Support #2139

closed

Suricata IPS Inline on a router not working

Added by Fuad Kamal almost 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hi,
I have configured a GW on Ubuntu connecting LAN to internet, and have Suricata installed on the GW with NFQueue support.

I referred to the link: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux

If Suricata is started with input LAN, I get [wDrop] in fast.log:
sudo suricata -c /etc/suricata/suricata.yaml.1 -i enp17s0

If Suricata is started with input WAN, nothing is logged in fast.log:
suricata -c /etc/suricata/suricata.yaml.1 -i enp0s25

If Suricata is started with input WAN, nothing is logged in fast.log:
suricata -c /etc/suricata/suricata.yaml.1 -q 0

iptables configuration is:
sudo iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s25 -o enp17s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp17s0 -o enp0s25 -j ACCEPT
sudo iptables -A FORWARD -j NFQUEUE

iptables status is (iptables -vnL):
Chain INPUT (policy ACCEPT 9529 packets, 7388K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2749 909K ACCEPT all -- enp0s25 enp17s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2995 526K ACCEPT all -- enp17s0 enp0s25 0.0.0.0/0 0.0.0.0/0
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0

Chain OUTPUT (policy ACCEPT 8943 packets, 916K bytes)
pkts bytes target prot opt in out source destination

Attached is yaml file.
Regards,
Fuad
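The counters in the listing above already point at the cause of the empty fast.log in -q 0 mode: the NFQUEUE rule in FORWARD shows 0 packets, while the two ACCEPT rules ahead of it have matched thousands. ACCEPT is a terminating target, and those two rules cover every forwarded packet (WAN→LAN established traffic and all LAN→WAN traffic), so nothing ever reaches the queue and Suricata has nothing to inspect. The wiki page linked in the report puts the NFQUEUE rule first in FORWARD for exactly this reason. The script below is an added example for this ticket, not code from the reporter or the Suricata project; it parses an `iptables -vnL` listing (the sample is constructed from the counters shown above, not live output), flags NFQUEUE rules that sit unreached behind terminating rules, and re-emits the chain with the queue rule first. The function and variable names are the example's own.

```python
"""Detect an NFQUEUE rule that is shadowed by earlier terminating rules in an
`iptables -vnL` listing and print the chain re-ordered with the queue first.
Added example for the ticket; SAMPLE_LISTING is constructed from the counters
quoted in the report, it is not captured output."""
import re

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 9529 packets, 7388K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2749  909K ACCEPT     all  --  enp0s25 enp17s0 0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2995  526K ACCEPT     all  --  enp17s0 enp0s25 0.0.0.0/0            0.0.0.0/0
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain OUTPUT (policy ACCEPT 8943 packets, 916K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Targets that end chain traversal for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_listing(text):
    """Return {chain_name: [rule, ...]} from `iptables -vnL` text.

    Each rule is a dict with the counter, target, protocol, interfaces,
    addresses and the trailing match/target options ("extra")."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if not fields or fields[0] == "pkts" or current is None:
            continue  # blank line or column header
        pkts, _bytes, target, prot, _opt, ifin, ifout, src, dst = fields[:9]
        chains[current].append({
            "pkts": int(pkts), "target": target, "prot": prot,
            "in": ifin, "out": ifout, "src": src, "dst": dst,
            "extra": " ".join(fields[9:]),
        })
    return chains


def shadowed_queue_rules(chains):
    """Return [(chain, rule_index, shadowing_rules)] for every NFQUEUE rule
    with a zero packet counter that is preceded, in the same chain, by
    terminating rules that have matched traffic. That combination means the
    earlier rules are consuming the packets the IPS was meant to see."""
    findings = []
    for chain, rules in chains.items():
        for i, rule in enumerate(rules):
            if rule["target"] != "NFQUEUE" or rule["pkts"] != 0:
                continue
            earlier = [r for r in rules[:i]
                       if r["target"] in TERMINATING and r["pkts"] > 0]
            if earlier:
                findings.append((chain, i, earlier))
    return findings


def rule_to_command(chain, rule):
    """Render one parsed rule back into an `iptables -A` command. Only the
    options present in this listing (interfaces, state match, queue number)
    are handled; anything else in "extra" would need its own mapping."""
    parts = ["iptables", "-A", chain]
    if rule["in"] != "*":
        parts += ["-i", rule["in"]]
    if rule["out"] != "*":
        parts += ["-o", rule["out"]]
    if rule["prot"] != "all":
        parts += ["-p", rule["prot"]]
    extra = rule["extra"].split()
    if extra[:1] == ["state"]:
        parts += ["-m", "state", "--state", extra[1]]
    parts += ["-j", rule["target"]]
    if extra[:2] == ["NFQUEUE", "num"]:
        parts += ["--queue-num", extra[2]]
    return " ".join(parts)


def corrected_commands(chain, rules):
    """Re-emit the chain with every NFQUEUE rule ahead of the other rules, so
    the queue is evaluated before any ACCEPT can short-circuit it."""
    queue = [r for r in rules if r["target"] == "NFQUEUE"]
    rest = [r for r in rules if r["target"] != "NFQUEUE"]
    return [rule_to_command(chain, r) for r in queue + rest]


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    for chain, idx, shadowing in shadowed_queue_rules(chains):
        print(f"{chain}: NFQUEUE rule #{idx + 1} has 0 hits; shadowed by "
              f"{len(shadowing)} terminating rule(s) that matched traffic")
        print("Suggested order (flush the chain first):")
        for cmd in corrected_commands(chain, chains[chain]):
            print("  " + cmd)
```

Run it with the listing from the report and it flags the FORWARD chain's third rule and prints the chain with `-j NFQUEUE --queue-num 0` first. Once the queue rule is first, Suricata's verdict decides whether each forwarded packet continues, which is the behaviour the IPS wiki page describes; the MASQUERADE rule in the nat table is unaffected by this ordering.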

Files

suricata.yaml.1 (60.9 KB) suricata.yaml.1 Fuad Kamal, 06/09/2017 09:24 AM