[Snort-users] Snort inline IPS NFQ iptables

James Lay jlay at ...13475...
Wed Apr 1 15:24:41 EDT 2015


On Wed, 2015-04-01 at 13:47 +0200, subscription sites wrote:
> Hello,
> 
> I'm currently trying to set up the following scenario:
> 
> - a linux based internet gateway, with 4 interfaces: wan, lan, dmz,
> management
> - snort is installed inline with NFQ. (IPS mode)
> 
> However, I'm struggling with the concept of the iptables setup for
> snort inline.
> 
> I've googled a lot about it, and even had a look over the wall at
> suricata on how they handle it there, but it's still not clear to me.
> 
> So basically, I get it, you need to divert packets that you want to
> have filtered by snort inline to a separate queue where an application
> in userland (being snort here I guess) can inspect the packages.
> 
> However, on an internet gateway, what I obviously want to do is
> implement several other iptables rules.
> 
> So, example, let's say I want to have a ruleset more or less like
> this, looking at it from the point of view of "incoming over the
> internet":
> 
> - allow http to DMZ
> - allow https to DMZ
> - allow vpn to DMZ
> - drop everything else
> 
> Now, from what I read online, if I insert a queue statement for snort
> somewhere in between here, then the rules above the queue statement
> will be executed, packages will then be queued and handled by snort
> and all the rest (example the drop all statement at the end) will be
> ignored, since there is no "return from the snort queue to process the
> rest of the iptables ruleset".
> 
> So, my question is: how do you do this then?
> 
> I want to have a ruleset in iptables that allows me to restrict
> connections (obviously), coming from internet to lan, internet to dmz,
> dmz to lan, lan to dmz, ... with default drop statements every time as
> the last rule.
> 
> Then I want to insert the snort queue rule "somewhere", but make sure
> that all other rules after this snort queue rule are also still
> processed.
> 
> My question in short is: where is this "somewhere"? How do you best do
> this, keeping in mind this is not an inline IPS with 2 interfaces,
> where you can just queue the entire INPUT chain and the entire FORWARD
> chain, but that my setup is an internet gateway with 4 physical
> interfaces (and perhaps will have some VLANs defined on some of these
> interfaces in the future also)?
> 
> Thanks for any help you can provide me!
> 
> Kind Regards,
> 
> Peter
> 


Long story short, the MANGLE tables pass this along like we are
thinking:

$IPTABLES -t mangle -A FORWARD -j NFQUEUE --queue-num 1

Give that a go and also search the list for "trouble with online mode"

James
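A worked ruleset for the four-interface gateway Peter describes, built around the mangle-table NFQUEUE rule James suggests (an added example, not code from either post). Interface names, the DMZ network and the VPN port are assumed placeholders; the point it shows is that mangle/FORWARD is walked before filter/FORWARD, so the zone rules and the final drop still apply to whatever Snort lets through.

```shell
#!/bin/sh
# Added example (not from the list post). Interface names, the DMZ network
# and the VPN port are constructed placeholders; adjust for a real gateway.
IPT="${IPT:-iptables}"
WAN=eth0; LAN=eth1; DMZ=eth2; MGMT=eth3
DMZ_NET=192.0.2.0/24      # RFC 5737 documentation range, placeholder
VPN_PORT=1194             # assumed OpenVPN over UDP, placeholder
QUEUE=1

# The mangle table's FORWARD chain is traversed before the filter table's
# FORWARD chain, so queueing here lets Snort verdict every forwarded packet
# (all four interfaces, future VLAN sub-interfaces included) and the filter
# rules below still run on whatever Snort accepts.
# --queue-bypass makes the rule fail-open when no process is bound to the
# queue (Snort stopped); drop the option for fail-closed behaviour.
snort_queue_rules() {
    $IPT -t mangle -A FORWARD -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
}

# Ordinary zone policy lives in filter/FORWARD, with the default drop last.
gateway_filter_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p udp --dport "$VPN_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    $IPT -A FORWARD -i "$MGMT" -j ACCEPT
    # anything not matched above (WAN->LAN, DMZ->LAN, ...) hits the DROP policy
}

# Snort side: bind to the same queue number in inline mode (Snort 2.9 nfq DAQ).
snort_command() {
    printf 'snort -Q --daq nfq --daq-var queue=%s -c /etc/snort/snort.conf\n' "$QUEUE"
}

# Run with "apply" (as root) to install the rules; without it nothing changes.
if [ "${1:-}" = apply ]; then
    snort_queue_rules
    gateway_filter_rules
fi
```

Inspect the resulting order with `iptables -t mangle -L FORWARD -nv` and `iptables -L FORWARD -nv`; the NFQUEUE counters rise before the filter counters for the same flow.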