[Oisf-users] Make a Ubuntu as a gateway router + Suricata inline probe.

unite unite at openmailbox.org
Thu Jan 22 11:01:09 UTC 2015


On 2015-01-22 12:38, Liao Zhuodi wrote:
> Hi guys,
> 
> I have an Ubuntu box that works as a router already (following this
> instruction: https://help.ubuntu.com/community/Router ),
> and installed Suricata 2.1beta2 with NFQueue support, but I have a problem
> making it work in inline mode ( instruction here -
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
> ), from "fast.log" I can see alert or [wDrop], but the packages are
> not dropped, so I guess it must be some problem with my suricata
> settings.
> 
> WAN: wlan0 - internet(wireless)
> LAN: eth0 - intranet gateway(IP: 10.10.10.1)
> 
> my NIC setting:
> # /etc/network/interfaces
> 
> auto lo eth0 wlan0
> iface lo inet loopback
> # eth0/LAN network
> iface eth0 inet static
>  address 10.10.10.1
>  netmask 255.255.255.0
> 
> The iptables works as router is:
> 
> $ sudo iptables -vnL
> Chain INPUT (policy ACCEPT 542 packets, 54986 bytes)
>  pkts bytes target prot opt in out source destination
> 
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source destination
> 27284 25M ACCEPT all -- wlan0 eth0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 27753 4702K ACCEPT all -- eth0 wlan0 0.0.0.0/0 0.0.0.0/0
>  0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
> 
> Chain OUTPUT (policy ACCEPT 372 packets, 212K bytes)
>  pkts bytes target prot opt in out source destination
> 
> But once I add this NFQUEUE to the rules, or flush the other rules and use
> this rule only, the router doesn't work; intranet computers can't
> access the internet.
> sudo iptables -I FORWARD -j NFQUEUE
> 
> Seems that traffic never goes to the NFQUEUE target. How can I make this
> IPS/inline suricata work and keep the router functional as well? Thanks
> 
> liao zhuodi
> liao_zd at foxmail.com
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/


Hi Liao!

First of all, in the iptables output you've posted I can see no NFQUEUE 
rule. So if you would like to use the nfqueue mode, your iptables should 
contain a rule like this:

iptables -A FORWARD <your_params> -j NFQUEUE --queue-num 0

The default queue number for suricata is 0.

Also note that if you have that rule in the iptables chain and your 
suricata is not started, packets would be just dropped because no one 
listens to them. I guess you applied that rule while your suricata 
wasn't started. You can avoid this by applying the rule with the option 
"--queue-bypass"; then traffic will pass through even if there is no 
application listening for nfqueue:

iptables -A FORWARD <your_params> -j NFQUEUE --queue-num 0 --queue-bypass

Also I would remind you that to run suricata in IPS NFQUEUE mode you should 
start it with the "-q" key:

sudo suricata -c /etc/suricata/suricata.yaml -q 0

where "-c" is for the conf file, "-q" stands for NFQUEUE mode, and 0 is the 
nfqueue number.

Also I would advise you to read about the nfqueue modes and to choose the one 
that fits you best:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml 
(look at the "NFQ" section).

-- 
With kind regards,
Alex
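The three points in the reply above (an NFQUEUE rule must exist in FORWARD, its queue number must match the `-q` value Suricata is started with, and without `--queue-bypass` forwarding fails closed whenever Suricata is down) can be checked mechanically against the output of `iptables -S FORWARD`. The checker below is an added example written for this post, not code from the thread or from the Suricata project; the rule text it parses is a constructed sample modelled on Liao's ruleset with NFQUEUE rules inserted, and the function names are my own.

```python
"""Check an iptables FORWARD chain for Suricata NFQUEUE inline mode.

Feed it the text printed by `iptables -S FORWARD` (the iptables-save style
listing) and the queue number Suricata was started with (`suricata -q N`).
"""
import shlex

# Constructed sample of `iptables -S FORWARD` on a router like the one in the
# thread (WAN wlan0, LAN eth0), after NFQUEUE rules with bypass were added.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -i wlan0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE --queue-num 0 --queue-bypass
-A FORWARD -i eth0 -o wlan0 -j NFQUEUE --queue-num 0 --queue-bypass
-A FORWARD -j LOG --log-level 4
"""


def parse_nfqueue_rules(rules_text):
    """Return one dict per NFQUEUE rule: chain, queue range, bypass flag, raw line."""
    found = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        # Only appended rules (-A) matter; -P is the chain policy.
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "NFQUEUE":
            continue
        # Without --queue-num / --queue-balance the target uses queue 0.
        low = high = 0
        if "--queue-num" in tokens:
            low = high = int(tokens[tokens.index("--queue-num") + 1])
        elif "--queue-balance" in tokens:
            lo_s, hi_s = tokens[tokens.index("--queue-balance") + 1].split(":")
            low, high = int(lo_s), int(hi_s)
        found.append({
            "chain": tokens[1],
            "queues": (low, high),
            "bypass": "--queue-bypass" in tokens,
            "rule": line,
        })
    return found


def check_inline_setup(rules_text, suricata_queue=0):
    """Return a list of findings; an empty list means the chain looks consistent."""
    rules = parse_nfqueue_rules(rules_text)
    if not rules:
        return ["no NFQUEUE rule in the FORWARD chain: Suricata never sees forwarded traffic"]
    findings = []
    for r in rules:
        low, high = r["queues"]
        if not (low <= suricata_queue <= high):
            findings.append(
                f"rule sends to queue(s) {low}-{high} but Suricata listens on "
                f"queue {suricata_queue}: {r['rule']}"
            )
        if not r["bypass"]:
            findings.append(
                "rule has no --queue-bypass, so forwarding stops whenever "
                f"Suricata is not running: {r['rule']}"
            )
    return findings


if __name__ == "__main__":
    # Stand-alone use: compare the live chain against `suricata -q 0`.
    # Replace SAMPLE_RULES with subprocess output of `iptables -S FORWARD`.
    problems = check_inline_setup(SAMPLE_RULES, suricata_queue=0)
    print("\n".join(problems) if problems else "FORWARD chain looks fine for -q 0")
```

Run it as root on the router with the real listing piped in, or paste the listing into `SAMPLE_RULES`. Note that the check only covers the FORWARD chain: traffic to or from the router itself goes through INPUT and OUTPUT and is not inspected by a FORWARD-only NFQUEUE rule.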


