cs-mikrotik-bouncer

command module

v0.5.0 Latest Latest Go to latest Published: Jul 24, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/funkolab/cs-mikrotik-bouncer

Links

Open Source Insights

README ¶

CrowdSec

CrowdSec Mikrotik Bouncer

A CrowdSec Bouncer for MikroTik RouterOS appliance

GitHub GitHub go.mod Go version GitHub tag (latest SemVer) Docker Image Size (latest semver)

Description

This repository aim to implement a CrowdSec bouncer for the router Mikrotik to block malicious IP to access your services. For this it leverages Mikrotik API to populate a dynamic Firewall Address List.

Usage

For now, this web service is mainly fought to be used as a container.
If you need to build from source, you can get some inspiration from the Dockerfile.

Prerequisites

You should have a Mikrotik appliance and a CrowdSec instance running.
The container is available as docker image ghcr.io/funkolab/cs-mikrotik-bouncer. It must have access to CrowdSec and to Mikrotik.

Generate a bouncer API key following CrowdSec documentation

Procedure

Get a bouncer API key from your CrowdSec with command cscli bouncers add mikrotik-bouncer
Copy the API key printed. You WON'T be able the get it again.
Paste this API key as the value for bouncer environment variable CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey"
Start bouncer with docker-compose up bouncer in the example directory
Create IP drop Filter Rules in input and forward Chain with the crowdsec Source Address List
Create IPv6 drop Filter Rules in input and forward Chain with the crowdsec Source Address List (if IPv6 used)

/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

Configuration

The bouncer configuration is made via environment variables:

Name	Description	Default	Required
`CROWDSEC_BOUNCER_API_KEY`	CrowdSec bouncer API key required to be authorized to request local API	`none`	✅
`CROWDSEC_URL`	Host and port of CrowdSec agent	`http://crowdsec:8080/`	✅
`CROWDSEC_ORIGINS`	Space separated list of CrowdSec origins to filter from LAPI (EG: "crowdsec cscli")	`none`	❌
`LOG_LEVEL`	Minimum log level for bouncer in zerolog levels	`1`	❌
`MIKROTIK_HOST`	Mikrotik appliance address	`none`	✅
`MIKROTIK_USER`	Mikrotik appliance username	`none`	✅
`MIKROTIK_PASS`	Mikrotik appliance password	`none`	✅
`MIKROTIK_TLS`	User TLS to connect to Mikrotik API	`true`	❌
`MIKROTIK_IPV6`	Enable / Disable IPv6 support	`true`	❌

Contribution

Any constructive feedback is welcome, fill free to add an issue or a pull request. I will review it and integrate it to the code.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL