A CrowdSec Bouncer for MikroTik RouterOS appliance
This repository implements a CrowdSec bouncer for Mikrotik routers, to block malicious IPs from accessing your services. To do this, it uses the Mikrotik API to populate a dynamic Firewall Address List.
For now, this web service is mainly intended to be used as a container.
If you need to build from source, you can get some inspiration from the Dockerfile.
You should have a Mikrotik appliance and a CrowdSec instance running.
The container is available as the docker image `ghcr.io/funkolab/cs-mikrotik-bouncer`. It must have access to CrowdSec and to Mikrotik.
Generate a bouncer API key following the CrowdSec documentation:

1. Generate the key with `cscli bouncers add mikrotik-bouncer`.
2. Set the generated key as the value of `CROWDSEC_BOUNCER_API_KEY`, instead of "MyApiKey".
3. Run `docker-compose up bouncer` in the `example` directory.
4. On the Mikrotik, add:
   - IP drop Filter Rules in the `input` and `forward` Chain with the `crowdsec` Source Address List
   - IPv6 drop Filter Rules in the `input` and `forward` Chain with the `crowdsec` Source Address List (if IPv6 is used)

```
/ip/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"
/ipv6/firewall/filter/
add action=drop src-address-list=crowdsec chain=input in-interface=your-wan-interface place-before=0 comment="crowdsec input drop rules"
add action=drop src-address-list=crowdsec chain=forward in-interface=your-wan-interface place-before=0 comment="crowdsec forward drop rules"
```
The bouncer configuration is made via environment variables:
Name | Description | Default | Required |
---|---|---|---|
`CROWDSEC_BOUNCER_API_KEY` | CrowdSec bouncer API key required to be authorized to request local API | none | ✅ |
`CROWDSEC_URL` | Host and port of CrowdSec agent | `http://crowdsec:8080/` | ✅ |
`CROWDSEC_ORIGINS` | Space separated list of CrowdSec origins to filter from LAPI (e.g. "crowdsec cscli") | none | ❌ |
`LOG_LEVEL` | Minimum log level for bouncer in zerolog levels | `1` | ❌ |
`MIKROTIK_HOST` | Mikrotik appliance address | none | ✅ |
`MIKROTIK_USER` | Mikrotik appliance username | none | ✅ |
`MIKROTIK_PASS` | Mikrotik appliance password | none | ✅ |
`MIKROTIK_TLS` | Use TLS to connect to Mikrotik API | `true` | ❌ |
`MIKROTIK_IPV6` | Enable / Disable IPv6 support | `true` | ❌ |
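
To illustrate how a CrowdSec decision can end up as an entry in the `crowdsec` address list, here is an added Go example; it is not this project's own code. The `Decision` type and the `allowed` and `addressListCmd` helpers are hypothetical, the sample decision is constructed, and it assumes RouterOS accepts a Go-style duration string as `timeout`.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Decision holds the CrowdSec LAPI decision fields this sketch reads (hypothetical type).
type Decision struct{ Origin, Type, Value, Duration string }

// allowed mirrors CROWDSEC_ORIGINS: an empty list accepts every origin.
func allowed(origins, origin string) bool {
	list := strings.Join(strings.Fields(origins), " ")
	return list == "" || strings.Contains(" "+list+" ", " "+origin+" ")
}

// addressListCmd returns the RouterOS API words that add d to the "crowdsec"
// list, or nil when the decision is skipped. ipv6 mirrors MIKROTIK_IPV6.
func addressListCmd(d Decision, origins string, ipv6 bool) ([]string, error) {
	if d.Type != "ban" || !allowed(origins, d.Origin) {
		return nil, nil
	}
	// Parse and re-serialise the value so a malformed string never reaches the router API.
	p, err := netip.ParsePrefix(d.Value)
	if a, aerr := netip.ParseAddr(d.Value); aerr == nil {
		p, err = netip.PrefixFrom(a.WithZone(""), a.BitLen()), nil
	}
	ttl, derr := time.ParseDuration(d.Duration)
	if err != nil || derr != nil {
		return nil, fmt.Errorf("rejecting decision %q/%q", d.Value, d.Duration)
	}
	v4 := p.Addr().Is4()
	if ttl < time.Second || (!v4 && !ipv6) {
		return nil, nil // about to expire, or IPv6 support disabled
	}
	fam := map[bool]string{true: "ip", false: "ipv6"}[v4]
	// Assumption: RouterOS accepts a Go-style duration such as "3h59m49s".
	return []string{"/" + fam + "/firewall/address-list/add", "=list=crowdsec",
		"=address=" + p.String(), "=timeout=" + ttl.Truncate(time.Second).String()}, nil
}

func main() {
	d := Decision{"crowdsec", "ban", "192.0.2.10", "3h59m49.481837158s"} // constructed sample
	fmt.Println(addressListCmd(d, "crowdsec cscli", true))
}
```

Because every entry carries a `timeout`, a ban leaves the address list on its own once the decision's remaining duration runs out.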
Any constructive feedback is welcome, feel free to add an issue or a pull request. I will review it and integrate it into the code.