forward" -eq "1" ] ; then
176 nft add chain ip
"$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }"
177 nft add rule ip
"$TABLE" $forward_chain_name iifname
{ $interface } ct state new ip saddr @crowdsec-blacklists
${log_term} counter
$deny_action
181 if [ "$ipv6" -eq "1" ] ; then
183 nft add table ip6 crowdsec6
184 nft add
set ip6 crowdsec6 crowdsec6-blacklists
'{ type ipv6_addr; flags timeout; }'
186 if [ "$filter_input" -eq "1" ] ; then
187 nft add chain ip6
"$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }"
188 nft add rule ip6
"$TABLE6" $input6_chain_name iifname
{ $interface } ct state new ip6 saddr @crowdsec6-blacklists
${log_term} counter
$deny_action
190 if [ "$filter_forward" -eq "1" ] ; then
191 nft add chain ip6
"$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }"
192 nft add rule ip6
"$TABLE6" $forward6_chain_name iifname
{ $interface } ct state new ip6 saddr @crowdsec6-blacklists
${log_term} counter
$deny_action
202 config_get_bool enabled
$section enabled
0
204 if [ "$enabled" -eq "1" ] ; then
207 init_nftables
"$section"
210 procd_set_param
command "$PROG" -c "$VARCONFIG"
211 procd_set_param stdout
1
212 procd_set_param stderr
1
219 config_load
"${CONFIGURATION}"
220 config_foreach run_bouncer bouncer
227 nft delete table ip crowdsec
2>/dev
/null
228 nft delete table ip6 crowdsec6
2>/dev
/null