[Oisf-users] Make a Ubuntu as a gateway router + Suricatainline probe.

Liao Zhuodi liao_zd at foxmail.com
Mon Jan 26 09:11:27 UTC 2015 

Hi Alex, 


Thanks for "NFQ" section, my configuration misses that part, now it is working. Here is my setups, but I am not sure if this the best/efficiency way, I am quite new to network, if I am doing wrong, please comment me, thanks.


WAN: wlan0
LAN: eth0, static IP, and all traffic go through this NIC out to internet
- suricata.yaml
  
  nfq:
     mode: accept
     ......
     
- setup for ubuntu to act as a router


  # all packets will be sent to suricata, and will not be inspected by the rest of the iptables rules

  iptables -I FORWARD -j NFQUEUE --queue-num 0    
  
  # make it as a router
  iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
  
  # offload to CPU
  ethtool --offload eth0 rx off tx off


- start suricata:


  sudo suricata -c /etc/suricata/suricata.yaml -q 0
- And after run all of above, here are two working iptables rules:


  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
   7750K 1972M NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

  Chain POSTROUTING (policy ACCEPT 46 packets, 3169 bytes)
   pkts bytes target     prot opt in     out     source               destination
   5982  561K MASQUERADE  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0



Suricata can drop/reject/alert payloads, and all internal computers can access internet through the suricata box, but i am uncertain about this "iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE" is right or not?


Best regards,
Liao


------------------ Original ------------------
From:  "unite";<unite at openmailbox.org>;
Send time: Thursday, Jan 22, 2015 7:01 PM
To: "Liao Zhuodi"<liao_zd at foxmail.com>; 
Cc: "oisf-users"<oisf-users at lists.openinfosecfoundation.org>; 
Subject:  Re: [Oisf-users] Make a Ubuntu as a gateway router + Suricatainline probe.



On 2015-01-22 12:38, Liao Zhuodi wrote:
> Hi guys,
> 
> I have a ubuntu box works as a router already (following this
> instruction: https://help.ubuntu.com/community/Router ),
> and install Suricata 2.1beta2 with NFQueue support, but I a problem to
> make it work as inline mode ( instruction here -
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
.......
.......


Hi Liao!

First of all, in the iptables output  you've posted I can see no NFQUEUE 
rule. So if you would like to use the nfqueue mode, your iptables should 
contain rule like this:

iptables -A FORWARD <your_params> -j NFQUEUE --queue-num 0

The default queue number for suricata is 0.

Also note, that if you have that rule in iptables chain and your 
suricata is not started packets would be just dropped because no one 
listens to them. I guess you applied that rule while your suricata 
wasn't started. You can avoid this by applying the rule with option 
"--queue-bypass", then traffic will pass through even if there is no 
application listening for nfqueue:

iptables -A FORWARD <your_params> -j NFQUEUE --queue-num 0 
--queue-bypass.

Also I would remind that to run suricata in IPS NFQUEUE mode you should 
start it with "-q" key:

sudo suricata -c /etc/suricata/suricata.yaml -q 0

where "-c" is for conf file, "-q" states for NFQUEUE mode, 0 - nfqueue 
number.

Also I would advice you to read about nfqueue modes and to choose one 
that fits you the best:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml 
(look at the "NFQ" section).

-- 
With kind regards,
Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150126/a5b61012/attachment-0002.html>

More information about the Oisf-users mailing list