From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-01 19:14:54
Hi Victor, and what is the difference with this?:

1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT

Regards,
Geffrey Velásquez
Cel.: 9722-2705

---------- Original Message -----------
From: Victor Julien <vi...@nk...>
To: sno...@li...
Sent: Thu, 1 Jul 2004 19:53:28 +0200
Subject: [Snort-inline-users] using snort_inline for selected traffic only (was: help with setting up iptables for use with snort_inline)

> Hi list,
>
> I found the answer to my question (with the kind help of Antony
> Stone of the Netfilter list). I'd like to share it with you so others
> can use it as well. I've written it in the snort_inline FAQ format,
> so if you think it's useful please include it in your FAQ!
>
> Regards,
> Victor
>
> Question: I want to handle only selected traffic with snort_inline
>
> Answer: You can use the MARK target in iptables for this. Say you want
> only smtp traffic to be handled by snort_inline, but not pop3.
>
> 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
>
> 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
>
> Pop3 traffic is now first accepted in rule 5, and after that handled
> by rule 3.
>
> The smtp traffic is now first QUEUE'd by rule 4, after that marked
> in rule 1 so it can be picked up by the 2nd rule.
>
> Question: I can now handle selected traffic, but I'm having trouble
> with protocols which use protocol handlers in iptables, like ftp.
>
> Answer: for this you need the 'helper' module. Say you want only ftp
> traffic to be handled by snort_inline, but not http.
>
> 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
>
> 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
>
> The difference here is the second rule which makes sure that the
> connections that are handled by the ftp conntrack helper are also
> sent to the queue.
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
------- End of Original Message -------
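The following is an added example and not part of the thread or of the snort_inline project: a small per-packet model of the rulesets quoted above (Geffrey's four SMTP rules, Victor's MARK-based SMTP rules, Victor's FTP rules with the helper match, and a constructed port-only FTP variant that follows Geffrey's pattern on port 21) that walks constructed sample packets through the chains and reports which ones reach QUEUE, i.e. are handed to snort_inline, and which are ACCEPTed uninspected. The model makes simplifying assumptions of my own: the conntrack state of each packet is given directly, MARK is per packet (plain MARK, no CONNMARK) and the mangle FORWARD chain runs before filter FORWARD for the same packet, `-m helper --helper ftp` matches packets of a connection that the ftp helper expected (the data connection), and the chain policy is ACCEPT. Packet names, port numbers and the port-only variant are all constructed.

```python
# Added example, not from the original thread. Simplified per-packet model of
# iptables FORWARD-chain evaluation, to compare which packets end in QUEUE.
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    name: str                       # constructed label for the sample packet
    sport: int
    dport: int
    state: str                      # NEW, ESTABLISHED or RELATED (assumed given)
    helper: Optional[str] = None    # helper that expected this connection, if any
    mark: int = 0                   # per-packet nfmark (plain MARK, no CONNMARK)


@dataclass
class Rule:
    target: str                     # QUEUE, ACCEPT or MARK
    dport: Optional[int] = None     # -p tcp --dport N
    states: Optional[Set[str]] = None   # -m state --state ...
    mark: Optional[int] = None      # -m mark --mark N
    helper: Optional[str] = None    # -m helper --helper NAME
    set_mark: int = 0               # --set-mark N (only for MARK)

    def matches(self, p: Packet) -> bool:
        return ((self.dport is None or p.dport == self.dport)
                and (self.states is None or p.state in self.states)
                and (self.mark is None or p.mark == self.mark)
                and (self.helper is None or p.helper == self.helper))


ER = {"ESTABLISHED", "RELATED"}
NEW = {"NEW"}
Ruleset = Tuple[List[Rule], List[Rule]]   # (mangle FORWARD, filter FORWARD)


def walk(chain: List[Rule], p: Packet) -> str:
    """First matching terminating rule decides; MARK sets the mark and continues."""
    for r in chain:
        if r.matches(p):
            if r.target == "MARK":
                p.mark = r.set_mark
            else:
                return r.target
    return "ACCEPT"  # assumed chain policy


def verdict(mangle: List[Rule], filt: List[Rule], p: Packet) -> str:
    p = replace(p)          # fresh copy so marks never leak between rulesets
    walk(mangle, p)         # mangle FORWARD runs first for this packet
    return walk(filt, p)


# Geffrey's four rules (no mangle table)
GEFFREY_SMTP: Ruleset = ([], [
    Rule("QUEUE", dport=25, states=ER),
    Rule("ACCEPT", states=ER),
    Rule("QUEUE", dport=25, states=NEW),
    Rule("ACCEPT", dport=110, states=NEW),
])
# Victor's first answer: mark in mangle, match the mark in filter
VICTOR_SMTP: Ruleset = ([Rule("MARK", dport=25, set_mark=0x1)], [
    Rule("QUEUE", states=ER, mark=0x1),
    Rule("ACCEPT", states=ER),
    Rule("QUEUE", dport=25, states=NEW),
    Rule("ACCEPT", dport=110, states=NEW),
])
# Victor's second answer, with the ftp helper match in mangle
VICTOR_FTP: Ruleset = ([Rule("MARK", dport=21, set_mark=0x1),
                        Rule("MARK", helper="ftp", set_mark=0x1)], [
    Rule("QUEUE", states=ER, mark=0x1),
    Rule("ACCEPT", states=ER),
    Rule("QUEUE", dport=21, states=NEW),
    Rule("ACCEPT", dport=80, states=NEW),
])
# Constructed port-only variant (Geffrey's pattern on port 21), for comparison only
PORTONLY_FTP: Ruleset = ([], [
    Rule("QUEUE", dport=21, states=ER),
    Rule("ACCEPT", states=ER),
    Rule("QUEUE", dport=21, states=NEW),
    Rule("ACCEPT", dport=80, states=NEW),
])

# Constructed sample packets
SMTP_PACKETS = [
    Packet("smtp client->server, first packet", 40001, 25, "NEW"),
    Packet("smtp client->server, later packet", 40001, 25, "ESTABLISHED"),
    Packet("smtp server->client reply", 25, 40001, "ESTABLISHED"),
    Packet("pop3 client->server, first packet", 40002, 110, "NEW"),
    Packet("pop3 server->client reply", 110, 40002, "ESTABLISHED"),
]
FTP_PACKETS = [
    Packet("ftp control client->server", 40003, 21, "ESTABLISHED"),
    Packet("ftp control server->client", 21, 40003, "ESTABLISHED"),
    Packet("active ftp data server->client, first packet", 20, 40004, "RELATED", helper="ftp"),
    Packet("active ftp data client->server", 40004, 20, "ESTABLISHED", helper="ftp"),
    Packet("http client->server", 40005, 80, "NEW"),
]


def verdicts(ruleset: Ruleset, packets: List[Packet]) -> dict:
    """Map each sample packet's name to its final FORWARD verdict."""
    mangle, filt = ruleset
    return {p.name: verdict(mangle, filt, p) for p in packets}


if __name__ == "__main__":
    for label, rs, pk in (("Geffrey smtp", GEFFREY_SMTP, SMTP_PACKETS),
                          ("Victor smtp", VICTOR_SMTP, SMTP_PACKETS),
                          ("port-only ftp", PORTONLY_FTP, FTP_PACKETS),
                          ("Victor ftp", VICTOR_FTP, FTP_PACKETS)):
        print(label)
        for name, v in verdicts(rs, pk).items():
            print(f"  {v:6} {name}")
```

Under this model the two SMTP rulesets give identical verdicts for every sample packet, which is what Geffrey's question is probing. For FTP the helper rule is what changes the outcome: the data-connection packets (port 20 or an ephemeral port, expected by the ftp helper) are QUEUEd under Victor's rules and ACCEPTed under the port-only variant. The walk also makes visible that, because `--dport` matches only the destination port of the packet in hand, server-to-client packets of the smtp and ftp control connections fall through to the ESTABLISHED,RELATED ACCEPT rule in every variant shown; a practitioner who needs snort_inline to see both directions of those streams should check this behaviour on their own kernel before relying on the rules as quoted.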