From: Norwich U. - I. S. <in...@no...> - 2005-05-12 20:25:42
Hi,

I'm setting up/testing snort inline like so...

    PC ---x----(snort_inline)--------network

(yes, that's a x-over cable)

Bridging seems to work. Output from 'snort -Qvc <configuration file>' shows headers, so iptables should be sending traffic to the QUEUE and snort should be seeing it. 'cat /proc/sys/net/ipv4/ip_forward' shows a 1.

I'm just using a simple iptables script for testing...

    # $IPTABLES must point at the iptables binary; the original script
    # does not set it, so a default is supplied here.
    IPTABLES=${IPTABLES:-/sbin/iptables}

    # start from a clean table with accept-all policies
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    # loopback
    $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT

    # ssh to/from the sensor itself (INPUT/OUTPUT, not the bridged traffic)
    $IPTABLES -N ssh-allowed-in
    $IPTABLES -F ssh-allowed-in
    $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT

    $IPTABLES -N ssh-allowed-out
    $IPTABLES -F ssh-allowed-out
    $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT

    $IPTABLES -A INPUT -j ssh-allowed-in
    # hand every forwarded (bridged) packet to userspace for snort_inline
    $IPTABLES -A FORWARD -j QUEUE
    $IPTABLES -A OUTPUT -j ssh-allowed-out

And in my snort.conf I'm just using any/any right now...

    var HOME_NET any
    var EXTERNAL_NET any

And I'm NOT loading any rules. I thought that if I did not load any rules, traffic would enter the FORWARD chain and be sent to QUEUE. Since no rules are loaded, nothing should be dropping packets and the traffic should be allowed out. I must be missing something though, because no traffic is getting through from the PC.

If I remove $IPTABLES -A FORWARD -j QUEUE from the iptables script it works (obviously).

To my untrained eye it looks like the traffic is getting stuck (for lack of a better word) in QUEUE. What am I missing?
Jason
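An added check, not part of Jason's post and not snort_inline's own code: with the legacy ip_queue module that backs the iptables QUEUE target, /proc/net/ip_queue shows the pid of the userspace reader in its "Peer PID" row (0 when nothing is bound to the queue), and a packet handed to -j QUEUE while no peer is attached is dropped by the kernel. The script below parses that proc file and says whether a reader is attached. It assumes the row layout of /proc/net/ip_queue ("Peer PID          : 4242", "Queue dropped     : 0", and so on); the two snapshots it writes to temp files are constructed for the example, and the pid 4242 and the 37 dropped packets in them are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Decide from a /proc/net/ip_queue
# snapshot whether a userspace reader (snort_inline once it has bound the
# queue) is attached to the QUEUE target. "Peer PID" is 0 when nothing is
# attached, and in that state the kernel drops every packet sent to -j QUEUE.
# The sample snapshots below are constructed; on a live sensor pass
# /proc/net/ip_queue itself (it only exists once ip_queue is loaded).

# ipq_field FILE NAME: print the integer value of the row labelled NAME
# (rows look like "Peer PID          : 4242").
ipq_field() {
    sed -n "s/^$2 *: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# ipq_peer_attached FILE: exit 0 if a userspace peer is attached,
# 1 if "Peer PID" is 0, 2 if FILE is unreadable (ip_queue not loaded).
ipq_peer_attached() {
    [ -r "$1" ] || return 2
    _pid=$(ipq_field "$1" "Peer PID")
    [ -n "$_pid" ] && [ "$_pid" -ne 0 ]
}

# ipq_diagnose FILE: print a one-line verdict and return the same status as
# ipq_peer_attached, so a wrapper script can act on it.
ipq_diagnose() {
    _rc=0
    ipq_peer_attached "$1" || _rc=$?
    case $_rc in
        0) echo "ok: pid $(ipq_field "$1" "Peer PID") is reading the queue," \
                "$(ipq_field "$1" "Queue dropped") packets dropped so far" ;;
        1) echo "problem: Peer PID is 0, no userspace reader; packets sent to" \
                "-j QUEUE are being dropped ($(ipq_field "$1" "Queue dropped") so far)" ;;
        *) echo "problem: cannot read $1; ip_queue is not loaded, so -j QUEUE" \
                "has nowhere to deliver packets" ;;
    esac
    return $_rc
}

# Constructed sample snapshots in the layout of /proc/net/ip_queue.
IPQ_OK=${TMPDIR:-/tmp}/ipq_ok.$$
IPQ_NOPEER=${TMPDIR:-/tmp}/ipq_nopeer.$$
trap 'rm -f "$IPQ_OK" "$IPQ_NOPEER"' EXIT
cat >"$IPQ_OK" <<'EOF'
Peer PID          : 4242
Copy mode         : 2
Copy range        : 1500
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0
EOF
cat >"$IPQ_NOPEER" <<'EOF'
Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 37
Netlink dropped   : 0
EOF

ipq_diagnose "$IPQ_OK"
ipq_diagnose "$IPQ_NOPEER" || :
ipq_diagnose /proc/net/ip_queue || :
```

On the sensor itself the equivalent hand check is `lsmod | grep ip_queue`, `cat /proc/net/ip_queue` while snort is running with -Q, and `iptables -L FORWARD -v -n` to watch the QUEUE rule's packet counter climb while "Queue dropped" stays flat; a rising "Queue dropped" with "Peer PID : 0" means the packets are reaching the queue but nothing is taking them.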