[Oisf-users] Suricata 2.0.2 and NFLOG
Victor Julien
lists at inliniac.net
Sat Jul 5 08:23:19 UTC 2014
On 06/27/2014 06:31 PM, Eric Leblond wrote:
> Hello,
>
> On Fri, 2014-06-27 at 14:55 +0100, Phil Daws wrote:
>> Hello:
>>
>> I see that in the latest version it now supports NFLOG but am a little unsure of how one actually uses it. Currently my lab firewall, in-line mode, uses rules like:
>>
>> -A FORWARD -i eth0 -o eth1 -m mark ! --mark 0x1/0x1 -j NFQUEUE
>>
>> if switching to NFLOG then would I use:
>>
>> -A FORWARD -d 192.168.1.10 -m multiport -m tcp -p tcp --dports 25,80 -j NFLOG --nflog-group 2
>> -A FORWARD -d 192.168.1.10 -m multiport -m tcp -p tcp --dports 25,80 -j ACCEPT
>>
>> so that it would only inspect a packet we are actually going to allow through?
>
> Not really, it will inspect all packets matching the iptables rules
> using the correct NFLOG.
>
> The easiest ruleset for suricata in NFLOG mode could be:
>
> -I FORWARD -j NFLOG --nflog-group 2
>
> You put a rule at the start and send everything.
>
> A better way would be to do a dedicated chain:
>
> iptables -N NFACCEPT
> iptables -A NFACCEPT -j NFLOG --nflog-group 2
> iptables -A NFACCEPT -j ACCEPT
>
> and then use '-j NFACCEPT' instead of '-j ACCEPT' in rules.
>
>> Does Suricata still need to be in 'repeat' mode as it does for NFQ?
>
> No, as the NFLOG is not a terminal target there is no need for a
> 'repeat' mode.
See also: http://blog.lupiae.org/capture-packets-from-nflog-in-suricata/
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
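The dedicated-chain approach Eric describes, as an added shell example that is not from the thread or from the Suricata project: it rewrites an iptables-save style dump so that every FORWARD rule ending in `-j ACCEPT` goes through an NFACCEPT chain, which copies the packet to NFLOG group 2 and then accepts it. The sample ruleset, addresses and interfaces are constructed for the example; Suricata's nflog section must be configured for the same group.

```shell
#!/bin/sh
# Constructed sample: a minimal iptables-save dump of a lab firewall's filter table.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.1.10/32 -p tcp -m multiport --dports 25,80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT'

# Rewrite a ruleset (iptables-save format, restore-ready on output) so that
# '-j ACCEPT' rules in FORWARD terminate in NFACCEPT instead. NFACCEPT copies
# the packet to NFLOG group $2 (default 2) and then accepts it. NFLOG is not a
# terminal target, so the packet continues and Suricata needs no 'repeat' mode.
# Tables other than *filter pass through unchanged.
nfaccept_rules() {
    ruleset="$1"; group="${2:-2}"
    printf '%s\n' "$ruleset" | awk -v group="$group" '
        /^\*filter$/ { print; in_filter = 1; next }
        # Declare the user chain right after the built-in chain policies.
        in_filter && /^:OUTPUT / { print; print ":NFACCEPT - [0:0]"; next }
        # Only terminal accepts are redirected; LOG/DROP rules stay as they are.
        in_filter && /^-A FORWARD / && / -j ACCEPT$/ {
            sub(/ -j ACCEPT$/, " -j NFACCEPT"); print; next }
        # Chain body goes in just before COMMIT: log to the group, then accept.
        in_filter && /^COMMIT$/ {
            print "-A NFACCEPT -j NFLOG --nflog-group " group
            print "-A NFACCEPT -j ACCEPT"
            print; in_filter = 0; next }
        { print }'
}

# Sanity check for the rewritten set: number of FORWARD rules that still
# accept traffic without copying it to NFLOG (should be 0).
uninspected_accepts() {
    nfaccept_rules "$1" "$2" | awk '/^-A FORWARD .* -j ACCEPT$/ { n++ } END { print n + 0 }'
}

# Usage on a live box (as root): nfaccept_rules "$(iptables-save)" 2 | iptables-restore
```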