From: <tha...@gb...> - 2005-02-02 04:18:05
OK. I'm so clear now. Thank you very much.

Regards,
Thanasin

> This all depends, Victor was correct and so was I ;-). In snort-2.2.0 we
> implemented state tracking via iptables marks to track state. In which
> case your state tracking is a combination of snort and iptables. It is
> cleaner than it sounds. With 2.3.0 Victor and I worked with Dan from
> Sourcefire to implement a workaround in the stream4 preproc. So in 2.3.0
> you can use stream4 and if your sessions time out we now allow picking up
> midstream sessions and we alert and drop on them. So in
> snort_inline-2.2.0a you need to use ip_conntrack if you want to use stream4
> and not have your sessions time out. If you are using snort-2.3.0 or the soon
> to be released snort_inline-2.3.0 you can send all traffic to snort and
> stream4 will handle your connection tracking. Clear as mud?
>
> Regards,
>
> Will
>
> thanasin@gbtech.co.th wrote on 02/01/2005 12:04 AM to snort-inline-users
> (sno...@li...urceforge.net), subject "[Snort-inline-users] Some Confuse
> about iptables":
>
> > I've read in the archives about using iptables with snort-inline and I
> > have some questions to ask.
> >
> > -- snip --
> >
> > #
> > # Start IPTables Queue :
> > #
> >
> > echo "Start IPTables Queue Mode ..."
> > /sbin/modprobe ip_queue
> > /sbin/iptables -F
> > # accept everything on the local interfaces; only other traffic falls
> > # through to the QUEUE rules below
> > /sbin/iptables -A INPUT -i lo -j ACCEPT
> > /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> > /sbin/iptables -A INPUT -i eth0 -j ACCEPT
> > /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
> > /sbin/iptables -A INPUT -i eth1 -j ACCEPT
> > /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
> > /sbin/iptables -A INPUT -j QUEUE
> > /sbin/iptables -A OUTPUT -j QUEUE
> > /sbin/iptables -A FORWARD -j QUEUE
> > # mark packets by conntrack state in the mangle table, which is traversed
> > # before the filter table, so the FORWARD rules below can match the mark
> > /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> > /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> > # inserted at the top of FORWARD, ahead of the catch-all QUEUE above
> > /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
> > /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
> >
> > -- snip --
> >
> > This is my setting.
> >
> > First, Victor said on
> > https://sourceforge.net/mailarchive/forum.php?thread_id=6461942&forum_id=32933
> > that
> >
> > "You can just use:
> >
> > iptables -A FORWARD -j QUEUE
> >
> > This way you send all forwarded traffic to snort_inline, and you won't
> > need ip_conntrack."
> >
> > Do I have to choose between using ip_conntrack or -j QUEUE?
> >
> > Or is setting iptables like I have now OK?
> >
> > Because I had a problem when using only "iptables -A FORWARD -j QUEUE": it
> > made my connection sessions too short when I connected out to the internet
> > (ssh, irc), and Will told me to use ip_conntrack. I've set it up as Will
> > told me, like this:
> >
> > /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> > /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> > /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
> > /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
> >
> > and it totally solved my problem.
> >
> > Regards,
> > Thanasin
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
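The two FORWARD-chain layouts the thread compares, as an added example that is not code from the thread or from the snort_inline project: Victor's plain "-A FORWARD -j QUEUE" beside Will's conntrack-mark layout. The marks are set in mangle/FORWARD, which the kernel traverses before filter/FORWARD, so the filter rules can match on them; the "-m state" match pulls in ip_conntrack, so no separate modprobe is needed. The posted mark rules only cover TCP, so the example keeps a trailing catch-all QUEUE (as the posted script also does) so UDP, ICMP and INVALID packets still reach snort_inline. The IPTABLES variable, the dry_run and marks_consistent helpers, and the "dry-run"/"apply" arguments are assumptions for this example, not snort_inline conventions; run with IPTABLES=echo or the dry-run argument to see the rules without root.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD-chain layouts for snort_inline,
# written as functions so the rule set can be dry-run with IPTABLES=echo.
# IPTABLES, dry_run, marks_consistent and the mark values are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Layout 1 (Victor): queue every forwarded packet; no dependence on ip_conntrack.
queue_forward_all() {
    "$IPTABLES" -F FORWARD
    "$IPTABLES" -A FORWARD -j QUEUE
}

# Layout 2 (Will): let ip_conntrack classify each packet first, record the state
# as an nfmark in mangle/FORWARD (traversed before filter/FORWARD), then queue.
# "-m state" loads ip_conntrack, so no separate modprobe is needed.
queue_forward_by_state() {
    "$IPTABLES" -t mangle -F FORWARD
    "$IPTABLES" -F FORWARD
    # mark 1 = new TCP connection (SYN only), mark 2 = packet of a tracked session
    "$IPTABLES" -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
    "$IPTABLES" -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
    "$IPTABLES" -A FORWARD -m mark --mark 1 -j QUEUE
    "$IPTABLES" -A FORWARD -m mark --mark 2 -j QUEUE
    # The mark rules only cover TCP; keep a catch-all so UDP/ICMP and INVALID
    # packets still reach snort_inline instead of the chain policy.
    "$IPTABLES" -A FORWARD -j QUEUE
}

# Dry run: print the iptables arguments a layout would issue, one rule per line.
dry_run() {
    ( IPTABLES=echo; "$@" )
}

# Sanity check on a layout: every mark matched in filter/FORWARD must be set by
# some mangle/FORWARD rule, otherwise that QUEUE rule can never fire.
marks_consistent() {
    listing=$(dry_run "$1")
    for m in $(printf '%s\n' "$listing" | sed -n 's/.*-m mark --mark \([0-9]*\).*/\1/p'); do
        printf '%s\n' "$listing" | grep -q -- "-t mangle .*--set-mark $m\$" || return 1
    done
    return 0
}

case "${1:-}" in
    dry-run) dry_run queue_forward_by_state ;;
    apply)   marks_consistent queue_forward_by_state && queue_forward_by_state ;;
esac
```

The apply branch refuses to load the rules if a filter rule references a mark nothing sets; that is the kind of mistake that silently leaves a QUEUE rule dead and traffic flowing past snort_inline.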