[Oisf-users] Trouble with NFQUEUE IPS Mode

Leonard Jacobs ljacobs at netsecuris.com
Wed Nov 18 12:08:09 UTC 2015


I did create the iptables rules with NFQUEUE. But then you are saying the IPS appliance should be like a router, with an IP address set on the outer Ethernet port.

Here is a drawing of what I am trying to accomplish. There are 4 Ethernet ports on the IPS appliance. I want to have the IPS on both sides of the firewall.

Router <---------->IPS Appliance<------------>SonicWALL firewall<--------->IPS appliance<-------------->LAN Switch
               PortA           PortB                                   PortC          PortD

To get data flowing, I had bridged PortA to PortB as well as PortC to PortD. Will Suricata in NFQUEUE mode not see the traffic from the pairs of ports using the iptables rules I created?

I prefer to use AF_PACKET mode to accomplish this because I know it works, but in this case there seems to be an incompatibility with the SonicWALL firewall, so VPN connections drop and some traffic stops flowing. So I am trying to find an IPS alternative to AF_PACKET mode.

Are you saying I need to have IP addresses on all 4 Ethernet ports so NFQUEUE will work without turning bridging on?

Thanks.

Leonard

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Wednesday, November 18, 2015 5:41 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Trouble with NFQUEUE IPS Mode

On 18-11-15 12:34, Leonard Jacobs wrote:
> I did turn on ip forwarding but the only way I could get traffic 
> flowing from Ethernet port to Ethernet port was by enabling bridging between ports.
> 
> I thought bridging was wrong.

It is for NFQUEUE, yes.

Did you make sure the other hosts use this IPS box as their gateway?

Cheers,
Victor



> 
> Thanks.
> 
> Leonard
> 
> 
> 
>     ------------------------------------------------------------------------
>     *From:* Eric Leblond [mailto:eric at regit.org]
>     *To:* Leonard Jacobs [mailto:ljacobs at netsecuris.com],
>     oisf-users at lists.openinfosecfoundation.org
>     [mailto:oisf-users at lists.openinfosecfoundation.org]
>     *Sent:* Wed, 18 Nov 2015 01:02:40 -0600
>     *Subject:* Re: [Oisf-users] Trouble with NFQUEUE IPS Mode
> 
>     Hi,
> 
>     On Tue, 2015-11-17 at 18:11 -0600, Leonard Jacobs wrote:
>     > I set up Suricata in NFQUEUE with the following IPTABLES
>     > configuration:
>     >  
>     > Chain INPUT (policy ACCEPT 107K packets, 152M bytes)
>     >  pkts bytes target     prot opt in     out     source               destination
>     >
>     > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>     >  pkts bytes target     prot opt in     out     source               destination
>     >     0     0 NFQUEUE    all  --  p3p1   p2p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     >     0     0 NFQUEUE    all  --  p2p1   p3p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     >     0     0 NFQUEUE    all  --  p1p1   eth0    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     >     0     0 NFQUEUE    all  --  eth0   p1p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
> 
>     All counters are 0. So no traffic has been handled by Suricata. Did you
>     activate ip_forward?
> 
>     ++
>     -- 
>     Eric Leblond <eric at regit.org <mailto:eric at regit.org>>
> 
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: 
> http://oisfevents.net
> 


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

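The thread boils down to three checks on an NFQUEUE IPS box: ip_forward must be on, the port pairs must be routed rather than bridged (a bridged port is switched at layer 2 and never passes through the FORWARD chain, so its NFQUEUE rule never matches), and the NFQUEUE counters must start climbing once the neighbouring hosts route through the box. The following shell script is an added example, not code from this thread or from the Suricata project, that runs those checks against captured command output so it can be exercised offline. The interface names are the ones posted above; the sample `iptables -nvxL FORWARD` and `ip -o link show` dumps are constructed, and the function names (`nfqueue_packets`, `is_bridged`, `nfqueue_rules_for_pair`, `ips_ready`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Suricata: pre-flight checks for a
# Suricata NFQUEUE IPS box that must ROUTE between interface pairs. All inputs are
# passed as text so the checks run offline against captured command output; the
# samples below are constructed, with the interface names taken from the thread.
# On a real box feed it: cat /proc/sys/net/ipv4/ip_forward, ip -o link show,
# iptables -nvxL FORWARD (-x prints exact counters instead of 107K-style suffixes).

# Constructed FORWARD chain as posted in the thread: every counter still at zero.
SAMPLE_FORWARD_ZERO='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  p3p1   p2p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  p2p1   p3p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  p1p1   eth0    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  eth0   p1p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

# Constructed FORWARD chain after the outer pair has started routing traffic.
SAMPLE_FORWARD_LIVE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 97312 NFQUEUE    all  --  p3p1   p2p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
  790 88120 NFQUEUE    all  --  p2p1   p3p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  p1p1   eth0    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  eth0   p1p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

# Constructed `ip -o link show` excerpts: the ports enslaved to br0, and the same ports routed.
SAMPLE_LINKS_BRIDGED='2: p3p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT
3: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT'
SAMPLE_LINKS_ROUTED='2: p3p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
3: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT'

# Sum the packet counters of every NFQUEUE rule in a FORWARD chain dump.
# Zero means nothing has reached Suricata's queue (Eric's observation in the thread).
nfqueue_packets() {
    printf '%s\n' "$1" | awk '$3 == "NFQUEUE" { n += $1 } END { print n + 0 }'
}

# Succeed if interface $1 is enslaved to a bridge in the `ip -o link show` text $2.
# A bridged port is switched at layer 2 and bypasses the FORWARD chain entirely.
is_bridged() {
    printf '%s\n' "$2" | grep -E "^[0-9]+: $1:" | grep -q 'master br'
}

# Print the two iptables commands that queue both directions of one routed interface
# pair to queue 0, as the thread's rules do (-i/-o are the in/out interfaces).
nfqueue_rules_for_pair() {
    printf 'iptables -I FORWARD -i %s -o %s -j NFQUEUE --queue-num 0\n' "$1" "$2"
    printf 'iptables -I FORWARD -i %s -o %s -j NFQUEUE --queue-num 0\n' "$2" "$1"
}

# Combined readiness check. Args: ip_forward value, `ip -o link show` text,
# `iptables -nvxL FORWARD` text, then the interface names to verify.
# Prints one finding per line; returns 0 only when the box is routing and queueing.
ips_ready() {
    fwd=$1; links=$2; chain=$3; shift 3
    rc=0
    [ "$fwd" = "1" ] || { echo "net.ipv4.ip_forward is not 1: packets are not routed"; rc=1; }
    for iface in "$@"; do
        if is_bridged "$iface" "$links"; then
            echo "$iface is enslaved to a bridge: FORWARD/NFQUEUE will not see its traffic"
            rc=1
        fi
    done
    [ "$(nfqueue_packets "$chain")" -gt 0 ] || { echo "NFQUEUE counters are still 0: check that neighbouring hosts route via this box"; rc=1; }
    return $rc
}

# Stand-alone demonstration against the constructed samples.
echo "bridged + idle:"; ips_ready 1 "$SAMPLE_LINKS_BRIDGED" "$SAMPLE_FORWARD_ZERO" p3p1 p2p1 || true
echo "routed + live:";  ips_ready 1 "$SAMPLE_LINKS_ROUTED" "$SAMPLE_FORWARD_LIVE" p3p1 p2p1 && echo "ok"
echo "rules for the outer pair:"; nfqueue_rules_for_pair p3p1 p2p1
```

The bridged sample reports two enslaved ports and zero counters, which is exactly the state described in the thread; the routed sample passes. The check deliberately treats "counters still 0" as a finding even when everything else is right, because on a routed box that usually means the router and firewall have not been pointed at the IPS addresses as their next hop.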