[Snort-users] snort-inline and iptables INPUT chain

Victor Julien victor at ...12319...
Mon Feb 28 12:45:51 EST 2005


On Monday 28 February 2005 19:47, Laurent Haond wrote:
> Hi all,
>
> I'm new to Snort and the iptables QUEUE target, though I have used iptables
> for a long time...
>
>
> I've set up a firewall on a box (On Lan / Two Internet Access), using
> nat/conntrack and patched iproute2/kernel (multipath gateway).
> I've installed snort 2.3.0 and barnyard on it, and I launch snort with:
> /usr/sbin/snort -QDq -c /etc/snort.conf (module ip_queue is loaded)
>
> I've taken my firewall/iptables scripts and replaced all "-j ACCEPT"
> with "-j QUEUE":
> - Boxes from lan network can access internet and snort seems to be
> running fine (I've some alerts about using aim chat, etc...)
> - but I can't connect to the box (running snort/firewall), I've no more
> access to ssh running on port 22.. (but no alert about these connections)
>    (no more success if I change the sshd port)
> - I can still ping it (it triggers icmp alerts).
>

Hmmm, the only thing I can think of is that you forgot to queue the traffic on
the OUTPUT chain.

> Reading older posts, I do not really understand if snort-inline does only
> work with the FORWARD chain ?

No, it works on the other chains as well.

> so do I need to replace all "-j ACCEPT" with "-j QUEUE" only for FORWARD
> chain ?
> Or is it a problem/option missing on stream4 preprocessor, or a problem
> with ip_conntrack ?

Can you show us the iptables rules?

Regards,
Victor

>
> Thanks for any suggestions...
>
> Best Regards
> Laurent
>
>
>
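
An added example, not part of the original message: one way to check the point raised in the reply, namely which built-in filter chains actually hand packets to QUEUE and which do not. The function names and the sample ruleset are constructed for illustration; the poster's real rules do not appear in the thread.

```shell
#!/bin/sh
# Report, per built-in filter chain, how many rules jump to QUEUE and how
# many to ACCEPT. Input is iptables-save format on stdin. Rules inside
# user-defined chains are not attributed to the chain that calls them.
queue_audit() {
    awk '
        /^\*/ { table = substr($0, 2); next }       # table header, e.g. *filter
        table != "filter" { next }
        /^:/  { policy[substr($1, 2)] = $2; next }  # e.g. :INPUT DROP [0:0]
        /^-A / {
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "--jump") {
                    if ($(i + 1) == "QUEUE")  q[$2]++
                    if ($(i + 1) == "ACCEPT") acc[$2]++
                }
        }
        END {
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (k = 1; k <= n; k++) {
                c = chains[k]
                printf "%s policy=%s queue=%d accept=%d\n", c, policy[c], q[c], acc[c]
            }
        }'
}

# Names of built-in chains with no rule that hands packets to QUEUE.
unqueued_chains() {
    queue_audit | awk '$3 == "queue=0" { print $1 }'
}

# Constructed sample ruleset: INPUT and FORWARD are queued, OUTPUT is not.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j QUEUE
-A INPUT -p icmp -j QUEUE
-A FORWARD -s 192.168.1.0/24 -j QUEUE
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_ruleset | queue_audit
echo "chains never queued: $(sample_ruleset | unqueued_chains)"
```

On a live firewall the same functions can read the loaded rules with `iptables-save | queue_audit`, run as root.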
