[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oisf-users
Subject:    [Oisf-users] NFQ repeat mode and iptables marks
From:       Aleksey <unite () openmailbox ! org>
Date:       2015-08-05 13:36:01
Message-ID: bda3390e329a72b51b1ab8a9d5a8d293 () openmailbox ! org
[Download RAW message or body]

Hi guys!

I have quite a big iptables rulebase and want only certain traffic to 
pass through suricata. My idea is to mark the traffic I need in the 
mangle table and then to forward only specific traffic containing 
certain mark to suricata, which should check it, re-mark with another 
mark and return back to iptables. However, I am a bit confused with 
these marks and can see that at the moment I'm surely mistaken 
somewhere. So, the example mangle rule is:

iptables -t mangle -A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp 
--dport 80 -j MARK --set-mark 2

Then, the rule which should direct traffic to Suri:

iptables -A FORWARD -m mark --mark 2 -j NFQUEUE --queue-num 0

And example rule which should (for example) reject some traffic to this 
host:

iptables -A FORWARD -s 10.10.1.5/32 -d 192.168.1.10/32 -p tcp -m tcp 
--dport 80 -j DROP

My Suricata config for repeat mode is:

nfq:
   mode: repeat
   repeat-mark: 1
   repeat-mask: 1

Any ideas?

Thanks in advance!

-- 
With kind regards,
Aleksey
_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
[prev in list] [next in list] [prev in thread] [next in thread]