Snort mailing list archives

Snort inline IPS NFQ iptables


From: subscription sites <subscription.sites () gmail com>
Date: Wed, 1 Apr 2015 13:47:05 +0200

Hello,
I'm currently trying to set up the following scenario:
- a Linux-based internet gateway with 4 interfaces: wan, lan, dmz, management
- Snort is installed inline with NFQ (IPS mode).

However, I'm struggling with the concept of the iptables setup for Snort
inline.

I've googled a lot about it, and even had a look over the wall at Suricata
on how they handle it there, but it's still not clear to me.

So basically, I get it, you need to divert packets that you want to have
filtered by snort inline to a separate queue where an application in
userland (being snort here I guess) can inspect the packages.
However, on an internet gateway, what I obviously want to do is implement
several other iptables rules.

So, example, let's say I want to have a ruleset more or less like this,
looking at it from the point of view of "incoming over the internet":

- allow http to DMZ
- allow https to DMZ
- allow vpn to DMZ
- drop everything else
Now, from what I read online, if I insert a queue statement for snort
somewhere in between here, then the rules above the queue statement will be
executed, packages will then be queued and handled by snort and all the
rest (example the drop all statement at the end) will be ignored, since
there is no "return from the snort queue to process the rest of the
iptables ruleset".

So, my question is: how do you do this then?
I want to have a ruleset in iptables that allows me to restrict connections
(obviously), coming from internet to lan, internet to dmz, dmz to lan, lan
to dmz, ... with default drop statements every time as the last rule.
Then I want to insert the snort queue rule "somewhere", but make sure that
all other rules after this snort queue rule are also still processed.

My question in short is: where is this "somewhere"? How do you best do
this, keeping in mind this is not an inline IPS with 2 interfaces, where
you can just queue the entire INPUT chain and the entire FORWARD chain, but
that my setup is an internet gateway with 4 physical interfaces (and
perhaps will have some VLANs defined on some of these interfaces in the
future also)?

Thanks for any help you can provide me!

Kind Regards,
Peter
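One way to lay out the FORWARD chain for the gateway described above, as an added example that is not from the original thread or from the Snort project: each "allow" rule ends in NFQUEUE instead of ACCEPT, and the final "drop everything else" becomes the chain policy, because a verdict from the queue never returns to the next rule. Interface names, the DMZ subnet, the VPN port and the queue number are assumptions; with DRY_RUN=1 (the default) the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, the DMZ
# subnet, the VPN port and the queue number are assumptions.
WAN=eth0; DMZ=eth2
DMZ_NET=192.0.2.0/24      # constructed (documentation range) DMZ subnet
VPN_PORT=1194             # assumed: OpenVPN over UDP
QUEUE=0                   # must match Snort's NFQ DAQ queue number

# Runs iptables, or prints the command when DRY_RUN=1 (the default here,
# so the script can be read and checked without touching a live firewall).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

snort_gateway_rules() {
    # "drop everything else" becomes the chain policy, so it applies to every
    # packet that no rule queued, without needing a rule after the queue.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Replies for flows that were already admitted also go through Snort, so
    # that it sees both directions of each stream.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED \
        -j NFQUEUE --queue-num "$QUEUE"
    # Each "allow X to DMZ" rule ends in NFQUEUE instead of ACCEPT. Snort's
    # verdict is final for this traversal of the chain: NF_ACCEPT lets the
    # packet through, NF_DROP discards it, and no later rule runs either way.
    for port in 80 443; do
        ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j NFQUEUE --queue-num "$QUEUE"
    done
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p udp --dport "$VPN_PORT" \
        -m conntrack --ctstate NEW -j NFQUEUE --queue-num "$QUEUE"
    # Without --queue-bypass on the NFQUEUE rules the gateway fails closed:
    # queued packets are dropped while Snort is not attached to the queue.
}

# Returns 0 when no FORWARD rule bypasses Snort by accepting traffic directly
# and all four admitting rules hand their packets to the queue.
all_allows_are_queued() {
    rules=$(DRY_RUN=1; snort_gateway_rules)
    echo "$rules" | grep -- '-j ACCEPT' >/dev/null && return 1
    [ "$(echo "$rules" | grep -c -- '-j NFQUEUE')" -eq 4 ]
}

snort_gateway_rules
```

Traffic between the other interface pairs (dmz to lan, lan to dmz, ...) follows the same pattern: whatever you would have accepted is queued instead, and the chain policy supplies the drop.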
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!