From: Victor J. <vi...@nk...> - 2004-07-01 17:53:43
Hi list,

I found the answer to my question (with the kind help of Antony Stone of the Netfilter list). I'd like to share it with you so others can use it as well. I've written it in the snort_inline FAQ format, so if you think it's useful please include it in your FAQ!

Regards,

Victor

Question: I want to handle only selected traffic with snort_inline.

Answer: You can use the MARK target in iptables for this. Say you want only smtp traffic to be handled by snort_inline, but not pop3.

1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT

Pop3 traffic is now first accepted in rule 5, and after that handled by rule 3. The smtp traffic is now first QUEUE'd by rule 4, after that marked in rule 1 so it can be picked up by the 2nd rule.

Question: I can now handle selected traffic, but I'm having trouble with protocols which use protocol handlers in iptables, like ftp.

Answer: For this you need the 'helper' module. Say you want only ftp traffic to be handled by snort_inline, but not http.

1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT

The difference here is the second rule, which makes sure that the connections that are handled by the ftp conntrack helper are also sent to the queue.
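The script below is an added example, not Victor's rules and not part of the snort_inline FAQ. It generalises the two answers above into one function that takes any list of TCP ports, each with an optional conntrack helper (25, 21:ftp, ...), and emits the mangle and filter FORWARD rules in the same order as the posted rule sets. The one deliberate difference from the posted rules is that the MARK is set on both directions of the service (--dport and --sport): a packet mark is per packet, not per connection, so a rule matching only --dport 25 marks the client's packets but not the server's replies, and those replies would otherwise match the plain ESTABLISHED,RELATED -j ACCEPT rule and bypass snort_inline. Assumed, and not from the post: the iptables binary name in $IPT, the "apply" argument convention, and a final ACCEPT for every NEW connection that is not inspected (the post lists pop3 and http explicitly instead).

```shell
#!/bin/sh
# snort_queue.sh -- added example (not from the post or the snort_inline FAQ).
# Emits or applies the FORWARD rules that pass only selected TCP services,
# plus the connections their conntrack helper expects, to snort_inline via
# QUEUE.  Order matches the posted rules: mangle MARK first, then marked
# ESTABLISHED/RELATED -> QUEUE, other ESTABLISHED/RELATED -> ACCEPT,
# NEW to an inspected port -> QUEUE, remaining NEW -> ACCEPT (assumption).
#
# Usage:  sh snort_queue.sh apply 25 21:ftp                     (needs root)
#         IPT="echo iptables" sh snort_queue.sh apply 25 21:ftp  (dry run)

IPT="${IPT:-iptables}"   # assumed name/path of the iptables binary
MARK="${MARK:-0x1}"      # mark value used in the post

# mark_service PORT [HELPER]
# Mangle-table rules that mark every packet of tcp/PORT in BOTH directions
# (the post marks --dport only, which leaves the server's replies unmarked),
# plus every packet of a connection set up by conntrack helper HELPER.
mark_service() {
    _port=$1
    _helper=$2
    $IPT -t mangle -A FORWARD -p tcp --dport "$_port" -j MARK --set-mark "$MARK"
    $IPT -t mangle -A FORWARD -p tcp --sport "$_port" -j MARK --set-mark "$MARK"
    if [ -n "$_helper" ]; then
        $IPT -t mangle -A FORWARD -m helper --helper "$_helper" -j MARK --set-mark "$MARK"
    fi
}

# build_ruleset SPEC...   (SPEC is PORT or PORT:HELPER, e.g. 25 or 21:ftp)
build_ruleset() {
    # 1. marks; the mangle FORWARD chain is traversed before filter FORWARD
    for _spec in "$@"; do
        case $_spec in
            *:*) mark_service "${_spec%%:*}" "${_spec#*:}" ;;
            *)   mark_service "$_spec" "" ;;
        esac
    done
    # 2. packets of inspected connections go to snort_inline, all others pass
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark "$MARK" -j QUEUE
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. new connections to an inspected port are queued, the rest accepted
    for _spec in "$@"; do
        $IPT -A FORWARD -p tcp --dport "${_spec%%:*}" -m state --state NEW -j QUEUE
    done
    $IPT -A FORWARD -m state --state NEW -j ACCEPT   # assumed default for uninspected services
}

# Only touch the firewall when explicitly asked; sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    shift
    build_ruleset "$@"
fi
```

Run it with IPT="echo iptables" first and read the generated lines; the --sport rule is the one to look for, since without it only half of each inspected connection reaches snort_inline. On kernels that provide the CONNMARK target, the two per-direction MARK rules can be replaced by marking the connection once (-j CONNMARK --set-mark 0x1 on the --dport rule) and restoring it onto every packet (-j CONNMARK --restore-mark), which also covers helper-created connections that inherit the master's mark; that variant is not shown here.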