[Oisf-users] Make a Ubuntu as a gateway router + Suricata inline probe.
Liao Zhuodi
liao_zd at foxmail.com
Mon Jan 26 09:11:27 UTC 2015
Hi Alex,
Thanks for the "NFQ" section; my configuration was missing that part, and now it is working. Here is my setup, but I am not sure if this is the best/most efficient way. I am quite new to networking, so if I am doing something wrong, please comment. Thanks.
WAN: wlan0
LAN: eth0, static IP; all traffic goes through this NIC out to the internet
- suricata.yaml
nfq:
  mode: accept
  ......
- setup for Ubuntu to act as a router
# send all forwarded packets to Suricata; they will not be inspected by the rest of the iptables rules
iptables -I FORWARD -j NFQUEUE --queue-num 0
# make it act as a router
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# disable NIC offloading on eth0 so the CPU handles it
ethtool --offload eth0 rx off tx off
- start suricata:
sudo suricata -c /etc/suricata/suricata.yaml -q 0
- And after running all of the above, here are the two working iptables rules:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7750K 1972M NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain POSTROUTING (policy ACCEPT 46 packets, 3169 bytes)
pkts bytes target prot opt in out source destination
5982 561K MASQUERADE all -- * wlan0 0.0.0.0/0 0.0.0.0/0
Suricata can drop/reject/alert on payloads, and all internal computers can access the internet through the Suricata box, but I am uncertain whether this "iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE" is right or not.
Best regards,
Liao
------------------ Original ------------------
From: "unite" <unite at openmailbox.org>
Send time: Thursday, Jan 22, 2015 7:01 PM
To: "Liao Zhuodi" <liao_zd at foxmail.com>
Cc: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Make a Ubuntu as a gateway router + Suricata inline probe.
On 2015-01-22 12:38, Liao Zhuodi wrote:
> Hi guys,
>
> I have a Ubuntu box that already works as a router (following this
> instruction: https://help.ubuntu.com/community/Router ),
> and installed Suricata 2.1beta2 with NFQueue support, but I have a problem
> making it work in inline mode (instructions here -
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
.......
.......
Hi Liao!
First of all, in the iptables output you've posted I can see no NFQUEUE
rule. So if you would like to use the nfqueue mode, your iptables should
contain a rule like this:
iptables -A FORWARD <your_params> -j NFQUEUE --queue-num 0
The default queue number for suricata is 0.
Also note that if you have that rule in the iptables chain and your
suricata is not started, packets will just be dropped because no one
listens to them. I guess you applied that rule while your suricata
wasn't started. You can avoid this by applying the rule with the option
"--queue-bypass"; then traffic will pass through even if there is no
application listening on the nfqueue:
iptables -A FORWARD <your_params> -j NFQUEUE --queue-num 0 --queue-bypass
Also I would remind you that to run suricata in IPS NFQUEUE mode you should
start it with the "-q" key:
sudo suricata -c /etc/suricata/suricata.yaml -q 0
where "-c" is for the conf file, "-q" stands for NFQUEUE mode, and 0 is the
nfqueue number.
Also I would advise you to read about nfqueue modes and choose the one
that fits you best:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
(look at the "NFQ" section).
--
With kind regards,
Alex
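As an added example (not code from either message in this thread), a small shell audit that checks an iptables-save dump for the three points raised above: an NFQUEUE rule in FORWARD, Alex's --queue-bypass so forwarding survives a Suricata restart, and a MASQUERADE bound only to the WAN interface as Liao asked about. It assumes the WAN interface is wlan0 and builds its sample dumps inline.

```shell
#!/bin/sh
# Audit an iptables-save dump for the inline-IPS gateway pattern in this thread:
#  1. FORWARD has an NFQUEUE rule, so forwarded traffic reaches Suricata
#  2. that NFQUEUE rule carries --queue-bypass, otherwise forwarding stops
#     whenever Suricata is not running (Alex's warning)
#  3. MASQUERADE is bound to the WAN interface only (Liao's question)
# Assumptions: WAN interface name below, and standard iptables-save syntax.
WAN_IF="${WAN_IF:-wlan0}"

# Constructed dumps, not captured from a real box. BAD mirrors Liao's rules.
BAD_DUMP='*filter
-A FORWARD -j NFQUEUE --queue-num 0
COMMIT
*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT'
GOOD_DUMP="$(printf '%s\n' "$BAD_DUMP" | sed 's/--queue-num 0$/--queue-num 0 --queue-bypass/')"

# check_nfqueue DUMP: succeeds if FORWARD holds at least one NFQUEUE rule
check_nfqueue() {
    printf '%s\n' "$1" | grep -Eq '^-A FORWARD .*-j NFQUEUE'
}

# check_bypass DUMP: succeeds if no FORWARD NFQUEUE rule lacks --queue-bypass
check_bypass() {
    ! printf '%s\n' "$1" | grep -E '^-A FORWARD .*-j NFQUEUE' | grep -Evq -- '--queue-bypass'
}

# check_masq DUMP: succeeds if MASQUERADE exists and every instance is -o $WAN_IF
check_masq() {
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING .*-o $WAN_IF .*-j MASQUERADE" &&
    ! printf '%s\n' "$1" | grep -E '^-A POSTROUTING .*-j MASQUERADE' | grep -Evq -- "-o $WAN_IF "
}

# audit_ruleset DUMP: prints findings, returns the number of failed checks
audit_ruleset() {
    fails=0
    check_nfqueue "$1" || { echo "FAIL: no NFQUEUE rule in FORWARD"; fails=$((fails + 1)); }
    check_bypass "$1"  || { echo "WARN: NFQUEUE lacks --queue-bypass; traffic is dropped while Suricata is down"; fails=$((fails + 1)); }
    check_masq "$1"    || { echo "FAIL: MASQUERADE missing or not restricted to -o $WAN_IF"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: ruleset matches the inline gateway pattern"
    return "$fails"
}

# Offline demo; on the gateway itself run: audit_ruleset "$(iptables-save)"
audit_ruleset "$BAD_DUMP"  || echo "(BAD_DUMP: $? check(s) failed)"
audit_ruleset "$GOOD_DUMP" || echo "(GOOD_DUMP: $? check(s) failed)"
```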