[Oisf-users] nfq_set_mark question

kay kay.diam at gmail.com
Fri Jul 6 12:09:51 UTC 2012


Dear community,

I would like to send all "bad" traffic to another server using the mark
capability, but I always get:
Packet seems already treated by suricata

Here are my iptables rules:

iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j DNAT --to-destination HONEYPOT_IP
iptables -t nat -A PREROUTING -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -t nat -A POSTROUTING -d 172.16.98.64/32 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j SNAT --to-source SERVERIP

Here are nfq settings:
nfq:
  mode: repeat

Here is suricata rule:
pass tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)

------------------------------------------------------------------------------------------------------------------------

Also I tried to use rules without PREROUTING and just catch the marked
packets with a pass rule:

iptables -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT

But iptables -nvL showed that there is no traffic in the second table:
------------------------------------------------------------------------------------------------------------------------
Chain INPUT (policy ACCEPT 975 packets, 82310 bytes)
 pkts bytes target     prot opt in     out     source               destination
  385 43890 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x1/0x1 tcp dpt:80 NFQUEUE num 0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1/0x1 tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 595 packets, 205K bytes)
 pkts bytes target     prot opt in     out     source               destination
------------------------------------------------------------------------------------------------------------------------
When I use drop suricata rule with INPUT iptables chain:
drop tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)
Traffic with TEST gets dropped.

For some reason it cannot be dropped when I use PREROUTING chain...

Why doesn't the pass rule with nfq_set_mark work?
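The post turns on two things a practitioner wants to check before blaming the pass rule: what `-m mark --mark value[/mask]` actually matches, and whether the marked packets ever reach the rule that is supposed to catch them. The Python below is an added example, not code from the post or from the Suricata project. It implements the netfilter mark-match semantics (`(mark & mask) == (value & mask)`, with `--mark 0x1` and no mask meaning an exact 32-bit match, unlike `0x1/0x1` which tests only bit 0), parses an `iptables -nvL` counter table (a constructed copy of the one in the post, joined onto single lines) and reports mark-matching rules that have never counted a packet. One caveat worth keeping in mind with `mode: repeat`: Suricata's default configuration marks re-injected packets itself (`repeat-mark: 1`, `repeat-mask: 1`), so a bit that both Suricata and a rule's `nfq_set_mark` set must also be what the exclusion rule tests; the helper names `mark_matches`, `parse_counters`, `idle_mark_rules` and `rules_hit_by_mark` are assumptions of this example.

```python
"""Mark-match semantics and iptables -nvL counter check (added example, not from the post)."""
import re

ALL_ONES = 0xFFFFFFFF  # fwmark is a 32-bit value


def parse_mark_spec(spec):
    """Turn '0x1' or '0x1/0x1' into (value, mask).
    Without an explicit mask iptables compares the whole mark (mask = all ones)."""
    if "/" in spec:
        value, mask = spec.split("/", 1)
        return int(value, 0), int(mask, 0)
    return int(spec, 0), ALL_ONES


def mark_matches(packet_mark, value, mask, negate=False):
    """iptables -m mark semantics: (mark & mask) == (value & mask), optionally negated ('! --mark')."""
    hit = (packet_mark & mask) == (value & mask)
    return (not hit) if negate else hit


# Constructed sample: the INPUT chain counters from the post, with the wrapped
# destination column joined back onto each rule line.
COUNTER_OUTPUT = """Chain INPUT (policy ACCEPT 975 packets, 82310 bytes)
 pkts bytes target     prot opt in     out     source               destination
  385 43890 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x1/0x1 tcp dpt:80 NFQUEUE num 0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1/0x1 tcp dpt:80
"""

# pkts bytes target prot opt in out source destination <match text...>
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$"
)
# 'mark match 0x1/0x1' or 'mark match !0x1/0x1' as printed by iptables -nvL
MARK_RE = re.compile(r"mark match (!?)(0x[0-9a-fA-F]+(?:/0x[0-9a-fA-F]+)?)")


def parse_counters(text):
    """Parse iptables -nvL output into a list of rule dicts with their packet counters."""
    rules = []
    chain = None
    for line in text.splitlines():
        header = re.match(r"^Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        if not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, _bytes, target, prot, src, dst, extra = m.groups()
        mark = None
        mm = MARK_RE.search(extra)
        if mm:
            value, mask = parse_mark_spec(mm.group(2))
            mark = (value, mask, mm.group(1) == "!")  # (value, mask, negated)
        rules.append({"chain": chain, "pkts": int(pkts), "target": target,
                      "prot": prot, "src": src, "dst": dst, "mark": mark, "extra": extra})
    return rules


def idle_mark_rules(rules):
    """Mark-matching rules that have never seen a packet: the marked traffic is not
    arriving at this hook, so the problem is upstream of the rule, not in its match."""
    return [r for r in rules if r["mark"] is not None and r["pkts"] == 0]


def rules_hit_by_mark(rules, packet_mark):
    """Targets of the mark-matching rules a packet carrying packet_mark would hit, in order."""
    return [r["target"] for r in rules
            if r["mark"] is not None and mark_matches(packet_mark, *r["mark"])]


if __name__ == "__main__":
    rules = parse_counters(COUNTER_OUTPUT)
    for r in idle_mark_rules(rules):
        print(f"{r['chain']}: rule '{r['target']} ... {r['extra']}' has 0 packets")
    print("mark 0x0 hits:", rules_hit_by_mark(rules, 0x0))
    print("mark 0x1 hits:", rules_hit_by_mark(rules, 0x1))
    # '--mark 0x1' (no mask) is an exact match, so a mark with extra bits set misses it
    print("0x3 vs --mark 0x1    :", mark_matches(0x3, *parse_mark_spec("0x1")))
    print("0x3 vs --mark 0x1/0x1:", mark_matches(0x3, *parse_mark_spec("0x1/0x1")))
```

Run it as-is and it reports the ACCEPT rule from the post as idle, which says the packets that leave NFQUEUE with bit 0 set are not being seen again at INPUT; the last two lines show why a rule written `--mark 0x1` without a mask stops matching as soon as any other bit of the fwmark is set.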


