Can I run Suricata IPS both as a gateway and on the host itself?


I saw in the “Setting IPS/Inline for Linux” section of the documentation that I can either run Suricata as a gateway or on the traffic generated by the host itself.
I was wondering if it would be possible to do both, by passing both FORWARD and INPUT/OUTPUT into NFQUEUE, or whether that will cause issues.

My use case is restricting access to the network for my smart devices and IoT at home.

My solution right now is to restrict all access from the network, other than a proxy server that will run on the gateway (same device as Suricata). I want to do this so devices can’t send out SYNs and ACKs to the original server, and can’t be used as part of SYN attacks if they somehow got into someone’s botnet.

So I want to be able to filter both traffic being forwarded through the gateway and traffic originating from the gateway, i.e. from the proxy and other services I will be running on it.

Would this cause issues? Or will it be able to deal with traffic from the different origins?

This can work; you might want to use the queue-bypass option to make sure a Suricata restart doesn’t break all access, or whitelist some traffic for management. Otherwise you might end up not being able to access the machine itself.
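An added example of the setup this reply suggests, not code from the thread or the Suricata project: a script that emits iptables rules sending FORWARD, INPUT and OUTPUT to one NFQUEUE with `--queue-bypass`, places SSH management from the LAN ahead of the queue rules, and reads `/proc/net/netfilter/nfnetlink_queue` to check whether a userspace program (Suricata) is actually bound to the queue. The interface `eth1`, the network `192.168.10.0/24`, queue number `0` and the two sample proc-file lines are assumptions/constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Suricata project. Queues both
# forwarded traffic and the gateway's own traffic to one NFQUEUE with
# --queue-bypass, accepts SSH management from the LAN ahead of the queue, and
# checks whether a userspace listener (Suricata) is bound to that queue.
# Assumed names: LAN interface eth1, LAN 192.168.10.0/24, queue 0, and
# Suricata started with `suricata -q 0`.

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
QUEUE="${QUEUE:-0}"

# Emit the rules instead of applying them so they can be reviewed without root;
# `gen_rules | sh` applies them. Order matters: the SSH ACCEPTs come first so a
# crashed or restarting Suricata can never lock you out of the gateway.
gen_rules() {
    cat <<EOF
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -d $LAN_NET -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -j NFQUEUE --queue-num $QUEUE --queue-bypass
iptables -A INPUT -j NFQUEUE --queue-num $QUEUE --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-num $QUEUE --queue-bypass
EOF
}

# Read /proc/net/netfilter/nfnetlink_queue on stdin. Its columns are: queue
# number, peer portid (0 when no program is bound), packets queued now, copy
# mode, copy range, dropped by the kernel, dropped by userspace, id sequence.
# Prints the state of $QUEUE and returns 1 when nothing is bound, which is
# exactly the situation in which --queue-bypass keeps traffic flowing.
check_queue() {
    awk -v q="$QUEUE" '
        $1 == q {
            found = 1
            code = ($2 != 0) ? 0 : 1
            printf "queue %s %s, kernel-dropped=%s user-dropped=%s\n",
                   q, (code == 0 ? "BOUND" : "UNBOUND"), $6, $7
            exit code
        }
        END { if (!found) { print "queue " q " not present"; exit 1 } }
    '
}

# Constructed sample lines in the proc file format: queue 0 bound to a
# listener with portid 4242, and queue 0 with nothing bound and 12 kernel drops.
SAMPLE_BOUND='    0   4242     0 2 65531     0     0       57  1'
SAMPLE_UNBOUND='    0      0     0 2 65531    12     0       57  1'

if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
    check_queue < /proc/net/netfilter/nfnetlink_queue
else
    gen_rules
    echo "$SAMPLE_BOUND" | check_queue
    echo "$SAMPLE_UNBOUND" | check_queue || echo "(unbound: only --queue-bypass keeps packets moving)"
fi
```

Without arguments the script only prints the rules and runs the check against the constructed samples; `sh script.sh apply` applies the rules (as root) and reads the real proc file. One thing to keep in mind: with `--queue-bypass`, a queue rule with no listener behaves like ACCEPT, so the next rule or the chain policy decides what happens. If the chain policy is ACCEPT, a stopped Suricata means an open gateway rather than a dead one; a policy of DROP plus the explicit management ACCEPTs gives fail-closed behaviour for everything except SSH.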


The plan is to add SSH rules from inside the network to allow management.

Queue bypass so that traffic will flow if there isn’t any userspace program handling the NFQ?

And since you mentioned bypass, what would be the most efficient way to bypass traffic for large sessions, like downloading from my SMB server or anything similar? The bypass action? Or should I do something else?

Yep, if Suricata is not running the packets would still go into the queue and would get “lost”, hence the queue-bypass option.

For big traffic you can look into the Suricata User Guide — Suricata 7.0.1-dev documentation and check whether a BPF filter helps, or use pass rules on big traffic.
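An added example covering both the question about bypassing large SMB sessions and the pass-rule suggestion in this reply; it is not code from the thread or the Suricata project. It shows the two places where a bulk flow can be taken out of the inspection path: a Suricata `pass` rule carrying the `bypass` keyword, and netfilter ACCEPT rules inserted ahead of the NFQUEUE rule so the flow never reaches Suricata at all. The client network `192.168.10.0/24`, the file server `192.168.20.20` (assumed to sit on a segment the gateway forwards for, otherwise its traffic never crosses the gateway), the rules file path and the sid are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Suricata project. Two ways to
# keep a bulk SMB session (e.g. a download from a file server) out of the
# inspection path. Assumed names: clients in 192.168.10.0/24, file server
# 192.168.20.20 on a segment the gateway forwards for, local rules file
# /etc/suricata/rules/local.rules (must be listed under rule-files in
# suricata.yaml), sid 1000001.

CLIENT_NET="${CLIENT_NET:-192.168.10.0/24}"
SMB_SERVER="${SMB_SERVER:-192.168.20.20}"
RULES_FILE="${RULES_FILE:-/etc/suricata/rules/local.rules}"

# 1) Inside Suricata: a pass rule carrying the bypass keyword. A matching packet
#    skips the remaining rules, and bypass marks the flow so Suricata stops
#    inspecting the rest of that flow in either direction. The SYN and the
#    handshake are still inspected because the rule needs an established flow.
smb_pass_rule() {
    printf 'pass tcp %s any -> %s 445 (msg:"bypass bulk SMB to file server"; flow:to_server,established; bypass; sid:1000001; rev:1;)\n' \
        "$CLIENT_NET" "$SMB_SERVER"
}

# 2) Before Suricata: insert ACCEPTs at the top of FORWARD so established SMB
#    packets to and from the file server never reach the NFQUEUE rule. Cheapest
#    option, but Suricata then sees only the first packet (conntrack state NEW)
#    of each SMB connection and nothing after it.
smb_skip_queue_rules() {
    cat <<EOF
iptables -I FORWARD 1 -s $CLIENT_NET -d $SMB_SERVER -p tcp --dport 445 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -s $SMB_SERVER -d $CLIENT_NET -p tcp --sport 445 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

if [ "${1:-}" = "apply" ]; then
    smb_pass_rule >> "$RULES_FILE"   # then: suricatasc -c reload-rules
    smb_skip_queue_rules | sh
else
    echo "# Suricata rule (append to $RULES_FILE):"
    smb_pass_rule
    echo "# netfilter alternative (keeps the flow out of NFQUEUE entirely):"
    smb_skip_queue_rules
fi
```

The pass rule keeps Suricata in the loop for the connection setup (so it still sees the SYNs the original question worries about) and only drops inspection once the flow is established; the netfilter rules are cheaper but leave Suricata blind to that traffic after the first packet, so there will be no SMB logs or alerts for it. Pick the first unless the gateway genuinely cannot keep up.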