Vieri Di Paola
2016-12-09 16:09:08 UTC
Hi,
I'm running Suricata on a shorewall gateway with the following command:
suricata -q 0 -c /etc/suricata/suricata.yaml
The shorewall system provides Internet access to 3 ISPs (to/from) and has 3 zones defined for that: net{1,2,3}.
My goal is to have Suricata or Snort inline analyze ONLY Internet traffic FROM net{1,2,3} to any other zone. I understand that Shorewall must "pass" traffic to the same iptables queue where Suricata or Snort is listening.
I configured the Shorewall rules file as follows:
?SECTION ALL
NFQUEUE(0) net1 all
NFQUEUE(0) net2 all
NFQUEUE(0) net3 all
NFQUEUE(0) all net1
NFQUEUE(0) all net2
NFQUEUE(0) all net3
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
[...Some DROP rules first...]
NFQUEUE(0) net1 all
NFQUEUE(0) net2 all
NFQUEUE(0) net3 all
NFQUEUE(0) all net1
NFQUEUE(0) all net2
NFQUEUE(0) all net3
[...Some ACCEPT rules such as:]
ACCEPT net3 $FW tcp 25
DNAT net2 loc:10.215.144.66 tcp 80,443
My first doubt is if I can leave out "NFQUEUE(0) all net{1,2,3}".
In any case, when I restart shorewall I get several warnings such as:
WARNING: One or more unreachable rules in chain net*-* have been discarded rules
If I search for the discarded rules I find entries such as:
Ping/ACCEPT net3:IP1,IP2 $FW
DNAT net3 loc:10.215.144.66 tcp 80 - - 30/min:35
DNAT net2 loc:10.215.144.66 tcp 80,443 - - 30/min:35
So I'm not sure I understand how NFQUEUE() works.
Let's say a packet comes from net2 and reaches Shorewall. It should go to queue 0 and Suricata should see it (and it seems to be the case right now).
Suricata can then accept or drop the packet according to its own rules. If it drops the packet then I guess shorewall is out of the picture. However, if it accepts it or is only in IDS mode then I suppose it will go down according to the shorewall rules file, right?
So, if an Internet host tried to access port 80 from net2 then its traffic should first go into queue 0, analyzed by Suricata, and if not dropped, finally accepted by the DNAT rule mentioned above in Shorewall, correct?
If so, why are the rules "unreachable" according to Shorewall?
Thanks,
Vieri
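The chain-walk behind that "unreachable rules" warning, as an added illustration that is not part of the post and not Shorewall's own optimizer code: in iptables NFQUEUE is a terminating target, and when Suricata returns NF_ACCEPT the packet is accepted at that hook rather than resumed at the next rule of the same chain, so an NFQUEUE rule with no PROTO/DPORT restriction shadows every rule that follows it in that zone-pair chain (a Shorewall DNAT rule also emits a filter-table ACCEPT, which is the part that lands in a net*-* chain). The script below models only the reachability check on a simplified rules line (ACTION SOURCE DEST [PROTO [DPORT]]); the zone list, the chain naming and the rule lists are constructed from the post.

```python
"""Model of why an unconditional NFQUEUE rule makes the later rules of the
same Shorewall zone-pair chain unreachable.  Added illustration only; this
is not Shorewall's optimizer, just the reachability argument it applies."""
from itertools import product

# Zones mentioned in the post (constructed list; "$FW" is the firewall itself).
ZONES = ["net1", "net2", "net3", "loc", "$FW"]

# Targets that end traversal of a filter chain.  NFQUEUE belongs here: an
# NF_ACCEPT verdict from userspace accepts the packet at this hook and never
# resumes at the following rule.  DNAT is listed because the Shorewall DNAT
# action also emits a filter ACCEPT for the forwarded traffic.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "NFQUEUE", "DNAT"}


def parse_rule(line):
    """Parse a simplified rules line: ACTION SOURCE DEST [PROTO [DPORT ...]]."""
    fields = line.split()
    action = fields[0].split("(")[0]          # NFQUEUE(0) -> NFQUEUE
    src = fields[1].split(":")[0]             # loc:10.215.144.66 -> loc
    dst = fields[2].split(":")[0]
    proto = fields[3] if len(fields) > 3 else "-"
    ports = fields[4] if len(fields) > 4 else "-"
    dports = None if ports == "-" else {int(p) for p in ports.split(",")}
    return {"line": line, "action": action, "src": src, "dst": dst,
            "proto": proto, "dports": dports}


def covers(earlier, later):
    """True when every packet `later` could match is already matched by `earlier`."""
    if earlier["proto"] not in ("-", later["proto"]):
        return False
    if earlier["dports"] is None:             # any port
        return True
    return later["dports"] is not None and later["dports"] <= earlier["dports"]


def in_zone(rule_zone, zone):
    """Shorewall expands "all" into every zone, so "all" matches any zone."""
    return rule_zone in ("all", zone)


def unreachable_rules(rule_lines, zones=ZONES):
    """Return {chain name: [rule lines that can never be reached]}."""
    rules = [parse_rule(line) for line in rule_lines]
    result = {}
    for src, dst in product(zones, zones):
        if src == dst:
            continue
        chain = [r for r in rules if in_zone(r["src"], src) and in_zone(r["dst"], dst)]
        blocked = [
            r["line"] for i, r in enumerate(chain)
            if any(e["action"] in TERMINATING and covers(e, r) for e in chain[:i])
        ]
        if blocked:
            result[f"{src}-{dst}".replace("$FW", "fw")] = blocked
    return result


# The ?SECTION NEW rules quoted in the post (constructed from the post text).
POST_RULES = [
    "NFQUEUE(0) net1 all", "NFQUEUE(0) net2 all", "NFQUEUE(0) net3 all",
    "NFQUEUE(0) all net1", "NFQUEUE(0) all net2", "NFQUEUE(0) all net3",
    "ACCEPT net3 $FW tcp 25",
    "DNAT net2 loc:10.215.144.66 tcp 80,443",
]

# Hypothetical narrowed variant: queue only what the DNAT rule does not cover
# completely, so the DNAT rule stays reachable for port 443.
NARROWED_RULES = [
    "NFQUEUE(0) net2 all tcp 80",
    "DNAT net2 loc:10.215.144.66 tcp 80,443",
]

if __name__ == "__main__":
    for chain, lines in sorted(unreachable_rules(POST_RULES).items()):
        for line in lines:
            print(f"chain {chain}: unreachable: {line}")
    print("narrowed variant:", unreachable_rules(NARROWED_RULES) or "nothing unreachable")
```

Run against the post's rules the model reports the same chains Shorewall complains about (net3-fw loses the ACCEPT for tcp 25, net2-loc loses the DNAT), and it also flags the "NFQUEUE(0) all netN" lines inside the net*-net* chains, where an earlier "NFQUEUE(0) netN all" already queued everything. The narrowed variant shows the boundary of the check: a queue rule that matches only part of a later rule's traffic does not make that rule unreachable.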