[Oisf-users] Encrypted Traffic

Victor Julien lists at inliniac.net
Wed Jan 28 11:53:10 UTC 2015


On 01/28/2015 12:20 PM, Phil Daws wrote:
> Good day Victor:
> 
> Was wondering about iptables, as is there not a different way of doing this than what I am doing at present:
> 
> -A FORWARD -i eth0 -o eth1 -m mark ! --mark 0x1/0x1 -j NFQUEUE
> -A FORWARD -i eth1 -o eth0 -m mark ! --mark 0x1/0x1 -j NFQUEUE
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

What about just:

-A FORWARD -p 47 -j ACCEPT
-A FORWARD -j NFQUEUE

Add interfaces and other conditions as needed, but this will exclude GRE
traffic from Suricata's inspection.

Cheers,
Victor


> Thanks, Phil
> 
> 
> ----- Original Message -----
> From: "Victor Julien" <lists at inliniac.net>
> To: oisf-users at lists.openinfosecfoundation.org
> Sent: Wednesday, 28 January, 2015 11:03:30
> Subject: Re: [Oisf-users] Encrypted Traffic
> 
> On 01/28/2015 11:48 AM, Phil Daws wrote:
>> Within my lab I have two VMs that are acting as firewalls and are connected via an IPsec tunnel with GRE. A VM on one end sends traffic over this tunnel to another on the other side. This traffic should not be subjected to Suricata inspection, as I am using inline mode, so what would be the best way to suppress that?
> 
> In general, check
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
>  Note that BPF won't work in inline mode.
> 
> I'd imagine a rule like "pass ip any any -> any any (ip_proto:47; ...)"
> 
> If you run the iptables/nfq based inline method you can also use
> iptables to control which part of the traffic is inspected by Suri.
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
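An added example (not from the thread or the Suricata project) that walks both FORWARD rulesets above with iptables' first-match semantics, to show why the GRE accept has to sit before the NFQUEUE jump. It assumes a chain policy of DROP, treats NFQUEUE as the chain's terminating verdict, and uses constructed sample packets in conntrack state NEW.

```python
import shlex

PROTO_NUMBERS = {"gre": 47, "tcp": 6, "udp": 17, "icmp": 1}   # names iptables accepts for -p

def parse_rule(line):
    """Parse an iptables-save style rule into [(field, negated, value)] and its -j target."""
    toks = shlex.split(line.replace("! ", "!"))  # fold "! --mark" into "!--mark" so options pair with values
    matches, target = [], None
    for opt, val in zip(toks[::2], toks[1::2]):
        neg, opt = opt.startswith("!"), opt.lstrip("!")
        if opt in ("-A", "-m", "--match"):       # chain / match-module name: carries no match data
            continue
        if opt == "-j":
            target = val
        elif opt in ("-i", "-o"):
            matches.append(("in" if opt == "-i" else "out", neg, val))
        elif opt == "-p":
            matches.append(("proto", neg, int(val) if val.isdigit() else PROTO_NUMBERS[val]))
        elif opt == "--mark":                    # value[/mask], written in hex as in the thread
            value, _, mask = val.partition("/")
            matches.append(("mark", neg, (int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF)))
        elif opt in ("--state", "--ctstate"):
            matches.append(("state", neg, set(val.split(","))))
        else:
            raise ValueError("unsupported option: " + opt)
    return matches, target

def rule_matches(matches, pkt):                  # every clause must hold, honouring '!' negation
    for field, neg, val in matches:
        if field == "mark":
            hit = (pkt["mark"] & val[1]) == (val[0] & val[1])
        else:
            hit = pkt["state"] in val if field == "state" else pkt[field] == val
        if hit == neg:                           # plain clause must hit, negated clause must not
            return False
    return True

def evaluate(rules, pkt, policy="DROP"):         # first-match walk; NFQUEUE and ACCEPT both end it
    return next((target for matches, target in rules if rule_matches(matches, pkt)), policy)

# The two FORWARD rulesets quoted in the thread, plus constructed packets in conntrack state NEW.
ORIGINAL = [parse_rule(r) for r in (
    "-A FORWARD -i eth0 -o eth1 -m mark ! --mark 0x1/0x1 -j NFQUEUE",
    "-A FORWARD -i eth1 -o eth0 -m mark ! --mark 0x1/0x1 -j NFQUEUE",
    "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")]
PROPOSED = [parse_rule(r) for r in ("-A FORWARD -p 47 -j ACCEPT", "-A FORWARD -j NFQUEUE")]
GRE_PKT = {"in": "eth0", "out": "eth1", "proto": 47, "mark": 0, "state": "NEW"}
TCP_PKT = {"in": "eth0", "out": "eth1", "proto": 6, "mark": 0, "state": "NEW"}
```

evaluate(ORIGINAL, GRE_PKT) returns "NFQUEUE", i.e. the tunnel traffic is still queued to Suricata, while evaluate(PROPOSED, GRE_PKT) returns "ACCEPT" and TCP traffic still reaches NFQUEUE under both rulesets.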



