From: Victor J. <vi...@nk...> - 2004-07-01 19:33:34

Good question. Not much I think. :-)

The reason I do it like this is that the iptables frontend I'm writing creates the ESTABLISHED,RELATED first, and then, based on a rulesfile, the specific individual rules. So then I have only two RELATED,ESTABLISHED rules per chain (on top, of course) for optimal performance. The frontend then dynamically creates mangle, nat and filter rules.

The way you do it I would have to create an ESTABLISHED,RELATED for every service/rule I want to QUEUE. But for this example you are absolutely right!

Regards,
Victor

Updated example:

Question: I want to handle only selected traffic with snort_inline

Answer: Say you want only smtp traffic to be handled by snort_inline, but not pop3.

# the ESTABLISHED,RELATED for smtp
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE

# the ESTABLISHED,RELATED for the rest
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# the initial rules
iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT

Question: I can now handle selected traffic, but I'm having trouble with protocols which use protocol handlers in iptables, like ftp.

Answer: For this you need the 'helper' module. Say you want only ftp traffic to be handled by snort_inline, but not http.

# the ESTABLISHED,RELATED for the helper ftp
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m helper --helper "ftp" -j QUEUE

# the ESTABLISHED,RELATED for ftp connection on port 21
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 21 -j QUEUE

# the ESTABLISHED,RELATED for the rest
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT

The difference here is the helper module, which makes sure that the connections that are handled by the ftp conntrack helper are also sent to the queue.

On Thursday 01 July 2004 21:14, Geffrey Velasquez [MINAG] wrote:
> Hi Victor, and what is the difference with this?:
>
> 1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> 4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
>
> Regards,
> Geffrey Velásquez
> Cel.: 9722-2705
>
> ---------- Original Message -----------
> From: Victor Julien <vi...@nk...>
> To: sno...@li...
> Sent: Thu, 1 Jul 2004 19:53:28 +0200
> Subject: [Snort-inline-users] using snort_inline for selected traffic only (was: help with setting up iptables for use with snort_inline)
>
> > Hi list,
> >
> > I found the answer to my question (with the kind help of Antony Stone of the Netfilter list). I'd like to share it with you so others can use it as well. I've written it in the snort_inline FAQ format, so if you think it's useful please include it in your FAQ!
> >
> > Regards,
> > Victor
> >
> > Question: I want to handle only selected traffic with snort_inline
> >
> > Answer: You can use the MARK target in iptables for this. Say you want only smtp traffic to be handled by snort_inline, but not pop3.
> >
> > 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
> >
> > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> >
> > Pop3 traffic is now first accepted in rule 5, and after that handled by rule 3.
> >
> > The smtp traffic is now first QUEUE'd by rule 4, after that marked in rule 1 so it can be picked up by the 2nd rule.
> >
> > Question: I can now handle selected traffic, but I'm having trouble with protocols which use protocol handlers in iptables, like ftp.
> >
> > Answer: For this you need the 'helper' module. Say you want only ftp traffic to be handled by snort_inline, but not http.
> >
> > 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> > 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
> >
> > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> >
> > The difference here is the second rule, which makes sure that the connections that are handled by the ftp conntrack helper are also sent to the queue.
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> ------- End of Original Message -------
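The pattern Victor describes (the ESTABLISHED,RELATED rules for queued services on top, then the catch-all ACCEPT, then the NEW rules per service) is easy to get wrong by hand once more than two services are involved, because a helper rule or a port rule placed below the catch-all silently stops reaching snort_inline. The script below is an added example, not the frontend Victor mentions and not part of the thread; it reads a small rulesfile in a format constructed for this example (`<tcp-port> <queue|accept> [conntrack-helper]`) and generates the FORWARD rules in the correct order. It only prints the iptables commands, so it can be reviewed (or diffed against the live ruleset) before being piped to sh on the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a FORWARD ruleset that
# sends only selected TCP services to snort_inline via QUEUE and ACCEPTs the
# rest, using the ordering from Victor's reply:
#   1. ESTABLISHED,RELATED -> QUEUE for every queued service (helper rule first)
#   2. ESTABLISHED,RELATED -> ACCEPT catch-all for everything else
#   3. NEW -> QUEUE / ACCEPT per service
#
# Rulesfile format (constructed for this example), one service per line:
#   <tcp-port> <queue|accept> [conntrack-helper]
# Lines starting with '#' and blank lines are ignored.

# gen_rules RULESFILE
# Prints the iptables commands to stdout; nothing is executed here.
# Returns 1 on an unknown action so a typo cannot produce a half-built ruleset.
gen_rules() {
    rulesfile=$1

    # Pass 1: the ESTABLISHED,RELATED rules for queued services. These must
    # come before the catch-all ACCEPT or the rest of the session bypasses snort_inline.
    while read -r port action helper; do
        case "$port" in ''|'#'*) continue ;; esac
        [ "$action" = queue ] || continue
        if [ -n "$helper" ]; then
            # connections tracked by the conntrack helper (e.g. ftp data) go to QUEUE too
            printf '%s\n' "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m helper --helper \"$helper\" -j QUEUE"
        fi
        printf '%s\n' "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport $port -j QUEUE"
    done < "$rulesfile"

    # Catch-all: every other packet belonging to a known connection is accepted.
    printf '%s\n' "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Pass 2: the NEW rules, one per service, in rulesfile order.
    while read -r port action helper; do
        case "$port" in ''|'#'*) continue ;; esac
        case "$action" in
            queue)  printf '%s\n' "iptables -A FORWARD -p tcp --dport $port -m state --state NEW -j QUEUE" ;;
            accept) printf '%s\n' "iptables -A FORWARD -p tcp --dport $port -m state --state NEW -j ACCEPT" ;;
            *) printf 'gen_rules: unknown action "%s" for port %s\n' "$action" "$port" >&2; return 1 ;;
        esac
    done < "$rulesfile"
}

# Demo on a constructed rulesfile: smtp and ftp go to snort_inline, pop3 and http are accepted.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# port action helper
25 queue
21 queue ftp
110 accept
80 accept
EOF
gen_rules "$demo_file"
rm -f "$demo_file"
```

Because the output is plain text, the generated ruleset can be checked with `grep -n ACCEPT` to confirm that the catch-all is the only ESTABLISHED,RELATED ACCEPT and that every QUEUE line for established traffic sits above it. Note that `-m state` and the QUEUE target are the 2004-era interfaces used in the thread; current kernels ship the equivalent `-m conntrack --ctstate` match and NFQUEUE target, so the printed commands would need that substitution on a modern box.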