Open Information Security Foundation (https://redmine.openinfosecfoundation.org/)

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=10674, 2018-12-14T06:30:28Z, Victor Julien, victor@inliniac.net)
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Support</i></li><li><strong>Affected Versions</strong> deleted (<del><i>4.0beta1</i></del>)</li></ul><p>I don't think the mangle table is meant for this purpose. The filter table is where the NFQUEUE rule should be.</p>
<p>Please see this guide <a class="external" href="https://suricata.readthedocs.io/en/suricata-4.1.0/setting-up-ipsinline-for-linux.html">https://suricata.readthedocs.io/en/suricata-4.1.0/setting-up-ipsinline-for-linux.html</a></p>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=10686, 2018-12-16T22:02:30Z, jeremy d)
<ul></ul><p>Victor Julien wrote:</p>
<blockquote>
<p>I don't think the mangle table is meant for this purpose. The filter table is where the NFQUEUE rule should be.</p>
<p>Please see this guide <a class="external" href="https://suricata.readthedocs.io/en/suricata-4.1.0/setting-up-ipsinline-for-linux.html">https://suricata.readthedocs.io/en/suricata-4.1.0/setting-up-ipsinline-for-linux.html</a></p>
</blockquote>
<p>Thanks for the help Victor! That guide is helpful if I want to make it inline, but I can't seem to also have the IPS get an IP address. I have a setup where Router/Gateway <-> Suricata (with DHCP IP) <-> Router2 (NATed IP from Suricata) but I can only get traffic from router2 outbound.</p>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=10687, 2018-12-16T22:50:36Z, jeremy d)
<ul></ul><p>This is my updated bash script I am using:</p>
<pre><code># load the bridge netfilter module so bridged IPv4 frames traverse iptables
modprobe br_netfilter
# bring both ports up without addresses and bridge them as br0, STP off
ifconfig eth0 0.0.0.0 up --arp
ifconfig eth1 0.0.0.0 up --arp
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth0
brctl stp br0 off
# the bridge itself carries the LAN address and serves DHCP leases
ifconfig br0 192.168.22.1 up --arp
dnsmasq --interface=br0 --dhcp-range=br0,192.168.22.2,192.168.22.6,12h
# start from empty filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# hand every forwarded packet to NFQUEUE 0; --queue-bypass accepts packets
# when no process is attached to the queue (fail-open)
iptables -I FORWARD -j NFQUEUE --queue-bypass
# enable routing and masquerade LAN traffic behind the eth0 address
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</code></pre>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=10689, 2018-12-17T04:44:00Z, jeremy d)
<ul></ul><p>So I was able to get the routing to work properly, but Suricata only watches and blocks traffic when packets are leaving the LAN port and not on my WAN port, with the following config:</p>
<pre><code># routed (not bridged) layout: eth0 faces the WAN, eth1 is the LAN with the gateway address
modprobe br_netfilter
ifconfig eth0 0.0.0.0 up
ifconfig eth1 192.168.22.1 up
dnsmasq --interface=eth1 --dhcp-range=eth1,192.168.22.2,192.168.22.6,12h
# start from empty filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# one NFQUEUE rule per direction; both use the default queue 0, and -I puts
# the eth1->eth0 rule first in the chain
iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-bypass
iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-bypass
# masquerade LAN traffic behind the eth0 address and enable routing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward</code></pre>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=11461, 2019-03-11T14:42:45Z, Victor Julien, victor@inliniac.net)
<ul><li><strong>Assignee</strong> set to <i>Community Ticket</i></li></ul>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=12600, 2019-06-15T21:51:50Z, Andreas Herz, oisf@herzandreas.de)
<ul><li><strong>Target version</strong> set to <i>Support</i></li></ul>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=12873, 2019-07-09T19:27:16Z, Andreas Herz, oisf@herzandreas.de)
<ul></ul><p>You could try to set dedicated queue numbers (--queue-num) and attach Suricata to both. You could also test, with Suricata running on only one of those, whether both NFQUEUE jump targets really work.</p>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=12874, 2019-07-09T19:27:20Z, Andreas Herz, oisf@herzandreas.de)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul>

Suricata - Support #2742: help with inline IPS (https://redmine.openinfosecfoundation.org/issues/2742?journal_id=13905, 2019-09-26T09:57:46Z, Victor Julien, victor@inliniac.net)
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul>
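The per-direction queue layout Andreas suggests, combined with the NAT forwarding rules from the two scripts posted earlier in the thread, as an added example that is not code from the thread or from the Suricata project. It emits one iptables-restore ruleset instead of running iptables a command at a time, so the rules land atomically, and it adds a FORWARD policy of DROP plus a conntrack match on the WAN-to-LAN rule so only flows the router already knows about reach Suricata from outside. Interface names (eth0 WAN, eth1 LAN) and the 192.168.22.0/24 LAN follow the thread; the function names, the fail-open switch, the "apply" argument and the /etc/suricata/suricata.yaml path are assumptions made for illustration. Note that --queue-bypass makes the box fail-open: with it, packets are ACCEPTed whenever nothing is attached to the queue; without it they are dropped.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project: emit the
# iptables-restore ruleset for a NAT router that passes LAN->WAN forwarded traffic
# to NFQUEUE 0 and WAN->LAN traffic to NFQUEUE 1. Interface names and the LAN
# subnet follow the thread; function names, the fail-open switch and the Suricata
# config path are assumptions made for illustration.

# gen_ips_rules WAN LAN [yes|no]
# Third argument: "yes" (default) keeps --queue-bypass, so packets are ACCEPTed
# when nothing is attached to the queue (fail-open); "no" drops them (fail-closed).
gen_ips_rules() {
    wan="$1"
    lan="$2"
    bypass=""
    if [ "${3:-yes}" = "yes" ]; then
        bypass=" --queue-bypass"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SNAT happens in POSTROUTING, after FORWARD, so Suricata still sees the LAN source address
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# One queue per direction: Suricata can attach to both (-q 0 -q 1) or to one at a time
-A FORWARD -i ${lan} -o ${wan} -j NFQUEUE --queue-num 0${bypass}
# Replies are un-NATed by conntrack in PREROUTING before they reach FORWARD;
# only flows the router already knows about are let in from the WAN side
-A FORWARD -i ${wan} -o ${lan} -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE --queue-num 1${bypass}
COMMIT
EOF
}

# nfqueue_rule_count WAN LAN -> number of NFQUEUE jump targets in the generated ruleset
nfqueue_rule_count() {
    gen_ips_rules "$1" "$2" | grep -c -- '-j NFQUEUE'
}

# suricata_cmd QUEUE... -> the command line that attaches Suricata to the given queues;
# pass a single queue number to exercise one direction at a time
suricata_cmd() {
    cmd="suricata -c /etc/suricata/suricata.yaml"
    for q in "$@"; do
        cmd="$cmd -q $q"
    done
    printf '%s\n' "$cmd"
}

# Apply only when explicitly asked (needs root); otherwise just print the ruleset.
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    gen_ips_rules eth0 eth1 | iptables-restore
else
    gen_ips_rules eth0 eth1
fi
```

Run `sh ips-rules.sh apply` as root, then start Suricata with the line `suricata_cmd 0 1` prints. To check one jump target at a time, as Andreas suggests, attach with `-q 0` only (or `-q 1` only), generate traffic in that direction, and watch the packet counters in `iptables -L FORWARD -v -n -x`: the counter on the rule whose queue has no listener still climbs, and with --queue-bypass those packets pass, which is exactly the fail-open behaviour to decide on before going to production.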