[Oisf-users] Moving NFQUEUE to a different place in iptable's chain

James Moe jimoe at sohnen-moe.com
Wed Oct 3 21:10:18 UTC 2018

suricata 4.0.4
linux 4.12.14-lp150.12.7-default x86_64

  I had this idea to use fail2ban to reduce the load on suricata. One of
the most common log entries is for rule #2220008; the rule catches
fire-and-forget SMTP messages.
  The idea: By blocking recurring IP addresses this would reduce the
load on suricata. However, I discovered this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
2103K  873M NFQUEUE    all  --  *      *            NFQUEUE num 0 bypass
14472   14M f2b-suricata  tcp  --  *      *            multiport dports 25,465,587
13143   14M f2b-assp   tcp  --  *      *            multiport dports 25

Which makes the fail2ban effort moot.

  Is there a way to change the order of the chains?

James Moe
moe dot james at sohnen-moe dot com
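The ordering problem above comes down to the NFQUEUE jump sitting at position 1 of INPUT, so every packet is handed to Suricata before the f2b-* chains ever see it. As an added illustration (not code from the post or from Suricata/fail2ban), the script below parses an `iptables -L INPUT -v -n` listing, assumed to have the standard column layout, and prints the delete/insert pair that moves the queue rule below the last fail2ban jump; the re-inserted rule spec is reconstructed from the listing's "NFQUEUE num 0 bypass" and is an assumption.

```python
import re

# Constructed sample based on the chain listing in the post, with the
# destination column present as it is in real `iptables -L -v -n` output.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2103K  873M NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0 bypass
14472   14M f2b-suricata  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
13143   14M f2b-assp   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25
"""


def parse_targets(listing):
    """Return the jump target of each rule in chain order (position = index + 1)."""
    targets = []
    for line in listing.splitlines():
        fields = line.split()
        # Rule lines start with a packet counter such as 2103K; skip the
        # chain header and the column header.
        if len(fields) < 3 or not re.fullmatch(r"\d+[KMG]?", fields[0]):
            continue
        targets.append(fields[2])
    return targets


def plan_move(targets, queue_target="NFQUEUE", before_prefix="f2b-"):
    """Commands that move the queue rule below the last fail2ban jump so that
    banned sources are rejected before they reach Suricata.
    Returns [] when the order is already correct."""
    if queue_target not in targets:
        raise ValueError("queue rule not found in chain")
    q_pos = targets.index(queue_target) + 1
    f2b_positions = [i + 1 for i, t in enumerate(targets) if t.startswith(before_prefix)]
    if not f2b_positions or max(f2b_positions) < q_pos:
        return []
    # Deleting the queue rule shifts every later rule up by one, so the last
    # f2b jump ends up at (max - 1); inserting at max places NFQUEUE right after it.
    new_pos = max(f2b_positions)
    return [
        f"iptables -D INPUT {q_pos}",
        f"iptables -I INPUT {new_pos} -j NFQUEUE --queue-num 0 --queue-bypass",
    ]


if __name__ == "__main__":
    for cmd in plan_move(parse_targets(SAMPLE_LISTING)):
        print(cmd)
```

Between the delete and the insert no packet is queued, so with `policy ACCEPT` that traffic bypasses Suricata for an instant; confirm the result afterwards with `iptables -L INPUT -v -n --line-numbers`.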

