[Oisf-users] Trouble with NFQUEUE IPS Mode
Victor Julien
lists at inliniac.net
Wed Nov 18 11:40:33 UTC 2015
On 18-11-15 12:34, Leonard Jacobs wrote:
> I did turn on ip forwarding but the only way I could get traffic flowing
> from ethernet port to ethernet was by enabling bridging between ports.
>
> I thought bridging was wrong.
It is for NFQUEUE, yes.

Did you make sure the other hosts use this IPS box as their gateway?

Cheers,
Victor
>
> Thanks.
>
> Leonard
>
>
>
> ------------------------------------------------------------------------
> *From:* Eric Leblond [mailto:eric at regit.org]
> *To:* Leonard Jacobs [mailto:ljacobs at netsecuris.com],
> oisf-users at lists.openinfosecfoundation.org
> [mailto:oisf-users at lists.openinfosecfoundation.org]
> *Sent:* Wed, 18 Nov 2015 01:02:40 -0600
> *Subject:* Re: [Oisf-users] Trouble with NFQUEUE IPS Mode
>
> Hi,
>
> On Tue, 2015-11-17 at 18:11 -0600, Leonard Jacobs wrote:
> > I set up Suricata in NFQUEUE with the following IPTABLES
> > configuration:
> >
> > Chain INPUT (policy ACCEPT 107K packets, 152M bytes)
> >  pkts bytes target   prot opt in    out   source      destination
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target   prot opt in    out   source      destination
> >     0     0 NFQUEUE  all  --  p3p1  p2p1  0.0.0.0/0   0.0.0.0/0   NFQUEUE num 0
> >     0     0 NFQUEUE  all  --  p2p1  p3p1  0.0.0.0/0   0.0.0.0/0   NFQUEUE num 0
> >     0     0 NFQUEUE  all  --  p1p1  eth0  0.0.0.0/0   0.0.0.0/0   NFQUEUE num 0
> >     0     0 NFQUEUE  all  --  eth0  p1p1  0.0.0.0/0   0.0.0.0/0   NFQUEUE num 0
>
> All counters are 0. So no traffic has been handled by Suricata. Did you
> activate ip_forward?
>
> ++
> --
> Eric Leblond <eric at regit.org>
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
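
The checks raised in this thread (NFQUEUE rule counters stuck at 0, ip_forward, ports enslaved to a bridge), collected as an added example that is not part of the original messages. The function names, the script name and the sample listing are constructed for illustration, and the `brport` sysfs test assumes a Linux bridge.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread): routed NFQUEUE IPS checks.

# Constructed sample shaped like `iptables -L FORWARD -v -n` output.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in    out   source      destination
    0     0 NFQUEUE  all  --  p3p1  p2p1  0.0.0.0/0   0.0.0.0/0   NFQUEUE num 0
   12   840 NFQUEUE  all  --  p2p1  p3p1  0.0.0.0/0   0.0.0.0/0   NFQUEUE num 0'

# Read an `iptables -v -n` listing on stdin; print "in->out queue=N" for every
# NFQUEUE rule whose packet counter is still 0 (no packet ever reached it).
nfq_idle_rules() {
    awk '$3 == "NFQUEUE" && $1 == "0" {
        q = "?"
        for (i = 1; i < NF; i++) if ($i == "num") q = $(i + 1)
        print $6 "->" $7 " queue=" q
    }'
}

# Print "on" if the given ip_forward file holds 1, else "off".
forwarding_state() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ "$(cat "$f" 2>/dev/null)" = "1" ]; then echo on; else echo off; fi
}

# Succeed if the interface is enslaved to a Linux bridge (sysfs brport entry).
is_bridge_port() {
    [ -e "${2:-/sys/class/net}/$1/brport" ]
}

# Live check: sh nfq_check.sh --live p3p1 p2p1   (needs root for iptables)
if [ "${1:-}" = "--live" ]; then
    shift
    echo "ip_forward: $(forwarding_state)"
    for ifc in "$@"; do
        if is_bridge_port "$ifc"; then
            echo "$ifc: bridge port; the thread's advice is to route, not bridge"
        fi
    done
    iptables -L FORWARD -v -n | nfq_idle_rules | sed 's/^/idle rule: /'
fi
```

A rule that stays listed as idle while clients are generating traffic means packets are not crossing the FORWARD chain, which is the symptom discussed above.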