Support #2742
closedhelp with inline IPS
Description
Hello! I am trying to have suricata be inline and block on 2 interfaces eth0 and eth1. eth0 is my gateway and eth1 is providing DHCP downstream. I have it blocking on the external interface with the following commands, yet it only alerts on inbound going out traffic.
modprobe br_netfilter
ifconfig eth1 192.168.22.1 up
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -t mangle -j NFQUEUE --queue-bypass
echo 1 > /proc/sys/net/ipv4/ip_forwardVJ Updated by Victor Julien over 7 years ago
- Tracker changed from Bug to Support
- Affected Versions deleted (
4.0beta1)
I don't think the mangle table is meant for this purpose. The filter table is where the NFQUEUE rule should be.
Please see this guide https://suricata.readthedocs.io/en/suricata-4.1.0/setting-up-ipsinline-for-linux.html
JD Updated by jeremy d over 7 years ago
Victor Julien wrote:
I don't think the mangle table is meant for this purpose. The filter table is where the NFQUEUE rule should be.
Please see this guide https://suricata.readthedocs.io/en/suricata-4.1.0/setting-up-ipsinline-for-linux.html
Thanks for the help Victor! That guide is helpful if i want to make it inline, but I cant seem to also have the IPS get an IP address. I have a setup where Router/Gateway <-> Suricata (with DHCP IP) <-> Router2 (NATed IP from Suricata) but I can only get traffic from router2 outbound.
JD Updated by jeremy d over 7 years ago
This is my updated bas script I am using
modprobe br_netfilter
ifconfig eth0 0.0.0.0 up --arp
ifconfig eth1 0.0.0.0 up --arp
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth0
brctl stp br0 off
ifconfig br0 192.168.22.1 up --arp
dnsmasq --interface=br0 --dhcp-range=br0,192.168.22.2,192.168.22.6,12h
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -I FORWARD -j NFQUEUE --queue-bypass
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEJD Updated by jeremy d over 7 years ago
So i was able to get the routing to work properly but suricata only watches and blocks on traffic when packets are leaving the LAN port and not on my WAN port with the following configs
modprobe br_netfilter
ifconfig eth0 0.0.0.0 up
ifconfig eth1 192.168.22.1 up
dnsmasq --interface=eth1 --dhcp-range=eth1,192.168.22.2,192.168.22.6,12h
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-bypass
iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-bypass
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forwardVJ Updated by Victor Julien about 7 years ago
- Assignee set to Community Ticket
AH Updated by Andreas Herz almost 7 years ago
- Target version set to Support
AH Updated by Andreas Herz over 6 years ago
You could try to set dedicated queue numbers (--queue-num) and attach suricata to both. You could also test with suricata running on only one of those if both NFQUEUE jump targets really work.
AH Updated by Andreas Herz over 6 years ago
- Status changed from New to Feedback
VJ Updated by Victor Julien over 6 years ago
- Status changed from Feedback to Closed