[Snort-users] Snort inline IPS NFQ iptables

subscription sites subscription.sites at ...11827...
Wed Apr 1 07:47:05 EDT 2015


Hello,




I'm currently trying to setup the following scenario:
- a linux based internet gateway, with 4 interfaces: wan, lan, dmz,
management
- snort is installed inline with NFQ. (IPS mode)

However, I'm struggling with the concept of the iptables setup for snort
inline.


I've googled a lot about it, and even had a look over the wall at suricata
on how they handle it there, but it's still not clear to me.


So basically, I get it, you need to divert packets that you want to have
filtered by snort inline to a separate queue where an application in
userland (being snort here I guess) can inspect the packages.
However, on an internet gateway, what I obviously want to do is implement
several other iptables rules.

So, example, let's say I want to have a ruleset more or less like this,
looking at it from the point of view of "incoming over the internet":

- allow http to DMZ
- allow https to DMZ
- allow vpn to DMZ
- drop everything else


Now, from what I read online, if I insert a queue statement for snort
somewhere in between here, then the rules above the queue statement will be
executed, packages will then be queued and handled by snort and all the
rest (example the drop all statement at the end) will be ignored, since
there is no "return from the snort queue to process the rest of the
iptables ruleset".

So, my question is: how do you do this then?
I want to have a ruleset in iptables that allows me to restrict connections
(obviously), coming from internet to lan, internet to dmz, dmz to lan, lan
to dmz, ... with default drop statements every time as the last rule.
Then I want to insert the snort queue rule "somewhere", but make sure that
all other rules after this snort queue rule are also still processed.

My question in short is: where is this "somewhere"? How do you best do
this, keeping in mind this is not an inline IPS with 2 interfaces, where
you can just queue the entire INPUT chain and the entire FORWARD chain, but
that my setup is an internet gateway with 4 physical interfaces (and
perhaps will have some vlan's defined on some of these interfaces in the
future also)?

Thanks for any help you can provide me!

Kind Regards,



Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150401/1dde7416/attachment.html>


More information about the Snort-users mailing list