Support #2139 (closed)
Suricata IPS Inline on a router not working
Description
Hi,
I have configured a GW on Ubuntu connecting the LAN to the internet, and have Suricata installed on the GW with NFQueue support.
I referred to this link: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
If Suricata is started with the LAN interface as input, I get [wDrop] in fast.log:
sudo suricata -c /etc/suricata/suricata.yaml.1 -i enp17s0
If Suricata is started with the WAN interface as input, nothing is logged in fast.log:
suricata -c /etc/suricata/suricata.yaml.1 -i enp0s25
If Suricata is started with the WAN interface as input, nothing is logged in fast.log:
suricata -c /etc/suricata/suricata.yaml.1 -q 0
The iptables configuration is:
sudo iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s25 -o enp17s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp17s0 -o enp0s25 -j ACCEPT
sudo iptables -A FORWARD -j NFQUEUE
The iptables status (iptables -vnL) is:
Chain INPUT (policy ACCEPT 9529 packets, 7388K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2749 909K ACCEPT all -- enp0s25 enp17s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2995 526K ACCEPT all -- enp17s0 enp0s25 0.0.0.0/0 0.0.0.0/0
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain OUTPUT (policy ACCEPT 8943 packets, 916K bytes)
pkts bytes target prot opt in out source destination
Attached is the yaml file.
Regards,
Fuad
Updated by Victor Julien over 7 years ago
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
The first two 0s mean no traffic is matching this iptables rule, so nothing is sent to Suricata.
Updated by Fuad Kamal over 7 years ago
Hi,
I moved the redirect to NFQUEUE to the top, so the iptables commands are in this sequence:
sudo iptables -F
sudo iptables -A FORWARD -j NFQUEUE
sudo iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s25 -o enp17s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp17s0 -o enp0s25 -j ACCEPT
So the status (sudo iptables -vnL) is:
Chain INPUT (policy ACCEPT 3247 packets, 1733K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2258 203K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
0 0 ACCEPT all -- enp0s25 enp17s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- enp17s0 enp0s25 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3198 packets, 378K bytes)
pkts bytes target prot opt in out source destination
This way, I was getting the proper drops based on a configuration to drop PING from a certain IP address.
The rule is:
drop icmp 192.168.10.100 any -> any any (msg:"DROP test ICMP ping from 192.168.2.106";icode:0; itype:8; classtype:trojan-activity; sid:99999999; rev:1;)
But the problem now is that the client PC cannot see the internet router, so the client PC cannot access the internet.
Regards,
Fuad
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to Support
What happens if you set the rule to alert?
If that doesn't change anything, you might want to look into the stats.log drop counter or start Suricata with -vv to see any other important messages.
What version of Suricata are you using?
Updated by Fuad Kamal over 7 years ago
Hi,
I got everything working by replacing the command:
sudo iptables -A FORWARD -j NFQUEUE
with
sudo iptables -A FORWARD -t mangle -j NFQUEUE
The mangle table provided the proper routing.
Regards,
Fuad
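As an added example (not part of this ticket), the script below turns Victor Julien's counter check into something that can be run against any `iptables -vnL` listing: it parses the FORWARD chain and reports an NFQUEUE rule that has seen 0 packets, or one that sits behind ACCEPT rules so that the traffic those rules accept is never queued to Suricata. The two FORWARD chains posted in this thread are embedded as constructed sample input; the function name and messages are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the ticket: check an `iptables -vnL` listing for the
# two FORWARD-chain problems seen in this thread: an NFQUEUE rule that no traffic
# reaches (0 pkts), and an NFQUEUE rule placed after ACCEPT rules, so traffic
# those rules accept is never queued to Suricata.

# Constructed samples: the FORWARD chain as first posted (NFQUEUE last, 0 pkts)
# and as re-ordered in the follow-up (NFQUEUE first).
SAMPLE_BAD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 2749  909K ACCEPT all -- enp0s25 enp17s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 2995  526K ACCEPT all -- enp17s0 enp0s25 0.0.0.0/0 0.0.0.0/0
    0     0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain OUTPUT (policy ACCEPT 8943 packets, 916K bytes)
 pkts bytes target prot opt in out source destination'

SAMPLE_GOOD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 2258  203K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
    0     0 ACCEPT all -- enp0s25 enp17s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- enp17s0 enp0s25 0.0.0.0/0 0.0.0.0/0'

# Reads a listing on stdin and prints one finding per line for the FORWARD chain.
# Exit status 0: the NFQUEUE rule is first and has seen traffic; 1: a problem.
check_forward_nfqueue() {
  awk '
    /^Chain /                     { chain = $2; rule = 0; accepts = 0; next }
    $1 == "pkts"                  { next }     # column header line
    chain != "FORWARD" || NF == 0 { next }
    {
      rule++
      if ($3 == "NFQUEUE") {
        seen = 1
        if ($1 == 0) { print "NFQUEUE rule " rule ": 0 packets, nothing is queued to Suricata"; bad = 1 }
        if (accepts) { print "NFQUEUE rule " rule " sits after " accepts " ACCEPT rule(s); accepted traffic skips it"; bad = 1 }
      } else if ($3 == "ACCEPT") {
        accepts++
      }
    }
    END {
      if (!seen) { print "no NFQUEUE rule in FORWARD chain"; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# Check both samples; pipe a live `iptables -vnL` in the same way on a real gateway.
printf '%s\n' "$SAMPLE_BAD"  | check_forward_nfqueue || echo "first listing: NFQUEUE is not receiving traffic"
printf '%s\n' "$SAMPLE_GOOD" | check_forward_nfqueue && echo "second listing: NFQUEUE receives traffic"
```

The second listing passes this check even though its later ACCEPT rules show 0 packets; as the counters in the thread show, rules placed after NFQUEUE in the filter table are not reached for queued traffic, which is why moving the NFQUEUE rule to the mangle table kept the filter rules in play.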