Configure Suricata IPS Mode with Nftables firewall rule

Dear all forum members, I have configured my CentOS Stream 9 to implement IPS with Suricata. Everything runs perfectly except that the traffic is not directed through nftables yet.
These are my nftables firewall rules.

#!/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
		iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter accept comment "accept all ICMP types"
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		counter comment "count dropped packets"
	}

	# If you're not counting packets, this chain can be omitted.
	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}
}

I read the Suricata official documentation, which says to add the following rules to the firewall ruleset, but I don't know how to translate them into the file format used above.

nft> add chain filter IPS { type filter hook forward priority 10;}
To send all forwarded packets to Suricata one can use
nft> add rule filter IPS queue

Hope someone can convert the command-based add rule into the correct syntax for the file.
Please help. Thanks. A billion thanks for your help.

Please help me. This is very urgent.

Please help me with this topic, as I really have no clue how to define the nft rule.

This is a free community forum, so people reply to topics if they have time and a good response. If you need urgent help, I would recommend requesting paid commercial support.

Also please don’t push a topic within a few hours, this could result in your posts being removed or admins contacting you to stop that behavior.

To the initial post:

  1. What version are you using and what does your config (suricata.yaml) look like?

  2. Your ruleset is missing the nfqueue jumps like this for example:

iif "eth1" queue num 0-9 bypass,fanout

Suricata version: Suricata version 6.0.12 at /usr/sbin/suricata

suricata.yaml:

af-packet:
  - interface: wlp59s0 (wireless interface)

The rest is default values.

  1. Can you provide me a complete example of the NFQUEUE jump rule used to satisfy IPS mode?

Please help. A billion thanks for your help.

How do you actually start Suricata?

You mention the af-packet section but above you’re talking about nftables. Those are two different methods of IPS mode. See 13. Setting up IPS/inline for Linux — Suricata 6.0.12 documentation and 13. Setting up IPS/inline for Linux — Suricata 6.0.12 documentation where you can also find examples. In addition to that, read the nftables manuals, for example Queueing to userspace - nftables wiki

I start Suricata with this: OPTIONS="-q 0 -vvv --user suricata"

sudo systemctl enable suricata

Yes, I have read the documentation; I am going with IPS via netfilter. Please help me with this.

So did you add the related nftables section to use the queue number 0 as mentioned above?

I don't know how to add the nftables section for queue 0 in /etc/sysconfig/nftables.config
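The following is an added example (editor's illustration, not a ruleset posted in this thread or taken from the Suricata project) that translates the documented `add chain filter IPS { type filter hook forward priority 10;}` / `add rule filter IPS queue` commands into the file syntax of the ruleset above, using queue number 0 to match the poster's `-q 0` start option. It assumes the file is loaded with `nft -f` as in the original, and the chain names `ips_input` and `ips_output` are the editor's own additions, not from the documentation.

```nft
#!/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
		iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter accept comment "accept all ICMP types"
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		counter comment "count dropped packets"
	}

	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}

	# File-syntax equivalent of the documented commands:
	#   add chain filter IPS { type filter hook forward priority 10;}
	#   add rule filter IPS queue
	# Priority 10 runs after the priority-0 forward chain, so only packets
	# that chain accepted ever reach Suricata; with "policy drop" on a
	# non-routing host this chain will see no traffic at all.
	chain IPS {
		type filter hook forward priority 10; policy accept;
		counter queue num 0 bypass
	}

	# Editor's extension (assumption, not in the documentation quoted above):
	# a single host with one wireless interface carries its traffic through
	# the input and output hooks, not forward, so queue those too.
	# "bypass" means fail-open: if Suricata is not listening on queue 0 the
	# packet is accepted instead of dropped. Remove it for fail-closed.
	chain ips_input {
		type filter hook input priority 10; policy accept;
		iif "lo" accept comment "do not inspect loopback traffic"
		counter queue num 0 bypass
	}

	chain ips_output {
		type filter hook output priority 10; policy accept;
		oif "lo" accept comment "do not inspect loopback traffic"
		counter queue num 0 bypass
	}
}
```

Check the syntax without loading it with `nft -c -f /etc/sysconfig/nftables.config`, then `nft list chain inet filter IPS` after loading should show the queue rule and its counters climbing once Suricata is running. Two points to keep in mind: the queue number(s) in the rule must match the `-q` options Suricata was started with (the `queue num 0-9 bypass,fanout` example from the earlier reply needs ten `-q` options), and a priority-0 chain that drops the packet is final, so an `input` chain with `policy drop` and no accept rules for your services will still block new inbound connections before Suricata sees them.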