- Suricata version 7.08
- Centos 7
The error message is as follows:
01/04/2025-00:28:42.507394 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433
01/04/2025-00:28:42.507394 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433
————————————————————————————————————————
iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j NFQUEUE --queue-balance 0:3
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j NFQUEUE --queue-balance 0:3
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j NFQUEUE --queue-balance 0:3
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [309:30564]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [9:604]
:POSTROUTING ACCEPT [7:484]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [641:55601]
:INPUT ACCEPT [455:44043]
:FORWARD ACCEPT [13:780]
:OUTPUT ACCEPT [27:1684]
:POSTROUTING ACCEPT [25:1564]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Jan 3 11:30:03 2025
——————————————————————————————————————
The company’s HIS server 192.168.11.99 is connected to the Layer 3 switch on network segment 192.168.11.0.
Another intranet CIDR block is 192.168.1.0. The Suricata gateway server (CentOS 7) has interfaces 192.168.1.245 and 192.168.11.8.
Traffic forwarding has been enabled, and 192.168.1.0 can access 192.168.11.99 normally.
Now iptables will error as soon as `iptables -I FORWARD -j NFQUEUE` is set.
The `inline` setting in suricata.yaml does not work regardless of whether it is set to yes or no.
How do you set it up?
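An added example, not part of the post above: a small Python parser for the fast.log format shown in the post, which groups the SURICATA STREAM events per TCP flow so you can check whether such anomalies are confined to one connection (as with the 192.168.1.250:6788 -> 192.168.11.99:1433 flow above) or spread across all forwarded traffic. The sample input is the two log lines from the post, one written with the plain `->` fast.log uses and one with the arrow the forum rendered.

```python
import re
from collections import Counter

# Sample input: the two fast.log lines from the post (one spelled with "->",
# one with the "→" the forum rendered), plus a blank line the parser must skip.
SAMPLE_FAST_LOG = """\
01/04/2025-00:28:42.507394 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 -> 192.168.11.99:1433

01/04/2025-00:28:42.507394 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.250:6788 → 192.168.11.99:1433
"""

# One fast.log record: timestamp, [**], [gid:sid:rev], message, [**],
# classification, priority, {proto}, src:port -> dst:port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] \[Classification: (?P<cls>[^\]]*)\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?:->|→) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def stream_anomalies_by_flow(events):
    """Count the stream-engine (SURICATA STREAM ...) events per 5-tuple."""
    counts = Counter()
    for ev in events:
        if ev["msg"].startswith("SURICATA STREAM"):
            counts[(ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])] += 1
    return counts


if __name__ == "__main__":
    for flow, n in stream_anomalies_by_flow(parse_fast_log(SAMPLE_FAST_LOG)).items():
        print(f"{flow[0]} {flow[1]}:{flow[2]} -> {flow[3]}:{flow[4]}: {n} stream event(s)")
```

Run it against the real fast.log (for example `parse_fast_log(open("/var/log/suricata/fast.log").read())`) to see how many distinct flows the invalid-ack events cover.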