From: Victor J. <vi...@nk...> - 2004-06-28 20:13:06

Hi all,

I have a question about setting up iptables so I can send selected traffic to snort_inline. I'm writing a soon-to-be-released (GPL) frontend to iptables. I'm adapting it now to support the QUEUE target for snort_inline. I want to give users the possibility to, for example, send only http traffic to snort_inline and let iptables handle the other traffic.

So normally my rules are like this (simplified):

    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

So a connection is accepted by the second rule and after that handled by the first. Still with me?

Well, now the problem. When I want to send packets to the QUEUE target, the above setup does not work. Because I don't want all traffic to go to snort, I can't change the target of the ESTABLISHED,RELATED rule to QUEUE.

I found a solution which works, but not entirely as I want. The following example will send http to snort; pop3 will be handled by iptables itself:

    iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j QUEUE
    iptables -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Well, this works... but not for ftp. Iptables has, as you know, a special helper module for ftp. I don't know how I can make ftp play well in this setup. Because the ftp connection opens other ports, I can't use the mark stuff like this.

So... any ideas, suggestions?

Regards,
Victor
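The rule set below is an added example for the setup described in the post above; it is not Victor's code nor part of snort_inline. It keeps the MARK/QUEUE layout from the post and handles the ftp case by matching on the conntrack helper instead of on ports: the data connections the ftp helper expects carry no predictable port, but their conntrack entries record which helper created them. The script prints the iptables commands instead of running them, so a frontend can show them for review and they can be checked without root. Assumptions not in the original post: the `helper` match (`-m helper --helper ftp`) is available and matches every packet of a data connection set up by the ftp helper (active or passive mode), and the ip_conntrack_ftp module is loaded.

```shell
#!/bin/sh
# Added example (not from the original post): build an OUTPUT-chain rule set
# that sends only chosen TCP services to snort_inline's QUEUE target, including
# the ftp data connections that the ip_conntrack_ftp helper tracks.
# Rules are printed, not executed; apply with:  gen_queue_rules "80 21" "110" | sh
#
# Assumptions: "-m helper --helper ftp" is available and matches every packet
# of a data connection expected by the ftp helper; ip_conntrack_ftp is loaded.

MARK=0x1   # mark meaning "this connection is inspected by snort_inline"

# gen_queue_rules "<TCP ports to inspect>" "<TCP ports to allow uninspected>"
gen_queue_rules() {
    inspect=$1
    allow=$2

    # 1. Tag every outgoing packet of an inspected service with the mark.
    #    Outbound packets of a client connection always carry the server port
    #    as destination, so plain MARK is enough for the OUTPUT chain.
    for p in $inspect; do
        echo "iptables -t mangle -A OUTPUT -p tcp --dport $p -j MARK --set-mark $MARK"
    done

    # 2. ftp data connections use ports the mark rules never see, but their
    #    conntrack entry names the helper that created them; match on that.
    #    This rule comes first so the RELATED first packet of a data
    #    connection is queued as well.
    for p in $inspect; do
        if [ "$p" = 21 ]; then
            echo "iptables -A OUTPUT -m helper --helper ftp -j QUEUE"
        fi
    done

    # 3. Marked established/related traffic goes to snort_inline; all other
    #    established/related traffic is accepted by iptables as before.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m mark --mark $MARK -j QUEUE"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 4. New connections: inspected services to QUEUE, the others accepted.
    for p in $inspect; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m state --state NEW -j QUEUE"
    done
    for p in $allow; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Example from the post: inspect http and ftp, let pop3 through untouched.
gen_queue_rules "80 21" "110"
```

Rule order matters: the helper rule and the marked ESTABLISHED,RELATED rule must precede the unconditional ESTABLISHED,RELATED ACCEPT, otherwise inspected traffic is accepted before it reaches QUEUE. If snort_inline is ever stopped, packets sent to QUEUE with no listener are dropped, so a frontend should make that failure mode visible.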