[Oisf-users] Suricata 2.0.2 and NFLOG

Eric Leblond eric at regit.org
Fri Jun 27 16:31:56 UTC 2014


On Fri, 2014-06-27 at 14:55 +0100, Phil Daws wrote:
> Hello:
> I see that in the latest version it now supports NFLOG but am a little unsure of how one actually uses it.  Currently my lab firewall, in-line mode, uses rules like:
> -A FORWARD -i eth0 -o eth1 -m mark ! --mark 0x1/0x1 -j NFQUEUE
> if switching to NFLOG then would I use:
> -A FORWARD -d -m multiport -m tcp -p tcp --dports 25,80 -j NFLOG --nflog-group 2
> -A FORWARD -d -m multiport -m tcp -p tcp --dports 25,80 -j ACCEPT
> so that it would only inspect a packet we are actually going to allow through?

Not really, it will inspect all packets matching the iptables rules
using the correct NFLOG.

The easiest ruleset for suricata in NFLOG mode could be:

-I FORWARD -j NFLOG --nflog-group 2

You put a rule at start and send everything.

A better way would be to do a dedicated chain:

iptables -N NFACCEPT
iptables -A NFACCEPT -j NFLOG --nflog-group 2
iptables -A NFACCEPT -j ACCEPT

and then use '-j NFACCEPT' instead of '-j ACCEPT' in rules.

> Does Suricata still need to be in 'repeat' mode as it does for NFQ?

No, as the NFLOG is not a terminal target there is no need for a
'repeat' mode.

Eric Leblond <eric at regit.org>
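The dedicated-chain layout Eric describes, as an added shell example that is not part of the thread and not Suricata project code: it prints the three iptables commands that create the NFACCEPT chain and rewrites a constructed iptables-save style dump so that `-j ACCEPT` in FORWARD becomes `-j NFACCEPT`. The chain name NFACCEPT and group 2 come from the reply; the sample dump and the function names are assumptions made for the example. Nothing is applied to a live firewall, the commands are emitted as text so they can be reviewed first. Note that with this layout Suricata only sees traffic the firewall accepts, which is exactly what Eric says: NFLOG inspects whatever the iptables rules send to the group, no more.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds the NFACCEPT chain
# from Eric's reply and rewrites FORWARD accepts to use it. Commands are
# printed, not executed, so the plan can be reviewed before it is applied.

NFLOG_GROUP="${NFLOG_GROUP:-2}"   # group number used in the thread

# Emit the three commands from the reply that create the dedicated chain.
# Run these before the rewritten rules are loaded, or NFACCEPT will not exist.
nfaccept_chain_cmds() {
    group="$1"
    printf 'iptables -N NFACCEPT\n'
    printf 'iptables -A NFACCEPT -j NFLOG --nflog-group %s\n' "$group"
    printf 'iptables -A NFACCEPT -j ACCEPT\n'
}

# Read an iptables-save style dump on stdin and replace the terminal
# "-j ACCEPT" of FORWARD rules with "-j NFACCEPT". Rules in other chains
# (INPUT, OUTPUT, ...) and non-ACCEPT targets are left untouched, so only
# forwarded traffic that the firewall allows is copied to the NFLOG group.
rewrite_forward_accepts() {
    sed -e '/^-A FORWARD /s/ -j ACCEPT$/ -j NFACCEPT/'
}

# Count how many rules now hand off to the dedicated chain (stdin).
count_nfaccept() {
    grep -c -- '-j NFACCEPT$'
}

# Constructed sample dump (assumption, illustrative only). The DROP rule
# shows traffic Suricata will never see in this layout.
SAMPLE_DUMP='-A FORWARD -i eth0 -o eth1 -p tcp -m multiport --dports 25,80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
-A INPUT -i lo -j ACCEPT'

# Print the full plan: chain creation first, then the rewritten rules.
print_plan() {
    nfaccept_chain_cmds "$NFLOG_GROUP"
    printf '%s\n' "$SAMPLE_DUMP" | rewrite_forward_accepts | sed 's/^/iptables /'
}

# Usage: sh this_script.sh  (prints the review plan for the sample dump)
if [ "${0##*/}" != "sh" ] && [ -z "${NFACCEPT_NO_MAIN:-}" ]; then
    print_plan
fi
```

Feeding the real ruleset in via `iptables-save` instead of the constructed dump gives a reviewable diff of which ACCEPT rules will start mirroring to the group; rules that should stay uninspected can be left as plain ACCEPT by hand.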
