How to set up Suricata-IDS between the Internet and a web server?

I have a web server and I want to launch Suricata-IDS between the Internet and my web server. Something like below:

The Internet → Suricata-IDS → Web server

I have some questions:
1- On the Suricata-IDS server, do I just need to enable “Forwarding” and “MASQUERADE”? For example:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables-save

2- In this mode, does Suricata-IDS need any special changes in its configuration?
3- Should I install any web server software, like Apache etc., on the Suricata-IDS server?

Thank you.

Should I set the web server’s public IP address on the IDS/IPS server and have it forward all requests to my web server with a local IP address?
I’d be thankful if anyone could provide some advice.


The MASQUERADE policy is usually applied by a router that has been assigned a dynamic IP via DHCP. A representative example is the WiFi AP in your home.

The mentioned topology configuration is too simple. If Suricata operates as a part of UTM, you can consider MASQUERADE in iptables, but this is not necessary for Suricata configuration.

For a detailed policy, the planned topology is required: L3 (Router), NAT, Suricata’s Inline or TAP (Mirror), etc.


Thank you for your info.
I have a web server and I don’t want to install Suricata-IDS on it. I want to dedicate a server to Suricata-IDS that filters the traffic, then forwards it to my real server:

The Internet --> Suricata-IDS --> Apache Web Server

I don’t know how to configure Suricata-IDS for this scenario!

Minimal information is required for configuration.
Do you plan to run Suricata-IDS in IPS (Inline) Mode?
Is the Apache server’s IP public or private?


If it is IPS (inline) mode and the Apache server is public, it is recommended to use Suricata’s af-packet configuration without iptables.

If you are already in a NAT (e.g. home WiFi) network environment, you can configure and use only af-packet without iptables in Suricata located behind the NAT.


The server that I dedicated to Suricata-IDS does not have any Apache. I want Suricata-IDS to clean the traffic, then forward it to the Apache server, so Suricata-IDS has a public IP and the Apache server has a private IP.
I don’t know how to configure Suricata-IDS to do these tasks!

As the Apache server uses a private IP, it seems possible to configure Suricata using af-packet in IPS (Inline) mode.

af-packet does not need an iptables policy.

However, if the test environment uses a hypervisor such as Hyper-V or ESXi, the appropriate options must be applied on the switch of that hypervisor.

e.g. Hypervisor switch settings:
Hyper-V: MAC Address Spoofing
ESXi: Promiscuous


I know how to configure Suricata-IDS in IPS mode, but how must my Suricata-IDS server forward the traffic to the real Apache server after cleaning it? I think Suricata-IDS must act like a Reverse Proxy!!!

Cleaned it?
What do you mean? Can you explain in detail?

I meant protecting.
How can the Suricata-IDS server handle the forwarding task?

A server with only Suricata-IDS installed acts like a bridge and filters packets. It doesn’t play a role for forwarding like routing or proxy. There is no need to act as a reverse proxy.
Why do you think the reverse proxy should work?


Thank you.
In the diagram below, how can requests reach the destination server?

The Internet --> Suricata-IDS --> Apache Web Server

How does the Suricata-IDS server forward the requests to the Apache Web Server?

Any idea about it?

Hi Jason,

Suricata in “IDS” mode will never forward packets. What you’re looking for is “IPS” mode where Suricata operates “in-line” receiving packets, processing them, and then releasing for transmit those packets that are not dropped.

See 13. Setting up IPS/inline for Linux — Suricata 6.0.2 documentation

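As an added example (not posted by anyone in this thread): the af-packet section of suricata.yaml for the inline (IPS) bridge the replies describe, in which Suricata is placed between two NICs and passes or drops every frame itself, so no ip_forward, NAT or FORWARD rules are involved. The interface names eth0 (Internet side) and eth1 (web-server side) are assumed from the question's iptables rules, and the cluster-id values are arbitrary.

```yaml
# suricata.yaml fragment: AF_PACKET inline/IPS mode bridging two interfaces.
# Every frame received on eth0 is inspected and, unless a rule drops it,
# copied out of eth1, and vice versa. The bridged NICs carry no IP address
# of their own; the box acts as a transparent bump-in-the-wire, not a router
# or reverse proxy.
af-packet:
  - interface: eth0            # assumed: NIC facing the Internet
    threads: 1                 # eth0 and eth1 must use the same thread count
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98             # arbitrary, but unique per interface
    copy-mode: ips             # "ips" = drop-capable; "tap" would only copy
    copy-iface: eth1           # peer interface that receives accepted frames
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1            # assumed: NIC facing the Apache web server
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0           # mirror of the first entry
    buffer-size: 64535
    use-mmap: yes

# Inline stream handling: "auto" turns inline mode on when Suricata runs
# as an IPS and leaves it off in plain IDS mode.
stream:
  inline: auto

# Usage (run as root, on the Suricata box):
#   ethtool -K eth0 gro off lro off tso off gso off   # disable NIC offloading
#   ethtool -K eth1 gro off lro off tso off gso off   # on both bridged NICs
#   suricata -c /etc/suricata/suricata.yaml --af-packet
# Only rules using the "drop" action actually block traffic in this mode;
# "alert" rules keep logging but let the packet through.
```

Offloading must be disabled because the kernel would otherwise hand Suricata merged super-frames that cannot be copied out of the peer interface intact, which shows up as traffic silently failing to cross the bridge.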