From: Holger M. <gan...@mo...> - 2005-08-29 14:39:18
Hi, two new questions.

1.) Will wrote me that an iptables rule for HTTP traffic can look like this:

    $IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
    $IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
    $IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
    $IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE

I want to restrict the traffic from both sides, so I want HTTP sessions to be started only from the inside. My old rule looked like this:

    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTERN_ETH -p tcp -o $EXTERN_ETH --dport 8080 -m state --state NEW -j ACCEPT

To me it seems that now SYNs (initiating an HTTP session) are possible from both sides. In the Syngress book I read that some settings are made by choosing the "var_net" variables. So do I have to change the rule like this:

    $IPTABLES -t mangle -A FORWARD -p tcp -s $INTERN_ETH --syn -d $EXTERN_ETH --dport 8080 \
        -m state --state NEW -j MARK --set-mark 1

Or does snort-inline restrict that by itself if I declare my HOME_NET and EXTERNAL_NET?

2.) And is there still a possibility to log with iptables like this:

    $IPTABLES -N acceptNlog
    $IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
    $IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
    $IPTABLES -I FORWARD -m mark --mark 1 -j acceptNlog
    $IPTABLES -I FORWARD -m mark --mark 2 -j acceptNlog
    $IPTABLES -A acceptNlog -j LOG --log-prefix "Accepted by FW and given to Snort-Inline: "
    $IPTABLES -A acceptNlog -j QUEUE

I'm not sure about that.... I know this is not a snort-inline-specific problem, and I hope I'm not bothering you with my beginner questions.

Thank you

Best regards,
Holger
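The ruleset the mail is asking about, written out as an added example; this is not code from the original mail, from Will, or from the snort-inline project. It restricts session initiation with -i/-o on the mangle MARK rule (the interface match encodes the direction, so a SYN arriving on the external interface stays unmarked and hits the DROP policy), marks both directions, and sends marked packets through a log-then-QUEUE chain. It also adds a rule the two MARK rules above lack: the client's later, non-SYN packets toward port 8080 are ESTABLISHED rather than NEW, so without a second mark-1 rule they would be neither marked nor queued. Interface names eth0/eth1, port 8080, the log prefix and the rate limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Allow only sessions that the
# internal side opens to TCP/8080, mark both directions of them, log them
# and hand them to snort-inline via QUEUE. Everything else is dropped.
#
# Usage:  ./http_ips.sh          # dry run: prints the iptables commands
#         ./http_ips.sh apply    # runs them (needs root and ip_queue)

INTERN_ETH="${INTERN_ETH:-eth1}"   # assumption: LAN side
EXTERN_ETH="${EXTERN_ETH:-eth0}"   # assumption: Internet side
PROXY_PORT="${PROXY_PORT:-8080}"   # assumption: proxy/HTTP port

http_ips_rules() {
    # Default policy: anything not explicitly marked below is dropped.
    $IPTABLES -P FORWARD DROP

    # Log-then-queue chain. The limit keeps a SYN flood from flooding syslog.
    $IPTABLES -N acceptNlog
    $IPTABLES -A acceptNlog -m limit --limit 10/min \
        -j LOG --log-prefix "Accepted by FW, to snort-inline: "
    $IPTABLES -A acceptNlog -j QUEUE

    # Mark 1: a new session only when it enters on the internal interface
    # and leaves on the external one. A SYN coming in on $EXTERN_ETH never
    # matches this rule, stays unmarked and is dropped by the policy.
    $IPTABLES -t mangle -A FORWARD -i "$INTERN_ETH" -o "$EXTERN_ETH" \
        -p tcp --syn --dport "$PROXY_PORT" -m state --state NEW \
        -j MARK --set-mark 1

    # Mark 1 again for the client's later packets of a tracked session.
    # These are ESTABLISHED, not NEW, so the rule above does not cover them.
    $IPTABLES -t mangle -A FORWARD -i "$INTERN_ETH" -o "$EXTERN_ETH" \
        -p tcp --dport "$PROXY_PORT" -m state --state ESTABLISHED \
        -j MARK --set-mark 1

    # Mark 2: server replies. Only sessions that passed the NEW rule exist
    # in conntrack, so an outside host cannot produce ESTABLISHED traffic.
    $IPTABLES -t mangle -A FORWARD -i "$EXTERN_ETH" -o "$INTERN_ETH" \
        -p tcp --sport "$PROXY_PORT" -m state --state ESTABLISHED \
        -j MARK --set-mark 2

    # Filter table: marked packets are logged and queued; the rest DROPs.
    $IPTABLES -A FORWARD -m mark --mark 1 -j acceptNlog
    $IPTABLES -A FORWARD -m mark --mark 2 -j acceptNlog
}

case "${1:-}" in
    apply) IPTABLES="${IPTABLES:-iptables}"; http_ips_rules ;;
    *)     IPTABLES="echo iptables";          http_ips_rules ;;   # dry run
esac
```

The dry run prints the exact commands, which is the quickest way to review a ruleset before loading it. If the box already has other FORWARD rules (for example the old ESTABLISHED,RELATED ACCEPT), use -I instead of -A for the two mark matches in the filter table, otherwise the earlier ACCEPT lets the traffic bypass snort-inline.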