secubox-openwrt/package/secubox/secubox-app-crowdsec-bouncer/files/crowdsec-bouncer.defaults
CyberMind-FR 9b59b55c9e feat: Add secubox-app-crowdsec-bouncer wrapper package (v0.0.31)
Create SecuBox wrapper for CrowdSec Firewall Bouncer with enhanced
automation and configuration for OpenWrt routers.

Package Structure:
- Lightweight wrapper depending on upstream crowdsec-firewall-bouncer
- No compilation needed (PKG_ARCH=all)
- Enhanced UCI configuration with router-optimized defaults
- Automatic bouncer registration via uci-defaults script

Files Created:
- Makefile: OpenWrt package definition with dependencies
- README.md: Comprehensive documentation (configuration, troubleshooting)
- files/crowdsec-bouncer.config: Enhanced UCI config template
- files/crowdsec-bouncer.defaults: Auto-registration and setup script

Features:
- Auto-detection of LAN/WAN interfaces
- Automatic API key generation and registration with CrowdSec LAPI
- nftables kernel module loading
- Configures IPv4/IPv6 filtering on INPUT/FORWARD chains
- Integrates with existing luci-app-crowdsec-dashboard

Configuration Highlights:
- Default interfaces: br-lan, eth1
- Logging enabled by default
- Update frequency: 10s
- Deny action: drop
- Both IPv4 and IPv6 enabled

Dependencies:
- crowdsec-firewall-bouncer (upstream from feeds/packages)
- crowdsec (SecuBox package)
- nftables
- uci + libuci

Note: the build requires rsync because of the OpenWrt SDK's perl dependency.
Package ready for integration once build environment is complete.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-06 19:45:25 +01:00


#!/bin/sh
#
# CrowdSec Firewall Bouncer - UCI Defaults Script
# Automatically configures and registers the firewall bouncer on first install
#
# Name under which this bouncer is registered with the CrowdSec LAPI
BOUNCER_NAME='crowdsec-firewall-bouncer'
# Main crowdsec UCI package that receives the bouncer section and API key
# (not referenced elsewhere in this script; kept for sourcing scripts)
CONFIG_FILE='/etc/config/crowdsec'
# Optional UCI template shipped by the package, imported on first install
BOUNCER_CONFIG='/etc/config/crowdsec-bouncer'
#######################################
# Verify that CrowdSec is installed and its local API answers.
# Outputs:  one diagnostic line on stdout when a check fails
# Returns:  0 when cscli exists and 'cscli lapi status' succeeds, 1 otherwise
#######################################
check_crowdsec() {
  command -v cscli >/dev/null 2>&1 || {
    echo "CrowdSec (cscli) not found. Please install crowdsec first."
    return 1
  }
  # An installed binary is not enough: registration needs a reachable LAPI
  cscli lapi status >/dev/null 2>&1 || {
    echo "CrowdSec LAPI not running. Start crowdsec service first."
    return 1
  }
  return 0
}
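#######################################
# Register this bouncer with the CrowdSec LAPI and store its API key in UCI.
# Globals:  BOUNCER_NAME (read)
# Outputs:  progress messages on stdout; the API key itself is never printed
# Returns:  0 when the bouncer is registered (or already was), 1 on failure
#######################################
register_bouncer() {
  local api_key

  # Fixed-string match: the name must not be interpreted as a regex
  if cscli bouncers list | grep -qF -- "$BOUNCER_NAME"; then
    echo "Bouncer '$BOUNCER_NAME' already registered"
    # cscli only reveals the key at creation time. If UCI holds no key the
    # bouncer cannot authenticate, so tell the operator instead of reporting
    # a silently incomplete setup.
    if [ -z "$(uci -q get crowdsec.bouncer.api_key)" ]; then
      echo "No API key stored in crowdsec.bouncer.api_key; the bouncer cannot authenticate."
      echo "Re-register with: cscli bouncers delete $BOUNCER_NAME && cscli bouncers add $BOUNCER_NAME"
    fi
    return 0
  fi

  echo "Registering bouncer '$BOUNCER_NAME' with CrowdSec LAPI..."
  api_key=$(cscli bouncers add "$BOUNCER_NAME" -o raw 2>/dev/null)
  if [ -z "$api_key" ] || [ "$api_key" = "null" ]; then
    echo "Failed to register bouncer"
    return 1
  fi
  echo "Bouncer registered successfully"
  # The key is a credential: it goes straight into UCI, never to stdout/logs
  uci set crowdsec.bouncer.api_key="$api_key"
  uci commit crowdsec
  return 0
}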
#######################################
# Work out the LAN and WAN device names the bouncer should filter on.
# Tries network.<iface>.device, then network.<iface>.ifname, then a fixed
# default (br-lan / eth1).
# Outputs:  "<lan> <wan>" on stdout
#######################################
detect_interfaces() {
  local lan_dev wan_dev

  lan_dev=$(uci -q get network.lan.device)
  if [ -z "$lan_dev" ]; then
    lan_dev=$(uci -q get network.lan.ifname)
  fi
  : "${lan_dev:=br-lan}"

  wan_dev=$(uci -q get network.wan.device)
  if [ -z "$wan_dev" ]; then
    wan_dev=$(uci -q get network.wan.ifname)
  fi
  : "${wan_dev:=eth1}"

  echo "$lan_dev $wan_dev"
}
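#######################################
# Ensure the 'crowdsec' UCI package has a 'bouncer' section and interface list.
# Globals:  BOUNCER_CONFIG (read)
# Outputs:  progress messages on stdout
# Returns:  0; nothing is touched when the section already exists
#######################################
merge_config() {
  local ifaces iface

  # Already configured (re-run or upgrade): keep the operator's settings
  if uci -q get crowdsec.bouncer >/dev/null 2>&1; then
    return 0
  fi
  echo "Creating bouncer section in /etc/config/crowdsec..."

  # -m merges the template into the existing 'crowdsec' package; a plain
  # 'uci import' replaces the package and would discard the main crowdsec
  # settings. If the template is missing or fails to import, fall back to
  # the built-in defaults so the section exists before add_list below.
  if ! { [ -f "$BOUNCER_CONFIG" ] && uci -q -m import crowdsec < "$BOUNCER_CONFIG"; }; then
    uci set crowdsec.bouncer=bouncer
    uci set crowdsec.bouncer.enabled='0'    # stays off until an API key is stored
    uci set crowdsec.bouncer.ipv4='1'
    uci set crowdsec.bouncer.ipv6='1'
    uci set crowdsec.bouncer.api_url='http://127.0.0.1:8080/'
    uci set crowdsec.bouncer.update_frequency='10s'
    uci set crowdsec.bouncer.deny_action='drop'
    uci set crowdsec.bouncer.deny_log='1'
    uci set crowdsec.bouncer.log_prefix='CrowdSec: '
    uci set crowdsec.bouncer.log_level='info'
    uci set crowdsec.bouncer.filter_input='1'
    uci set crowdsec.bouncer.filter_forward='1'
  fi

  # Replace any interface list from the template with the detected devices;
  # the unquoted expansion is intentional (space-separated list).
  ifaces=$(detect_interfaces)
  uci delete crowdsec.bouncer.interface 2>/dev/null
  for iface in $ifaces; do
    uci add_list crowdsec.bouncer.interface="$iface"
  done
  uci commit crowdsec
  return 0
}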
#######################################
# Load the nftables kernel modules the bouncer relies on.
# modprobe errors are silenced; the return status is that of the last modprobe.
#######################################
load_nftables_modules() {
  local mod
  for mod in nf_tables nft_chain_nat nf_nat; do
    modprobe "$mod" 2>/dev/null
  done
}
#######################################
# Orchestrate first-install setup: UCI section, kernel modules, registration.
# Globals:  BOUNCER_NAME (read)
# Outputs:  status and next-step hints on stdout
# Exits:    0 directly when CrowdSec is not available (registration deferred)
#######################################
main() {
  echo "Configuring CrowdSec Firewall Bouncer..."
  merge_config
  load_nftables_modules

  # Registration needs a live LAPI; the script deliberately exits 0 here
  # rather than reporting an error, leaving registration to the operator.
  check_crowdsec || {
    echo "CrowdSec not ready. Bouncer registration skipped."
    echo "Run 'cscli bouncers add $BOUNCER_NAME' manually after starting crowdsec."
    exit 0
  }

  if ! register_bouncer; then
    echo "Bouncer registration failed. You may need to register manually:"
    echo " cscli bouncers add $BOUNCER_NAME"
    return
  fi
  echo "Bouncer configuration complete"
  echo "Enable the bouncer with: uci set crowdsec.bouncer.enabled='1'; uci commit crowdsec"
  echo "Start the service with: /etc/init.d/crowdsec-firewall-bouncer enable && /etc/init.d/crowdsec-firewall-bouncer start"
}
# Entry point
main "$@"

# One-shot uci-defaults script: remove itself so it is not re-run on boot.
# NOTE(review): main exits directly when CrowdSec is unavailable, so this
# removal is skipped on that path.
rm -f -- /etc/uci-defaults/99_crowdsec-bouncer
exit 0