[Oisf-users] Running Suricata in Inline mode with Netfilter

Amar amar at countersnipe.com
Wed Dec 11 13:32:42 UTC 2019


Once you have pushed all forward/bridged/pass-through traffic to NFQ, you have to rely on Suricata rules to block or allow.

Alternatively, I(nsert) the icmp block rule first in the iptables chain and then A(dd) the NFQ rule.

Hope that helps.

Amar Rathore
www.countersnipe.com

>  
> On Dec 11, 2019 at 5:27 PM,  <Manoj Kumar (mailto:manojrk at setsindia.net)>  wrote:
>  
>  
>  
>  Hello,
>
> I've been trying to run Suricata in Inline mode using this rule:
>
> iptables -I FORWARD -j NFQUEUE
>
> While I've found no problems in getting Suricata to work, I simply 
> couldn't add any further rules in forward chain. As soon as the packets 
> hit nfqueue, it doesn't hit the rules that are added after it.
>
> For Ex: If I add an icmp drop rule after nfqueue, ping packets are not 
> being blocked.
>
> Am I doing this right? Any help is appreciated.
>
> Thanks,
> Manoj
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
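The ordering Amar describes (terminating rules inserted ahead of the NFQUEUE rule) as an added worked example; this is not code from the thread or from the Suricata project. NFQUEUE is a terminating target: once a packet is queued and Suricata returns an accept verdict, the kernel continues with the next hook, not with the next rule in the chain, so anything appended after the NFQUEUE rule never sees queued traffic. The script below prints the commands in a working order (run them as root to apply) and audits an existing `iptables -S FORWARD` dump for rules the NFQUEUE rule shadows. Queue number 0, `--queue-bypass` (fail open when Suricata is down) and Suricata's nfq `repeat` mode with repeat-mark 1 / repeat-mask 1 are assumptions taken from Suricata's own documentation, not from the posts above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prints FORWARD chain
# rules in an order where the ICMP DROP is evaluated before NFQUEUE, and
# audits a chain dump for rules sitting behind NFQUEUE. Nothing here calls
# iptables itself; pipe the printed commands to sh as root to apply them.
set -eu

# Print the rules in a working order: -I puts the ICMP DROP at position 1,
# -A appends NFQUEUE last. Arguments: mode (accept|repeat, matching
# Suricata's nfq.mode) and queue number; both defaults are assumptions.
forward_rules() {
    mode=${1:-accept}
    qnum=${2:-0}
    echo "iptables -I FORWARD 1 -p icmp -j DROP"
    if [ "$mode" = repeat ]; then
        # In Suricata nfq mode "repeat" (repeat-mark: 1, repeat-mask: 1),
        # accepted packets re-enter the chain with the mark set; the match
        # keeps them from being queued again, so later rules are reached.
        echo "iptables -A FORWARD -m mark ! --mark 1/1 -j NFQUEUE --queue-num $qnum"
    else
        # --queue-bypass fails open if no process listens on the queue.
        echo "iptables -A FORWARD -j NFQUEUE --queue-num $qnum --queue-bypass"
    fi
}

# Read `iptables -S FORWARD` output on stdin and print every rule that sits
# after an NFQUEUE rule without a repeat-mode mark match: in accept mode
# those rules are never evaluated for queued packets. Exit status is 1
# when at least one shadowed rule was found, 0 otherwise.
shadowed_rules() {
    awk '
        /^-A FORWARD / {
            if (seen) { print; n++ }
            if ($0 ~ /-j NFQUEUE/ && $0 !~ /-m mark ! --mark/) seen = 1
        }
        END { exit (n > 0) }
    '
}
```

Usage: `forward_rules | sudo sh` applies the accept-mode pair; `forward_rules repeat 0` prints the variant for Suricata's repeat mode, which is the way to keep rules after the NFQUEUE rule reachable without reordering them. `iptables -S FORWARD | shadowed_rules` lists the rules that the original post's ordering made dead.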
>              