From: Peter K. L. <sa...@co...> - 2004-08-02 21:07:20
I want to find out whether I'm doing something wrong, or it's just broken... Here's the setup: kernel 2.6.7, iptables 1.2.11, snort_inline 2.1.3b NOT running in bridge mode. The box is a NAT router/firewall.

The system has been verified to be functional via the following test:

  iptables -t filter -A INPUT -i eth0 -p tcp --dport 1234 -j QUEUE

on the box: 'nc -l -p 1234'
snort_inline running with 1 snort signature set to 'alert' on an incoming connection to port 1234.
from external box: 'telnet xxx.xxx.xxx.xxx 1234'

I'm able to communicate with the 'nc server' process on the box and have it go through iptables, snort_inline, etc. with all the proper logging details.

HOWEVER, let's say that I change the iptables rule to be this:

  iptables -t filter -A INPUT -i eth0 -j QUEUE

where I want ALL input requests to go to snort_inline. If 'external box' makes an incoming request, it works fine (as shown above), but when I'm on the box itself and I make an outbound connection (let's say to google), then:

TO PATH looks okay. Google gets the packet and sends a response.

RETURN PATH is NOT okay. Google -> my box -> iptables -> INPUT -> QUEUE -> snort_inline -> ???

iptables sees it, snort_inline sees it, and then the requesting application never receives the packet. It gets lost somewhere between snort_inline and the application. It's completely bizarre.

It also happens when I put snort_inline in the FORWARD CHAIN, like this:

  iptables -t filter -A FORWARD -i eth1 -o eth0 -j QUEUE

iptables sees it, snort_inline sees it, and then the packet disappears.

Am I doing something wrong? Where does the packet go after snort_inline takes a look at the data from the QUEUE???

Thanks,
-Peter