From: <tha...@gb...> - 2005-01-19 09:48:22
I set iptables like this:

#
# Start IPTables Queue :
#
echo "Start IPTables Queue Mode ..."
/sbin/modprobe ip_queue
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A INPUT -j QUEUE
/sbin/iptables -A OUTPUT -j QUEUE
#/sbin/iptables -A FORWARD -j QUEUE
/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE

Do I have to enable

/sbin/iptables -A FORWARD -j QUEUE

because Will told me like this, from
https://sourceforge.net/mailarchive/message.php?msg_id=10422612

-- snip --
iptables rules......

iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
iptables -I FORWARD -m mark --mark 1 -j QUEUE
iptables -I FORWARD -m mark --mark 2 -j QUEUE

tell stream4 about state tracking via snort.conf
iptablesnewmark defaults to 1, iptablesestmark defaults to 2...........

preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate

Regards,

Will
-- snip --

Are there any other related files?
Sorry for my English.

Regards,
Thanasin

>> My snort_inline box is working by capturing all anomalous traffic, e.g.
>> virus, exploit ... etc.
>>
>> But when I tried to download a virus from outside, it only alerts but does not
>> block that virus. So where should I check or have a look in order to let
>> my snort_inline box block all virus traffic?
>>
>> Regards,
>> Thanasin
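
Added example, not part of the original message or of snort_inline: a small Python model of how the posted filter-table rules are traversed (first match wins, -A appends, -I inserts at the head), to show which packets reach the QUEUE target. The function names and the "POLICY" return value are assumptions made for illustration; the posted script does not set chain policies, so the model does not guess them.

```python
import shlex

# Filter-table commands from the message above, as posted
# (the commented-out "-A FORWARD -j QUEUE" line is left out).
POSTED = """\
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A INPUT -j QUEUE
/sbin/iptables -A OUTPUT -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
"""

def build_chains(script):
    """Replay -A (append) and -I (insert at head) into per-chain rule lists."""
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in script.splitlines():
        args = shlex.split(line)[1:]          # drop the iptables binary
        op, chain = args[0], args[1]
        opts = dict(zip(args[2::2], args[3::2]))  # every option here takes one value
        rule = {"in": opts.get("-i"), "out": opts.get("-o"),
                "mark": opts.get("--mark"), "target": opts["-j"]}
        if op == "-I":
            chains[chain].insert(0, rule)
        else:
            chains[chain].append(rule)
    return chains

def mangle_mark(proto, state, syn=False):
    """Mark left by the two mangle FORWARD rules; None means unmarked."""
    if proto != "tcp":
        return None
    if state in ("RELATED", "ESTABLISHED"):
        return "2"
    return "1" if syn and state == "NEW" else None

def verdict(chains, chain, in_if=None, out_if=None, mark=None):
    """First matching rule decides; ACCEPT and QUEUE both end traversal."""
    for r in chains[chain]:
        pkt = (("in", in_if), ("out", out_if), ("mark", mark))
        if any(r[k] not in (None, v) for k, v in pkt):
            continue
        return r["target"]
    return "POLICY"  # no rule matched: the chain policy decides
```

In this model, packets entering INPUT on lo, eth0 or eth1 are accepted before the INPUT QUEUE rule is reached, and only marked TCP packets are queued in FORWARD; appending the commented-out `-A FORWARD -j QUEUE` rule would also queue the unmarked ones.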