[Snort-users] snort-inline and iptables INPUT chain
lhaond at ...13100...
Mon Feb 28 10:50:22 EST 2005
I'm new to Snort and the iptables QUEUE target, though I've used iptables
for a long time...
I've set up a firewall on a box (one LAN / two Internet accesses), using
nat/conntrack and a patched iproute2/kernel (multipath gateway).
I've installed snort 2.3.0 and barnyard on it; I launch snort with:
/usr/sbin/snort -QDq -c /etc/snort.conf (module ip_queue is loaded)
I've taken my firewall/iptables scripts and replaced all "-j ACCEPT"
with "-j QUEUE":
- Boxes on the LAN can access the Internet and snort seems to be
running fine (I have some alerts about AIM chat use, etc.)
- but I can't connect to the box (running snort/firewall); I no longer have
access to sshd running on port 22 (but no alert about these connections)
(no more success if I change the sshd port)
- I can still ping it (it triggers ICMP alerts).
Reading older posts, I don't really understand whether snort-inline only
works with the FORWARD chain?
So do I need to replace all "-j ACCEPT" with "-j QUEUE" only for FORWARD?
Or is it a problem/missing option on the stream4 preprocessor, or a problem
with ip_conntrack?
Thanks for any suggestions...
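The post asks whether "-j ACCEPT" should become "-j QUEUE" only on the FORWARD chain. The QUEUE target is accepted on INPUT, OUTPUT and FORWARD alike, so nothing in iptables itself restricts it to forwarded traffic; a global search-and-replace in the firewall script therefore also sends the box's own inbound ssh traffic through ip_queue. The script below is an added example, not code from the original post or from the snort-inline project: it rewrites a constructed sample rule set so that only rules appended or inserted into FORWARD are changed to QUEUE, leaving INPUT (ssh), OUTPUT and nat rules as ACCEPT. The rule set and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of a firewall script in the style described in the post
# (assumed, not the poster's real rules). Exactly two FORWARD rules and two
# INPUT rules end in "-j ACCEPT".
SAMPLE_RULES='iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE'

# queue_forward_only: read iptables commands on stdin and rewrite "-j ACCEPT"
# to "-j QUEUE" only on lines that append (-A) or insert (-I) into FORWARD.
# Rules on INPUT/OUTPUT and in the nat table are passed through unchanged, so
# the host's own ssh traffic never enters ip_queue.
queue_forward_only() {
    sed -E '/-[AI] FORWARD( |$)/ s/-j ACCEPT$/-j QUEUE/'
}

# count_rules CHAIN TARGET: number of -A/-I rules on CHAIN ending in TARGET.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the
# count usable under "set -e".
count_rules() {
    grep -cE -- "-[AI] $1 .*-j $2$" || true
}

# rewritten_rules: the sample script after the FORWARD-only rewrite.
rewritten_rules() {
    printf '%s\n' "$SAMPLE_RULES" | queue_forward_only
}

# Helpers that expose the outcome as values rather than only printed text.
forward_queue_count()  { rewritten_rules | count_rules FORWARD QUEUE; }
forward_accept_count() { rewritten_rules | count_rules FORWARD ACCEPT; }
input_accept_count()   { rewritten_rules | count_rules INPUT ACCEPT; }
input_queue_count()    { rewritten_rules | count_rules INPUT QUEUE; }

# Show the resulting script when run directly.
rewritten_rules
```

Run the output as a replacement for the original firewall script; with only FORWARD rules queued, snort-inline still sees all traffic between the LAN and the Internet, while connections to the box itself (ssh on port 22 in the sample) are decided by iptables alone. Whether that is the right trade-off for a given deployment is a separate question; the point here is only that the QUEUE target applies wherever the script puts it.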