/cs-mikrotik-bouncer

A CrowdSec bouncer for MikroTik RouterOS appliance

Primary LanguageGoApache License 2.0Apache-2.0

CrowdSec

CrowdSec Mikrotik Bouncer

A CrowdSec Bouncer for MikroTik RouterOS appliance

GitHub GitHub go.mod Go version Go Report Card Maintainability ci GitHub tag (latest SemVer) Docker Image Size (latest semver)

Description

This repository aim to implement a CrowdSec bouncer for the router Mikrotik to block malicious IP to access your services. For this it leverages Mikrotik API to populate a dynamic Firewall Address List.

Usage

For now, this web service is mainly fought to be used as a container.
If you need to build from source, you can get some inspiration from the Dockerfile.

Prerequisites

You should have a Mikrotik appliance and a CrowdSec instance running.
The container is available as docker image ghcr.io/funkolab/cs-mikrotik-bouncer. It must have access to CrowdSec and to Mikrotik.

Generate a bouncer API key following CrowdSec documentation

Procedure

  1. Get a bouncer API key from your CrowdSec with command cscli bouncers add mikrotik-bouncer
  2. Copy the API key printed. You WON'T be able the get it again.
  3. Paste this API key as the value for bouncer environment variable CROWDSEC_BOUNCER_API_KEY, instead of "MyApiKey"
  4. Start bouncer with docker-compose up bouncer in the example directory
  5. Create IP drop Filter Rules in input and forward Chain with the crowdsec Source Address List
  6. Create IPv6 drop Filter Rules in input and forward Chain with the crowdsec Source Address List (if IPv6 used)
/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input  in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"

Configuration

The bouncer configuration is made via environment variables:

Name Description Default Required
CROWDSEC_BOUNCER_API_KEY CrowdSec bouncer API key required to be authorized to request local API none
CROWDSEC_URL Host and port of CrowdSec agent http://crowdsec:8080/
CROWDSEC_ORIGINS Space separated list of CrowdSec origins to filter from LAPI (EG: "crowdsec cscli") none
LOG_LEVEL Minimum log level for bouncer in zerolog levels 1
MIKROTIK_HOST Mikrotik appliance address none
MIKROTIK_USER Mikrotik appliance username none
MIKROTIK_PASS Mikrotik appliance password none
MIKROTIK_TLS User TLS to connect to Mikrotik API true
MIKROTIK_IPV6 Enable / Disable IPv6 support true

Contribution

Any constructive feedback is welcome, fill free to add an issue or a pull request. I will review it and integrate it to the code.