[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

James Lay jlay at ...13475...
Tue Nov 29 13:41:03 EST 2016


On 2016-11-29 11:31, J Green wrote:
> Appreciate the response.  Firewalld/iptables is up.  Though the only
> rule I have in there is for access to the Barnyard web gui.
> 
> Thought that rules for inline were added as follows?
> 
> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> iptables -I FORWARD -j NFQUEUE --queue-num 1
> 
> I did have this more granular, only allowing specific ports through
> the bridge, but opened it up for troubleshooting purposes.
> 
> All interfaces are up and respond to pings.  I know that I am missing
> something simple.
> 
> Thank you.

They are added, but once you reboot they are lost.  You'll need to 
either create a script to re-add them on boot or use 
iptables-save/iptables-restore commands.

James


> 
> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
> wrote:
> 
>> On 2016-11-28 14:28, J Green wrote:
>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
>>> 
>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
>>> seems to work.  I do not see anything in the logs, etc.
>>> 
>>> Here is how I am running Snort:
>>> 
>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
>>> /etc/snort/snort.conf &
>>> 
>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>> 
>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us
>>> -w /var/log/snort/barnyard.waldo -g snort -u snort
>>> 
>>> Any input would be appreciated.
>>> 
>>> Thank you.
>>> 
>>> ------------------------------------------------------------------------------
>>> 
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>> 
>> Make sure your IP tables rules are reapplied on reboot.
>> 
>> James
>> 


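The boot-time script suggested in the reply above, as an added example that is not part of the thread or of Snort: it re-adds the two NFQUEUE rules from the original post only when `iptables -C` reports them missing, so running it on every boot does not stack duplicate rules. The `--apply` switch and the `IPTABLES` override are assumptions of this example.

```shell
#!/bin/sh
# Added example (constructed): re-add the thread's NFQUEUE rules at boot
# only when they are missing. Assumes root and the iptables binary on PATH.

QUEUE_NUM="${QUEUE_NUM:-1}"        # must match Snort's --daq-var queue=N
IPTABLES="${IPTABLES:-iptables}"   # assumption: overridable for a dry run

# The two rules from the original post, one "table chain" pair per line.
NFQ_RULES="nat PREROUTING
filter FORWARD"

# rule_present TABLE CHAIN: iptables -C exits 0 only if the rule exists.
rule_present() {
    "$IPTABLES" -t "$1" -C "$2" -j NFQUEUE --queue-num "$QUEUE_NUM" 2>/dev/null
}

# ensure_nfq_rules: insert each missing rule; prints one status line per rule.
ensure_nfq_rules() {
    while read -r table chain; do
        [ -n "$table" ] || continue
        if rule_present "$table" "$chain"; then
            echo "present: $table $chain -> NFQUEUE $QUEUE_NUM"
        elif "$IPTABLES" -t "$table" -I "$chain" -j NFQUEUE --queue-num "$QUEUE_NUM"; then
            echo "added: $table $chain -> NFQUEUE $QUEUE_NUM"
        else
            echo "failed: $table $chain" >&2
            return 1
        fi
    done <<EOF
$NFQ_RULES
EOF
}

# Hypothetical switch: only touch the firewall when asked to.
if [ "${1:-}" = "--apply" ]; then
    ensure_nfq_rules
fi
```

Run it as root with `--apply` at boot; a second run reports both rules as present and changes nothing.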

