[Oisf-users] NFQ repeat mode and iptables marks
Aleksey
unite at openmailbox.org
Wed Aug 5 13:36:01 UTC 2015
Hi guys!
I have quite a big iptables rulebase and want only certain traffic to
pass through Suricata. My idea is to mark the traffic I need in the
mangle table and then to forward only the traffic carrying a
certain mark to Suricata, which should check it, re-mark it with another
mark and return it to iptables. However, I am a bit confused by
these marks and can see that at the moment I'm surely mistaken
somewhere. So, the example mangle rule is:
iptables -t mangle -A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j MARK --set-mark 2
Then, the rule which should direct traffic to Suricata:
iptables -A FORWARD -m mark --mark 2 -j NFQUEUE --queue-num 0
And example rule which should (for example) reject some traffic to this
host:
iptables -A FORWARD -s 10.10.1.5/32 -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j DROP
My Suricata config for repeat mode is:
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
Any ideas?
Thanks in advance!
--
With kind regards,
Aleksey
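A small model of the FORWARD traversal described in the post, added here as a worked example; it is not code from the post or from Suricata. It assumes two things about the real system: NF_REPEAT re-injects the packet at the top of the same chain, and Suricata in repeat mode writes back the mark as (mark & ~repeat-mask) | (repeat-mark & repeat-mask), so a packet that entered with mark 2 comes back with mark 3. The chains AS_POSTED, BIT_ONLY and WITH_EXCLUSION, the packets and the mangle helper are constructed for the example; the third chain uses the "-m mark ! --mark 1/1" exclusion that the Suricata documentation pairs with repeat-mark 1 / repeat-mask 1.

```python
"""Constructed model of iptables FORWARD traversal with Suricata NFQ repeat
mode. No real packets or netfilter: rules and packets are plain objects so
the mark arithmetic and the chain re-entry can be checked offline."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MARK_ALL = 0xFFFFFFFF  # "--mark N" without "/mask" compares the whole 32-bit mark


def repeat_mark(mark: int, rmark: int, rmask: int) -> int:
    """Mark Suricata writes back in repeat mode (assumed formula): bits under
    repeat-mask come from repeat-mark, all other bits of the original survive."""
    return ((mark & ~rmask) | (rmark & rmask)) & MARK_ALL


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP or NFQUEUE
    src: Optional[str] = None       # -s
    dst: Optional[str] = None       # -d
    dport: Optional[int] = None     # -p tcp --dport
    # one tuple (value, mask, negated) per "-m mark [!] --mark value/mask"
    marks: List[Tuple[int, int, bool]] = field(default_factory=list)

    def matches(self, pkt: Dict) -> bool:
        if self.src is not None and pkt["src"] != self.src:
            return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        if self.dport is not None and (pkt["proto"], pkt["dport"]) != ("tcp", self.dport):
            return False
        for value, mask, negate in self.marks:
            if ((pkt["mark"] & mask) == (value & mask)) == negate:
                return False
        return True


def traverse(chain: List[Rule], pkt: Dict, rmark: int = 1, rmask: int = 1,
             max_passes: int = 8) -> Tuple[str, int]:
    """Walk the chain. NFQUEUE hands the packet to 'Suricata', which rewrites
    the mark and NF_REPEATs it, so traversal restarts at rule 1 (assumption).
    Returns (verdict, trips through NFQUEUE); 'POLICY' means the packet fell
    off the end of the chain. Raises if the packet is re-queued forever."""
    trips = 0
    for _ in range(max_passes):
        for rule in chain:
            if not rule.matches(pkt):
                continue
            if rule.target == "NFQUEUE":
                trips += 1
                pkt["mark"] = repeat_mark(pkt["mark"], rmark, rmask)
                break                        # re-injected: start the chain over
            return rule.target, trips
        else:
            return "POLICY", trips
    raise RuntimeError("NFQUEUE rule still matches the re-injected packet: loop")


def loops(chain: List[Rule], pkt: Dict) -> bool:
    """True if the chain never stops re-queueing the packet."""
    try:
        traverse(chain, pkt)
        return False
    except RuntimeError:
        return True


def mangle(pkt: Dict) -> Dict:
    """The post's PREROUTING mangle rule: tcp/80 to 192.168.1.10 gets mark 2."""
    if (pkt["dst"], pkt["proto"], pkt["dport"]) == ("192.168.1.10", "tcp", 80):
        pkt["mark"] = 2
    return pkt


def packet(src: str, dst: str = "192.168.1.10", dport: int = 80) -> Dict:
    """Constructed packet, already passed through the mangle rule."""
    return mangle({"src": src, "dst": dst, "proto": "tcp", "dport": dport, "mark": 0})


DROP_RULE = Rule("DROP", src="10.10.1.5", dst="192.168.1.10", dport=80)

# -m mark --mark 2 -j NFQUEUE : whole-mark comparison, exactly as posted
AS_POSTED = [Rule("NFQUEUE", marks=[(2, MARK_ALL, False)]), DROP_RULE]
# -m mark --mark 2/2 -j NFQUEUE : tests only bit 1, never excludes the repeat bit
BIT_ONLY = [Rule("NFQUEUE", marks=[(2, 2, False)]), DROP_RULE]
# -m mark --mark 2/2 -m mark ! --mark 1/1 -j NFQUEUE : skip already-inspected packets
WITH_EXCLUSION = [Rule("NFQUEUE", marks=[(2, 2, False), (1, 1, True)]), DROP_RULE]

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("bit only", BIT_ONLY),
                        ("with exclusion", WITH_EXCLUSION)):
        for src in ("10.10.1.5", "10.10.1.6"):
            p = packet(src)
            try:
                print(name, src, traverse(chain, p), "final mark", p["mark"])
            except RuntimeError as e:
                print(name, src, "LOOP:", e)
```

Run as a script, the model shows the three outcomes side by side: with the rule exactly as posted the packet returns from Suricata with mark 3, the whole-mark comparison "--mark 2" no longer matches, and the DROP rule gets its turn; with a bit-only "--mark 2/2" match the re-injected packet hits NFQUEUE again on every pass; with the "! --mark 1/1" exclusion the repeat bit is the thing that stops the second trip, independent of what other bits the mangle table set.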