Skip to content

crowdsec-firewall-bouncer-iptables fails silently on Ubuntu 26.04 #503

Description

@adrianrudnik

What happened?

Happend on a bare metal machine, re-checked it with a clean dockered ubuntu:26.04. While being messy in basic install, same thing happend during post-install.

Following https://docs.crowdsec.net/u/getting_started/installation/linux/, everything works fine, until you reach the last one:

sudo apt install crowdsec-firewall-bouncer-iptables

This will install, with a single line indicating something went wrong:

Installing:                     
  crowdsec-firewall-bouncer-iptables

Summary:
  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 6
  Download size: 4,403 kB
  Space needed: 15.3 MB / 1,021 GB available

Get:1 https://packagecloud.io/crowdsec/crowdsec/any any/main amd64 crowdsec-firewall-bouncer-iptables amd64 0.0.34 [4,403 kB]
Fetched 4,403 kB in 1s (5,827 kB/s)                          
Selecting previously unselected package crowdsec-firewall-bouncer-iptables.
(Reading database… 99187 files and directories currently installed.)
Preparing to unpack …/crowdsec-firewall-bouncer-iptables_0.0.34_amd64.deb…
Unpacking crowdsec-firewall-bouncer-iptables (0.0.34)…
Setting up crowdsec-firewall-bouncer-iptables (0.0.34)…
cscli/crowdsec is present, generating API key
API Key successfully created
install: No such file or directory
Created symlink '/etc/systemd/system/multi-user.target.wants/crowdsec-firewall-bouncer.service' → '/etc/systemd/system/crowdsec-firewall-bouncer.service'.
Scanning processes...                                                                                                                                                                                                                                                                                        
Scanning linux images...                                                                                                                                                                                                                                                                                     

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

In case you do not see it, its install: No such file or directory.

It creates the API key but leaves api_key: ${API_KEY} within the /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.

Whats problematic about this is: Nothing fails directly. apt completes. crowdsec does not mention anything special, sudo systemctl status crowdsec --no-pager is clean.

I just noticed it during the manual check, asking myself why a temporaty ban on my own IP did not work.

Finally looking at the separate service revealed more details, but no reason:

Jun 25 21:00:26 kilo crowdsec-firewall-bouncer[39181]: time="2026-06-25T21:00:26+02:00" level=fatal msg="process terminated with error: bouncer stream halted"
Jun 25 21:00:26 kilo systemd[1]: crowdsec-firewall-bouncer.service: Main process exited, code=exited, status=1/FAILURE
Jun 25 21:00:26 kilo systemd[1]: crowdsec-firewall-bouncer.service: Failed with result 'exit-code'.

I had to go through /var/log/crowdsec-firewall-bouncer.log to see an indication:

time="2026-06-25T21:04:03+02:00" level=error msg="API error: access forbidden"

So basically the normal installation process advertised on your site will not protect anything, if not manually corrected and "perceived" by the user. Not sure everyone checks a systemctl --failed right after installation.

What did you expect to happen?

Set-up the system correctly.

How can we reproduce it (as minimally and precisely as possible)?

docker run --rm -it --privileged ubuntu:26.04 bash

apt update
apt install -y curl gnupg lsb-release ca-certificates apt-transport-https
curl -s https://install.crowdsec.net | sh
apt install crowdsec

# ignore dpkg failure, systemctl will be missing

apt install crowdsec-firewall-bouncer-iptables

cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

Anything else we need to know?

No response

version

0.0.25-5build1

crowdsec version

crowdsec version: 1.7.8

OS version

Details
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 26.04 LTS"
NAME="Ubuntu"
VERSION_ID="26.04"
VERSION="26.04 LTS (Resolute Raccoon)"
VERSION_CODENAME=resolute
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=resolute
LOGO=ubuntu-logo

$ uname -a
Linux kilo 7.0.0-22-generic #22-Ubuntu SMP PREEMPT_DYNAMIC Mon May 25 15:54:34 UTC 2026 x86_64 GNU/Linux
</details>

Metadata

Metadata

Assignees

No one assigned

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions