[Oisf-users] having NFQUEUE without a suricata instance running blocks all connections
amar at countersnipe.com
Wed Aug 30 22:26:20 UTC 2017
There are many ways to deal with this, based on what the initial reasoning was for restarting/stopping Suricata.
If it is to reload new rules you can do that on the fly using kill command.
Otherwise, you could use a script that first sets the iptables policy to accept and even adds a forward iptables rule to accept, then restarts suricata, runs iptables -F and then a new script to reload iptables as required. I may have missed a step or two here, but hopefully you get my meaning.
See, the point is that you can't send some folks to a bridge that you have just blown up and expect them to cross it.
Amar
> On August 30, 2017 at 5:01 PM Jeff Dyke <jeff.dyke at gmail.com> wrote:
>
> I'm not positive, but the man page on ubuntu 16.04 4.4.0-93-generic - (iptables v1.6.0) also does not show it.
>
> You can also do: -A INPUT -s 123.456.789.101/08 -p tcp --dport 22 -j ACCEPT
>
> As an early iptables rule, but that does not solve the problem as much as allow you to fix it.
>
> I would just try to add the rule with the flag, and see if it complains. I use salt for configuration and was looking at their iptables code to see how to add it to my suricata states, and noticed it has been in their source for a while.
>
> Jeff
>
> On Wed, Aug 30, 2017 at 4:40 PM, James Moe <jimoe at sohnen-moe.com> wrote:
>
> > > On 08/29/2017 02:13 PM, Jeff Dyke wrote:
> > > https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
> > >
> > > You can add --queue-bypass. I'll request that the documentation is
> > > updated. I'm not out of the woods, but past this issue.
> > >
> > In opensuse 42.2 (linux 4.4.79-18.26-default x86_64) the iptables
> > manual does not show "--queue-bypass" as an option.
> > Is the option undocumented, hidden, or unsupported? Or does it require
> > a custom build of iptables?
> >
> > --
> > James Moe
> > moe dot james at sohnen-moe dot com
> > 520.743.3936
> > Think.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
> >
>
Kind regards
Amar Rathore
CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: http://www.countersnipe.com/
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.
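The rule and restart sequence discussed in this thread, as an added example that is not part of any poster's message: it checks whether the local iptables build knows --queue-bypass, installs the NFQUEUE rules accordingly, and restarts Suricata the way the reply above suggests when bypass is not available. QUEUE_NUM, MGMT_NET, the systemd unit name and the script's argument handling are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Hooks traffic into NFQUEUE for
# Suricata and uses --queue-bypass where the iptables build supports it, so a
# stopped Suricata lets packets through (uninspected) instead of dropping them.
# QUEUE_NUM, MGMT_NET and the service name are assumed values; adjust to taste.

QUEUE_NUM=0
MGMT_NET="192.0.2.0/24"          # constructed placeholder for the admin network

# Build the NFQUEUE target arguments; bypass=1 appends --queue-bypass.
nfqueue_target() {
    args="-j NFQUEUE --queue-num $QUEUE_NUM"
    if [ "$1" = "1" ]; then args="$args --queue-bypass"; fi
    printf '%s\n' "$args"
}

# Ask the NFQUEUE target itself whether it knows --queue-bypass; the man page
# may lag behind the binary, as the thread observed. Exit 2 = no iptables here.
supports_queue_bypass() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -j NFQUEUE --help 2>/dev/null | grep -q -- '--queue-bypass'
}

# Install the rules: management SSH first so the box stays reachable whatever
# Suricata does, then the queue rules (FORWARD for bridged/routed traffic).
apply_nfqueue_rules() {
    if supports_queue_bypass; then bypass=1; else bypass=0; fi
    iptables -I INPUT -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    # shellcheck disable=SC2046  # word splitting of the argument string is intended
    iptables -A FORWARD $(nfqueue_target "$bypass")
    iptables -A INPUT   $(nfqueue_target "$bypass")
    iptables -A OUTPUT  $(nfqueue_target "$bypass")
}

# Restart without stranding traffic on an unbound queue (the reply's approach):
# open the policies, drop the queue rules, restart, then re-apply them.
# Note: -F removes every filter rule, so save anything else with iptables-save.
safe_restart() {
    iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
    iptables -F
    systemctl restart suricata
    apply_nfqueue_rules
}

# Only touch the firewall when run as root and explicitly asked to.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then apply_nfqueue_rules; fi
if [ "$1" = "restart" ] && [ "$(id -u)" = "0" ]; then safe_restart; fi
```

Without --queue-bypass the queue rules still hand every packet to a queue nobody reads, which is the "blown-up bridge" from the reply; with it, a stopped Suricata simply means no inspection, so monitor the service rather than relying on the firewall to tell you it is down.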