From: Rob M. <ro...@ho...> - 2004-07-01 22:31:54
Great! I'll add it to the FAQ.

Rob

On Thu, 1 Jul 2004, Victor Julien wrote:

> Date: Thu, 1 Jul 2004 19:53:28 +0200
> From: Victor Julien <vi...@nk...>
> To: sno...@li...
> Subject: [Snort-inline-users] using snort_inline for selected traffic
> only (was: help with setting up iptables for use with snort_inline)
>
> Hi list,
>
> I found the answer to my question (with the kind help of Antony Stone of the
> Netfilter list). I'd like to share it with you so others can use it as well.
> I've written it in the snort_inline FAQ format, so if you think it's useful
> please include it in your FAQ!
>
> Regards,
> Victor
>
> Question: I want to handle only selected traffic with snort_inline.
>
> Answer: You can use the MARK target in iptables for this. Say you want only smtp
> traffic to be handled by snort_inline, but not pop3.
>
> 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
>
> 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
>
> Pop3 traffic is now first accepted in rule 5, and after that handled by rule 3.
>
> The smtp traffic is now first QUEUE'd by rule 4, after that marked in rule 1
> so it can be picked up by the 2nd rule.
>
>
> Question: I can now handle selected traffic, but I'm having trouble with
> protocols which use protocol handlers in iptables, like ftp.
>
> Answer: For this you need the 'helper' module. Say you want only ftp traffic
> to be handled by snort_inline, but not http.
>
> 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
>
> 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
>
> The difference here is the second rule, which makes sure that the connections
> that are handled by the ftp conntrack helper are also sent to the queue.
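The MARK/QUEUE pattern from the two FAQ answers above, generalised into a small shell script that builds the rule set for any list of inspected and bypassed TCP services. This is an added example, not code from the original post or the snort_inline FAQ; the function names and the IPT dry-run variable are assumptions of this example, and the generated iptables commands are printed for review unless IPT=iptables is set.

```shell
#!/bin/sh
# Build the iptables rules that hand only selected TCP services to snort_inline
# via QUEUE, following the MARK/QUEUE layout of the FAQ entry above.
# Default is a dry run: commands are printed. Set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
MARK=0x1

# established_rules: the two ESTABLISHED,RELATED rules must be appended before
# any per-service NEW rule, exactly as the FAQ numbers them. Marked connections
# keep going to snort_inline; everything else established is accepted.
established_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark "$MARK" -j QUEUE
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# queue_service PORT [HELPER]
#   PORT   : TCP destination port whose NEW connections go to snort_inline
#   HELPER : optional conntrack helper (e.g. ftp) whose related connections
#            must carry the same mark, as in the FAQ's second answer
queue_service() {
    port=$1
    helper=$2
    # mangle is traversed before filter, so the mark is visible to the QUEUE rule
    $IPT -t mangle -A FORWARD -p tcp --dport "$port" -j MARK --set-mark "$MARK"
    if [ -n "$helper" ]; then
        $IPT -t mangle -A FORWARD -m helper --helper "$helper" -j MARK --set-mark "$MARK"
    fi
    $IPT -A FORWARD -p tcp --dport "$port" -m state --state NEW -j QUEUE
}

# accept_service PORT: NEW connections to PORT bypass snort_inline entirely
accept_service() {
    $IPT -A FORWARD -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# build_ruleset: smtp and ftp (with its helper) are inspected, pop3 and http are not
build_ruleset() {
    established_rules
    queue_service 25
    queue_service 21 ftp
    accept_service 110
    accept_service 80
}

build_ruleset
```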