Snort mailing list archives
Re: Snort inline IPS NFQ iptables
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 01 Apr 2015 13:24:41 -0600
On Wed, 2015-04-01 at 13:47 +0200, subscription sites wrote:
Hello,

I'm currently trying to set up the following scenario:

- a Linux-based internet gateway, with 4 interfaces: wan, lan, dmz, management
- Snort is installed inline with NFQ (IPS mode).

However, I'm struggling with the concept of the iptables setup for Snort inline. I've googled a lot about it, and even had a look over the wall at Suricata on how they handle it there, but it's still not clear to me.

So basically, I get it: you need to divert the packets that you want to have filtered by Snort inline to a separate queue where an application in userland (being Snort here, I guess) can inspect the packets. However, on an internet gateway, what I obviously want to do is implement several other iptables rules. So, for example, let's say I want to have a ruleset more or less like this, looking at it from the point of view of "incoming over the internet":

- allow http to DMZ
- allow https to DMZ
- allow vpn to DMZ
- drop everything else

Now, from what I read online, if I insert a queue statement for Snort somewhere in between here, then the rules above the queue statement will be executed, packets will then be queued and handled by Snort, and all the rest (for example the drop-all statement at the end) will be ignored, since there is no "return from the Snort queue to process the rest of the iptables ruleset".

So, my question is: how do you do this then? I want to have a ruleset in iptables that allows me to restrict connections (obviously), coming from internet to lan, internet to dmz, dmz to lan, lan to dmz, ... with default drop statements every time as the last rule. Then I want to insert the Snort queue rule "somewhere", but make sure that all other rules after this Snort queue rule are also still processed. My question in short is: where is this "somewhere"?

How do you best do this, keeping in mind this is not an inline IPS with 2 interfaces, where you can just queue the entire INPUT chain and the entire FORWARD chain, but that my setup is an internet gateway with 4 physical interfaces (and perhaps will have some VLANs defined on some of these interfaces in the future also)?

Thanks for any help you can provide me!

Kind Regards,
Peter
Long story short, the MANGLE table passes this along like we are thinking:

$IPTABLES -t mangle -A FORWARD -j NFQUEUE --queue-num 1

Give that a go, and also search the list for "trouble with online mode".

James
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
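Why James's one-liner answers Peter's question: NFQUEUE does end traversal of the chain it sits in, so a queue rule placed in the middle of filter FORWARD would indeed skip the rules below it. But when Snort hands the packet back with an ACCEPT verdict, the kernel continues with the next table at the same hook, and for a forwarded packet mangle FORWARD is walked before filter FORWARD. Queueing in the mangle table therefore leaves the whole filter FORWARD chain, final drop-all rule included, in force for everything Snort lets through, and no rule in the filter table has to move. Below is a complete ruleset for Peter's four-interface gateway built on that layout. It is an added example, not code from the thread or from the Snort project; the interface names, networks and DMZ hosts are assumptions chosen for illustration, and the Snort invocation in the comments assumes Snort 2.9 with the nfq DAQ.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Snort project.
# Interface names, networks and DMZ hosts are assumptions for illustration.
#
# Netfilter traversal for a forwarded packet:
#   raw/mangle/nat PREROUTING -> routing -> mangle FORWARD -> filter FORWARD
#   -> mangle/nat POSTROUTING
# NFQUEUE ends the walk of the chain it is in, but an ACCEPT verdict from
# userspace resumes at the next table of the same hook, so a queue rule in
# mangle FORWARD is followed by the complete filter FORWARD chain.
# Start Snort bound to the same queue (assumed Snort 2.9 + nfq DAQ):
#   snort -Q --daq nfq --daq-var queue=1 -c /etc/snort/snort.conf

WAN=eth0; LAN=eth1; DMZ=eth2; MGMT=eth3            # assumed interface names
LAN_NET=192.168.10.0/24; DMZ_NET=192.168.20.0/24   # assumed RFC 1918 networks
DMZ_WEB=192.168.20.10; DMZ_VPN=192.168.20.11       # assumed DMZ hosts
QUEUE=1                                            # must match --daq-var queue=

# Print the rules by default; only run iptables when APPLY=1 is exported.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

gen_rules() {
    # --- filter table: the access policy Peter described -------------------
    # Gateway itself: loopback, replies, and SSH from the management side only.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$MGMT" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Forwarded traffic: replies first, then "incoming over the internet".
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_WEB" -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_WEB" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_VPN" -p udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
    # lan -> internet and lan -> dmz may be initiated; dmz -> lan never.
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$DMZ" -d "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    # The "drop everything else" rule Peter was worried about. It still runs
    # for every packet Snort accepts, because the queue rule is not in this chain.
    ipt -A FORWARD -j DROP
    # Policies last, so an active management session is not cut off mid-apply.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # --- mangle table: hand every forwarded packet to Snort -----------------
    # One rule, no interface match, so future VLAN sub-interfaces are covered.
    # Without --queue-bypass the kernel drops queued packets while nothing is
    # bound to the queue, i.e. the gateway fails closed if Snort dies; append
    # --queue-bypass only if you deliberately want fail-open behaviour.
    ipt -t mangle -A FORWARD -j NFQUEUE --queue-num "$QUEUE"
}

# Sanity checks on the generated set that need no kernel or root access.
count_nfqueue() { gen_rules | grep -c -- '-j NFQUEUE'; }
nfqueue_table() { gen_rules | grep -- '-j NFQUEUE' | sed -n 's/.* -t \([a-z]*\) .*/\1/p'; }
has_final_drop() { gen_rules | grep -q -- '-A FORWARD -j DROP'; }

gen_rules
```

Run it once without APPLY to review the rules, then with APPLY=1 from a console or the management interface. The queue rule deliberately matches every forwarded packet rather than being restricted per interface: Snort then also sees ESTABLISHED traffic that the filter table would accept without further inspection, and new VLAN sub-interfaces need no extra rule. The fail-closed behaviour of NFQUEUE without --queue-bypass is the setting to decide consciously, since it turns a Snort crash into an outage rather than an uninspected gateway.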
Current thread:
- Snort inline IPS NFQ iptables subscription sites (Apr 01)
- Re: Snort inline IPS NFQ iptables James Lay (Apr 01)