[Oisf-users] Suricata 2.0.2 and NFLOG
Eric Leblond
eric at regit.org
Fri Jun 27 16:31:56 UTC 2014
Hello,
On Fri, 2014-06-27 at 14:55 +0100, Phil Daws wrote:
> Hello:
>
> I see that in the latest version it now supports NFLOG but am a little unsure of how one actually uses it. Currently my lab firewall, in-line mode, uses rules like:
>
> -A FORWARD -i eth0 -o eth1 -m mark ! --mark 0x1/0x1 -j NFQUEUE
>
> if switching to NFLOG then would I use:
>
> -A FORWARD -d 192.168.1.10 -m multiport -m tcp -p tcp --dports 25,80 -j NFLOG --nflog-group 2
> -A FORWARD -d 192.168.1.10 -m multiport -m tcp -p tcp --dports 25,80 -j ACCEPT
>
> so that it would only inspect a packet we are actually going to allow through ?
Not really, it will inspect all packets matching the iptables rules
using the correct NFLOG.
The easiest ruleset for suricata in NFLOG mode could be:
-I FORWARD -j NFLOG --nflog-group 2
You put a rule at the start and send everything.
A better way would be to do a dedicated chain:
iptables -N NFACCEPT
iptables -A NFACCEPT -j NFLOG --nflog-group 2
iptables -A NFACCEPT -j ACCEPT
and then use '-j NFACCEPT' instead of '-j ACCEPT' in rules.
> Does Suricata still need to be in 'repeat' mode as it does for NFQ ?
No, as NFLOG is not a terminal target, there is no need for a
'repeat' mode.
BR,
--
Eric Leblond <eric at regit.org>
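Added example, not part of the thread above: a small POSIX shell script that applies the dedicated-chain approach from the reply mechanically. It reads an `iptables-save` dump, declares the NFACCEPT chain, rewrites every `-j ACCEPT` in FORWARD to `-j NFACCEPT`, and appends the chain body (NFLOG copy to group 2, then ACCEPT). The chain name NFACCEPT and group 2 follow the reply; the dump embedded in the script is constructed sample input, and the `add_nfaccept` and `count_forward_accepts` helpers are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original thread): rewrite an iptables-save dump
# so that every '-j ACCEPT' in the FORWARD chain goes through a NFACCEPT chain
# that first copies the packet to NFLOG group 2 (where Suricata listens) and
# then accepts it. Chain name and group number follow the mailing-list reply;
# SAMPLE_DUMP is constructed input, not a real firewall's ruleset.

NFLOG_GROUP=2

# Constructed sample of `iptables-save` output for the filter table.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.1.10/32 -p tcp -m multiport --dports 25,80 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT'

# add_nfaccept: read an iptables-save dump on stdin and emit on stdout a dump
# in which the NFACCEPT chain is declared, FORWARD's ACCEPT jumps use it, and
# the chain body (NFLOG copy, then ACCEPT) is placed before COMMIT.
add_nfaccept() {
    awk -v grp="$NFLOG_GROUP" '
        # declare the new chain right after the built-in chain policies,
        # so iptables-restore knows it before any rule references it
        /^:OUTPUT / { print; print ":NFACCEPT - [0:0]"; next }
        # rewrite FORWARD rules that accept directly to jump to NFACCEPT
        /^-A FORWARD / && /-j ACCEPT$/ { sub(/-j ACCEPT$/, "-j NFACCEPT"); print; next }
        # before COMMIT, append the chain body: NFLOG is non-terminal, so the
        # packet continues to the ACCEPT rule after being copied to the group
        /^COMMIT$/ {
            print "-A NFACCEPT -j NFLOG --nflog-group " grp
            print "-A NFACCEPT -j ACCEPT"
            print; next
        }
        { print }
    '
}

# count_forward_accepts: number of FORWARD rules (on stdin) that still jump
# straight to ACCEPT, i.e. would bypass Suricata. Expect 0 after rewriting.
count_forward_accepts() {
    grep -c '^-A FORWARD .*-j ACCEPT$' || true
}

main() {
    printf '%s\n' "$SAMPLE_DUMP" | add_nfaccept
}

main
# On a real host the same transformation is:
#   iptables-save | add_nfaccept | iptables-restore
```

Running the script prints the rewritten dump; on a live firewall the same function can sit between `iptables-save` and `iptables-restore`. Note that the script assumes the NFACCEPT chain does not already exist in the dump, and that only FORWARD is rewritten, matching the in-line setup in the question.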