#!/bin/sh /etc/rc.common USE_PROCD=1 START=99 NAME=crowdsec-firewall-bouncer PROG=/usr/bin/cs-firewall-bouncer VARCONFIGDIR=/var/etc/crowdsec/bouncers VARCONFIG=/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml CONFIGURATION=crowdsec TABLE="crowdsec" TABLE6="crowdsec6" service_triggers() { procd_add_reload_trigger crowdsec-firewall-bouncer procd_add_config_trigger "config.change" "crowdsec" /etc/init.d/crowdsec-firewall-bouncer reload } init_yaml() { local section="$1" local update_frequency local log_level local api_url local api_key local ipv6 local deny_action local deny_log local log_prefix local log_max_size local log_max_backups local log_max_age local ipv4 local input_chain_name local input6_chain_name config_get update_frequency $section update_frequency '10s' config_get log_level $section log_level 'info' config_get api_url $section api_url "http://127.0.0.1:8080" config_get api_key $section api_key "API_KEY" config_get_bool ipv6 $section ipv6 '1' config_get deny_action $section deny_action "drop" config_get_bool deny_log $section deny_log '0' config_get log_prefix $section log_prefix "crowdsec: " config_get log_max_size $section log_max_size '100' config_get log_max_backups $section log_max_backups '3' config_get log_max_age $section log_max_age '30' config_get_bool ipv4 $section ipv4 '1' config_get input_chain_name $section input_chain_name "input" config_get input6_chain_name $section input6_chain_name "input" # Create tmp dir & permissions if needed if [ ! -d "${VARCONFIGDIR}" ]; then mkdir -m 0755 -p "${VARCONFIGDIR}" fi; cat > $VARCONFIG <<-EOM mode: nftables pid_dir: /var/run/ update_frequency: $update_frequency daemonize: true log_mode: file log_dir: /var/log/ log_level: $log_level log_compression: true log_max_size: $log_max_size log_max_backups: $log_max_backups log_max_age: $log_max_age api_url: $api_url api_key: $api_key insecure_skip_verify: true disable_ipv6: boolnot($ipv6) deny_action: $deny_action deny_log: bool($deny_log) supported_decisions_type: - ban #to change log prefix deny_log_prefix: "$log_prefix" #to change the blacklists name blacklists_ipv4: crowdsec-blacklists blacklists_ipv6: crowdsec6-blacklists #type of ipset to use ipset_type: nethash #if present, insert rule in those chains iptables_chains: - INPUT # - FORWARD # - DOCKER-USER ## nftables nftables: ipv4: enabled: bool($ipv4) set-only: true table: $TABLE chain: $input_chain_name ipv6: enabled: bool($ipv6) set-only: true table: $TABLE6 chain: $input6_chain_name # packet filter pf: # an empty disables the anchor anchor_name: "" prometheus: enabled: false listen_addr: 127.0.0.1 listen_port: 60601 EOM sed -i "s/bool(1)/true/g" $VARCONFIG sed -i "s/bool(0)/false/g" $VARCONFIG sed -i "s/boolnot(1)/false/g" $VARCONFIG sed -i "s/boolnot(0)/true/g" $VARCONFIG sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG } init_nftables() { local section="$1" local priority local deny_action local deny_log local log_prefix local ipv4 local ipv6 local filter_input local filter_forward local input_chain_name local forward_chain_name local input6_chain_name local forward6_chain_name local interface local log_term="" config_get priority $section priority "4" config_get deny_action $section deny_action "drop" config_get_bool deny_log $section deny_log '0' config_get log_prefix $section log_prefix "crowdsec: " config_get_bool ipv4 $section ipv4 '1' config_get_bool ipv6 $section ipv6 '1' config_get_bool filter_input $section filter_input '1' config_get_bool filter_forward $section filter_forward '1' config_get input_chain_name $section input_chain_name "input" config_get forward_chain_name $section forward_chain_name "forward" config_get input6_chain_name $section input6_chain_name "input" config_get forward6_chain_name $section forward6_chain_name "forward" config_get interface $section interface 'eth1' if [ "$deny_log" -eq "1" ] ; then local log_term="log prefix \"${log_prefix}\"" fi local interface="${interface// /, }" #as of kernel 3.18 we can delete a table without need to flush it nft delete table ip crowdsec 2>/dev/null nft delete table ip6 crowdsec6 2>/dev/null if [ "$ipv4" -eq "1" ] ; then nft add table ip crowdsec nft add set ip crowdsec crowdsec-blacklists '{ type ipv4_addr; flags timeout; }' if [ "$filter_input" -eq "1" ] ; then nft add chain ip "$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }" nft add rule ip "$TABLE" $input_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action fi if [ "$filter_forward" -eq "1" ] ; then nft add chain ip "$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }" nft add rule ip "$TABLE" $forward_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action fi fi if [ "$ipv6" -eq "1" ] ; then nft add table ip6 crowdsec6 nft add set ip6 crowdsec6 crowdsec6-blacklists '{ type ipv6_addr; flags timeout; }' if [ "$filter_input" -eq "1" ] ; then nft add chain ip6 "$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }" nft add rule ip6 "$TABLE6" $input6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action fi if [ "$filter_forward" -eq "1" ] ; then nft add chain ip6 "$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }" nft add rule ip6 "$TABLE6" $forward6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action fi fi } run_bouncer() { local section="$1" local enabled config_get_bool enabled $section enabled 0 if [ "$enabled" -eq "1" ] ; then init_yaml "$section" init_nftables "$section" procd_open_instance procd_set_param command "$PROG" -c "$VARCONFIG" procd_set_param stdout 1 procd_set_param stderr 1 procd_close_instance fi } start_service() { config_load "${CONFIGURATION}" config_foreach run_bouncer bouncer } service_stopped() { rm $VARCONFIG nft delete table ip crowdsec 2>/dev/null nft delete table ip6 crowdsec6 2>/dev/null }