Iptables after forward is enabled

  • Suricata version 7.08
  • CentOS 7
    The error message is as follows:
    01/04/2025-00:28:42.507394  [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433
    01/04/2025-00:28:42.507394  [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433
    ————————————————————————————————————————
    iptables:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j NFQUEUE --queue-balance 0:3
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A FORWARD -j NFQUEUE --queue-balance 0:3
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -j NFQUEUE --queue-balance 0:3
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [309:30564]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [9:604]
    :POSTROUTING ACCEPT [7:484]
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    COMMIT
    *mangle
    :PREROUTING ACCEPT [641:55601]
    :INPUT ACCEPT [455:44043]
    :FORWARD ACCEPT [13:780]
    :OUTPUT ACCEPT [27:1684]
    :POSTROUTING ACCEPT [25:1564]
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    COMMIT
    # Completed on Fri Jan 3 11:30:03 2025

——————————————————————————————————————

The company's HIS server 192.168.11.99 is connected to the Layer 3 switch, on network segment 192.168.11.0.

Another intranet CIDR block is 192.168.1.0. The Suricata gateway server (CentOS 7) has the interfaces 192.168.1.245 and 192.168.11.8.

Traffic forwarding has been enabled and 192.168.1.0 can access 192.168.11.99 normally.

Now iptables errors as soon as iptables -I FORWARD -j NFQUEUE is set.

The inline setting in suricata.yaml does not work regardless of whether you set yes or no.

How do you set it up?

It's been a while.
Could be that the queue statement is missing components.
You haven't set the beginning state, if I remember correctly.
Should be a mark in there.
Doesn't it have to be on the first line?
It returns to the first line and increments.
The increment makes it skip forward to the next line,
bypassing the queue statement.
I am not sure about using qbalance.

The problem has been solved, although not perfectly.

suricata.yaml:
    stream:
      memcap: 64mb
      #memcap-policy: ignore
      checksum-validation: yes      # reject incorrect csums
      #midstream: false
      #midstream-policy: ignore
      inline: yes                   # auto will use inline mode in IPS mode, yes or no set it statically
      drop-invalid: no
      async-oneside: true
      prealloc-sessions: 20000
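The two STREAM alerts quoted at the top of the thread are fast.log lines; the script below, an added example that is not from the thread or from the Suricata project, groups such stream-engine events per flow and lists the flows whose events only ever appear in one direction, which is the asymmetry that the `async-oneside: true` setting above tolerates. It assumes fast.log output carrying the two sids from the post, accepts the `[]` and `→` forms a forum paste produces, and the 192.168.1.77 flow in the sample is constructed.

```python
import re
from collections import defaultdict

# Layout of a fast.log line. The pattern also accepts the "[]" and "→" forms
# that appear when "[**]" and "->" are mangled by a forum's markup.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\**\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\**\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?:->|→)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# The two stream-engine sids quoted in the post.
STREAM_SIDS = {"2210045": "Packet with invalid ack", "2210046": "SHUTDOWN RST invalid ack"}

# Constructed sample: the two lines from the post, plus an assumed flow
# (192.168.1.77, not from the post) that raised events in both directions.
SAMPLE_LOG = """\
01/04/2025-00:28:42.507394  [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433
01/04/2025-00:28:42.507394  [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433
01/04/2025-00:29:01.000001  [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.77:50001 -> 192.168.11.99:1433
01/04/2025-00:29:01.000500 [] [1:2210045:2] SURICATA STREAM Packet with invalid ack [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.99:1433 → 192.168.1.77:50001
"""

def parse_fast_line(line):
    """Return the fields of one fast.log line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def flow_key(ev):
    """Direction-independent key: both packet directions map to one flow."""
    a, b = (ev["src"], int(ev["sport"])), (ev["dst"], int(ev["dport"]))
    return (ev["proto"],) + (a + b if a <= b else b + a)

def stream_event_summary(text):
    """Group stream-engine events per flow: directions seen and count per sid."""
    flows = defaultdict(lambda: {"directions": set(), "sids": defaultdict(int)})
    for line in text.splitlines():
        ev = parse_fast_line(line)
        if ev is None or ev["sid"] not in STREAM_SIDS:
            continue
        entry = flows[flow_key(ev)]
        entry["directions"].add((ev["src"], ev["dst"]))
        entry["sids"][ev["sid"]] += 1
    return dict(flows)

def one_sided_flows(text):
    """Flows whose events were only ever raised in one direction: a hint that
    the return path never crosses the sensor (asymmetric routing)."""
    return [k for k, v in stream_event_summary(text).items() if len(v["directions"]) == 1]
```

Feed it the real fast.log and the flows it lists are the ones to check against the routing table and the L3 switch: if the reverse path really bypasses the gateway, the stream engine can never validate ACKs for them.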