Snort mailing list archives

snort-inline and iptables INPUT chain


From: Laurent Haond <lhaond () bearstech com>
Date: Mon, 28 Feb 2005 19:47:51 +0100

Hi all,

I'm new to Snort and the iptables QUEUE target, though I have used iptables for a long time...


I've set up a firewall on a box (one LAN / two Internet accesses), using nat/conntrack and a patched iproute2/kernel (multipath gateway). I've installed snort 2.3.0 and barnyard on it, and I launch snort with: /usr/sbin/snort -QDq -c /etc/snort.conf (module ip_queue is loaded).

I've taken my firewall/iptables scripts and replaced all "-j ACCEPT" with "-j QUEUE":
- Boxes from the LAN network can access the Internet and snort seems to be running fine (I've got some alerts about using AIM chat, etc...)
- but I can't connect to the box (running snort/firewall); I've no more access to ssh running on port 22.. (but no alert about these connections)
  (no more success if I change the sshd port)
- I can still ping it (it triggers icmp alerts).

Reading older posts, I do not really understand whether snort-inline only works with the FORWARD chain? So do I need to replace all "-j ACCEPT" with "-j QUEUE" only for the FORWARD chain? Or is it a problem/option missing on the stream4 preprocessor, or a problem with ip_conntrack?

Thanks for any suggestions...

Best Regards
Laurent
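The post describes a global search-and-replace of "-j ACCEPT" with "-j QUEUE" across a whole firewall script, after which the box's own sshd in the INPUT chain became unreachable. The script below is an added example (not code from the original post or from the Snort project) showing how to narrow that rewrite to one named chain, and how to check before applying the rules that the management rule (tcp/22 in INPUT) still ends in ACCEPT. The QUEUE target hands packets to a userspace reader through ip_queue, and packets queued while no reader is attached are dropped, so keeping an ACCEPT path for administration protects against lock-out if snort is not running; the example does not settle whether snort-inline itself handles INPUT traffic. The rule lines, interface names and the helper names queue_chain, count_target and ssh_still_accepted are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites "-j ACCEPT" to "-j QUEUE"
# only for rules appended (-A) or inserted (-I) into one named chain, so that a
# blanket replace over a firewall script can be limited to FORWARD while INPUT
# rules such as the sshd rule on port 22 keep their ACCEPT target.

# Constructed sample firewall script, in the style described in the post.
SAMPLE_RULES='iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT'

# queue_chain CHAIN: read rules on stdin and emit them with ACCEPT -> QUEUE
# swapped only on lines that add or insert a rule into CHAIN.
queue_chain() {
  sed "/-[AI] $1 / s/-j ACCEPT/-j QUEUE/"
}

# count_target TARGET: number of rules on stdin that jump to TARGET.
count_target() {
  grep -c -- "-j $1" || true
}

# ssh_still_accepted PORT: succeed when an INPUT rule for tcp/PORT still ends
# in "-j ACCEPT", i.e. the administrator keeps a path in even when no
# userspace queue reader (snort -Q) is attached; fail otherwise.
ssh_still_accepted() {
  grep -q -- "-A INPUT .*--dport $1 -j ACCEPT"
}

# Rewrite only the FORWARD chain and keep the result for inspection.
queued=$(printf '%s\n' "$SAMPLE_RULES" | queue_chain FORWARD)

printf '%s\n' "$queued"
printf 'QUEUE rules: %s, ACCEPT rules: %s\n' \
  "$(printf '%s\n' "$queued" | count_target QUEUE)" \
  "$(printf '%s\n' "$queued" | count_target ACCEPT)"

if printf '%s\n' "$queued" | ssh_still_accepted 22; then
  echo "ssh on tcp/22 is still ACCEPTed in INPUT: safe to apply"
else
  echo "WARNING: the ssh rule would be queued; apply only with the queue reader running" >&2
fi
```

Run it against a real rules script by piping that script into queue_chain instead of the constructed SAMPLE_RULES; the same ssh_still_accepted check can guard the INPUT chain if it is queued too, by running it on the output before the rules are loaded.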



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

