<div dir="ltr"><div>Upon reboot, I enter those (2) iptables commands manually, before running barnyard. <br><br>Still does not work.<br><br></div><div><br>Thank you.<br></div><div><div><br><br><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 29, 2016 at 10:41 AM, James Lay <span dir="ltr"><<a href="mailto:jlay@...13475..." target="_blank">jlay@...13475...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
On 2016-11-29 11:31, J Green wrote:<br>
> Appreciate the response.  Firewalld/iptables is up.  Though the only<br>
> rule I have in there is for access to the Barnyard web gui.<br>
><br>
> Thought that rules for inline were added as follows?<br>
><br>
> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1<br>
> iptables -I FORWARD -j NFQUEUE --queue-num 1<br>
><br>
> I did have this more granular, only allowing specific ports through<br>
> the bridge, but opened it up for troubleshooting purposes.<br>
><br>
> All interfaces are up and respond to pings.  I know that I am missing<br>
> something simple.<br>
><br>
> Thank you.<br>
<br>
</span>They are added, but once you reboot they are lost.  You'll need to<br>
either create a script to re-add them on boot or use<br>
iptables-save/iptables-restore commands.<br>
<br>
James<br>
<div><div class="h5"><br>
<br>
><br>
> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <<a href="mailto:jlay@...13475...">jlay@...13475...</a>><br>
> wrote:<br>
><br>
>> On 2016-11-28 14:28, J Green wrote:<br>
>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).<br>
>>><br>
>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no<br>
>> longer<br>
>>> seems to work.  I do not see anything in the logs, etc.<br>
>>><br>
>>> Here is how I am running Snort:<br>
>>><br>
>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c<br>
>>> /etc/snort/snort.conf &<br>
>>><br>
>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1<br>
>>> iptables -I FORWARD -j NFQUEUE --queue-num 1<br>
>>><br>
>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f<br>
>> <a href="http://snort.us" rel="noreferrer" target="_blank">snort.us</a> [1]<br>
>>> [1] -w /var/log/snort/barnyard.waldo -g snort -u snort<br>
>>><br>
>>> Any input would be appreciated.<br>
>>><br>
>>> Thank you.<br>
>>><br>
>>><br>
>>><br>
>>> Links:<br>
>>> ------<br>
>>> [1] <a href="http://snort.us" rel="noreferrer" target="_blank">http://snort.us</a><br>
>>><br>
>>><br>
>><br>
> ------------------------------<wbr>------------------------------<wbr>------------------<br>
>>><br>
>>> ______________________________<wbr>_________________<br>
>>> Snort-users mailing list<br>
>>> <a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...3783...<wbr>net</a><br>
>>> Go to this URL to change user options or unsubscribe:<br>
</div></div>>>> <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a> [2]<br>
<span class="">>>> Snort-users list archive:<br>
>>><br>
>> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" rel="noreferrer" target="_blank">http://sourceforge.net/<wbr>mailarchive/forum.php?forum_<wbr>name=snort-users</a><br>
</span>>> [3]<br>
<span class="">>>><br>
>>> Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> to stay current on all the<br>
>> latest<br>
>>> Snort news!<br>
>><br>
>> Make sure your IP tables rules are reapplied on reboot.<br>
>><br>
>> James<br>
>><br>
>><br>
</span><span class="">
><br>
><br>
><br>
</span><span class="">> Links:<br>
> ------<br>
> [1] <a href="http://snort.us" rel="noreferrer" target="_blank">http://snort.us</a><br>
</span>> [2] <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a><br>
> [3] <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" rel="noreferrer" target="_blank">http://sourceforge.net/<wbr>mailarchive/forum.php?forum_<wbr>name=snort-users</a><br>
<div class="HOEnZb"><div class="h5">><br>
</div></div></blockquote></div><br></div>
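<div>An added diagnostic example (not part of any post in this thread) for the setup discussed above: it checks both halves of an NFQ inline deployment, that an NFQUEUE rule for the queue exists and that a program is actually bound to that queue. By default the kernel drops packets sent to a queue with no listener unless the rule uses --queue-bypass. The function names and the sample data are constructed for illustration.</div>

```shell
#!/bin/sh
# Sample iptables-save output (constructed) holding the two rules from the thread.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j NFQUEUE --queue-num 1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT
EOF
}

# nfq_rules QUEUE: read iptables-save output on stdin and print "table/chain"
# for every rule whose target is NFQUEUE with --queue-num QUEUE.
# (--queue-balance ranges are not handled.)
nfq_rules() {
    awk -v q="$1" '
        /^\*/ { table = substr($0, 2); next }   # "*nat" or "*filter" starts a table
        $1 == "-A" {
            target = ""; num = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--queue-num") num = $(i + 1)
            }
            if (target == "NFQUEUE" && num == q) print table "/" $2
        }'
}

# nfq_bound QUEUE: read /proc/net/netfilter/nfnetlink_queue on stdin; succeed
# if a userspace program (here, Snort) is bound to QUEUE (first column).
nfq_bound() {
    awk -v q="$1" '$1 == q { found = 1 } END { exit !found }'
}

# nfq_diagnose QUEUE RULES_FILE PROC_FILE: print no-rule, no-listener or ok.
nfq_diagnose() {
    rules=$(nfq_rules "$1" < "$2")
    if [ -z "$rules" ]; then echo "no-rule"; return 0; fi
    if nfq_bound "$1" < "$3"; then echo "ok"; else echo "no-listener"; fi
}

# Live use as root, for the queue number given to Snort with --daq-var queue=1:
#   iptables-save > /tmp/rules.txt
#   nfq_diagnose 1 /tmp/rules.txt /proc/net/netfilter/nfnetlink_queue
```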