[Oisf-users] Make a Ubuntu as a gateway router + Suricata inline probe.

Liao Zhuodi liao_zd at foxmail.com
Thu Jan 22 10:38:04 UTC 2015


Hi guys,


I have an Ubuntu box that already works as a router (following these instructions: https://help.ubuntu.com/community/Router ),
and installed Suricata 2.1beta2 with NFQueue support, but I have a problem making it work in inline mode (instructions here - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux ). From "fast.log" I can see alert or [wDrop], but the packets are not dropped, so I guess it must be some problem with my Suricata settings.


WAN: wlan0 - internet (wireless)
LAN: eth0 - intranet gateway (IP: 10.10.10.1)

My NIC settings:
# /etc/network/interfaces
auto lo eth0 wlan0
iface lo inet loopback
# eth0/LAN network
iface eth0 inet static
    address 10.10.10.1
    netmask 255.255.255.0

The iptables rules that make it work as a router are:
$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 542 packets, 54986 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
27284   25M ACCEPT     all  --  wlan0  eth0    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
27753 4702K ACCEPT     all  --  eth0   wlan0   0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4


Chain OUTPUT (policy ACCEPT 372 packets, 212K bytes)
 pkts bytes target     prot opt in     out     source               destination

But once I add this NFQUEUE rule to the rules, or flush the other rules and use this rule only, the router doesn't work; intranet computers can't access the internet.
sudo iptables -I FORWARD -j NFQUEUE

It seems that traffic never goes to the NFQUEUE target. How can I make this IPS/inline Suricata work and keep the router functional as well? Thanks


liao zhuodi
liao_zd at foxmail.com
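An added example, not part of the original post or of Suricata's own code: a FORWARD ruleset that keeps the box routing between the LAN and WAN interfaces above while handing forwarded packets to NFQUEUE, plus a check of /proc/net/netfilter/nfnetlink_queue that tells whether a process is actually bound to the queue (if none is and --queue-bypass is absent, the kernel drops everything queued). It assumes eth0/wlan0 as in the post, queue number 0, and Suricata started with "suricata -c /etc/suricata/suricata.yaml -q 0".

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values (override via environment):
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-wlan0}
LAN_NET=${LAN_NET:-10.10.10.0/24}
QUEUE=${QUEUE:-0}

# Emit the ruleset (review it, then pipe to "sudo sh" to apply). NFQUEUE replaces the
# ACCEPT targets: Suricata's verdict decides whether a packet passes, and --queue-bypass
# makes the rule behave like ACCEPT when nothing is bound to the queue, instead of the
# kernel silently dropping the packet (which looks like "the router stopped working").
ips_router_rules() {
    cat <<EOF
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE --queue-num $QUEUE --queue-bypass
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j NFQUEUE --queue-num $QUEUE --queue-bypass
EOF
}

# Report whether a userspace listener (Suricata) is bound to queue $1 and how many
# packets the kernel already dropped for lack of one. In /proc/net/netfilter/nfnetlink_queue
# field 1 is the queue number and field 6 is queue_dropped. $2 overrides the file (for tests).
queue_status() {
    q=$1; f=${2:-/proc/net/netfilter/nfnetlink_queue}
    [ -r "$f" ] || { echo "nfnetlink_queue not available: is the module loaded?"; return 2; }
    line=$(awk -v q="$q" '$1 == q' "$f")
    if [ -z "$line" ]; then
        echo "queue $q: no listener bound (start Suricata with -q $q)"
        return 1
    fi
    dropped=$(echo "$line" | awk '{print $6}')
    echo "queue $q: listener bound, queue_dropped=$dropped"
    return 0
}
```

Run "queue_status 0" after starting Suricata: a rising queue_dropped counter with a listener bound means the queue is overflowing, not that the rules are wrong.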