[SOLVED] NFQUEUE bypassing UFW rules

On a Debian 12 system, we successfully set up traffic to be routed through Suricata NFQUEUE. It all works. Traffic is being blocked and logged as we want it to, all according to suricata.rules, etc.

HOWEVER it seems that all traffic now completely circumvents the rest of our rules in UFW, and now all ports are open on our host(!). Everything not triggering a DROP in suricata.rules gets routed through.
(For example, if we run a test web server on a random port, traffic gets through, although the UFW policy is set to INPUT DROP and has very few ALLOW rules.)

With iptables -vL it is clear that traffic never reaches the UFW rule-sets in the firewall, all counters are zero.

Is there a way to pipe traffic back to the rest of the rule-sets in UFW firewall / iptables after being inspected by Suricata?

I guess it is as simple as adding a final -j rule to NFQUEUE or IPTABLES somewhere somehow, but I am not familiar enough with the syntax to see how to fix it.

All help very much appreciated.


Section added to /etc/ufw/before.rules:

### SURICATA ###
-I INPUT 1 -p tcp --dport 12345 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 12345 -j NFQUEUE --queue-bypass
-I FORWARD -j NFQUEUE
-I INPUT 2 -j NFQUEUE 
-I OUTPUT 2 -j NFQUEUE
### END SURICATA ###

Output of iptables -v -n -L --line-numbers:


Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     9028  548K NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
2     123K   13M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
3    1107K 1015M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
4        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
5      441 61938 NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
6        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
7      369 57670 NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
8        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
9     447K  196M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
10       0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
11       0     0 ufw-before-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
12       0     0 ufw-before-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
13       0     0 ufw-after-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
14       0     0 ufw-after-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
15       0     0 ufw-reject-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
16       0     0 ufw-track-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
2    48715   68M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
3        0     0 NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
4        0     0 NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
5    55366   79M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
6        0     0 ufw-before-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
7        0     0 ufw-before-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
8        0     0 ufw-after-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
9        0     0 ufw-after-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
10       0     0 ufw-reject-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
11       0     0 ufw-track-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    13851 5725K NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:12345 NFQUEUE num 0 bypass
2     111K 8707K NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
3     920K  193M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
4        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:12345 NFQUEUE num 0 bypass
5      267  110K NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
6        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:12345 NFQUEUE num 0 bypass
7      230  135K NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
8        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:12345 NFQUEUE num 0 bypass
9     367K  117M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
10       0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:12345 NFQUEUE num 0 bypass
11       0     0 ufw-before-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
12       0     0 ufw-before-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
13       0     0 ufw-after-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
14       0     0 ufw-after-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
15       0     0 ufw-reject-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
16       0     0 ufw-track-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0   

(…) rest of UFW rules below, not pasted here.

(same problem mentioned here, but without any apparent solution: Iptables + NFQUEUE)

Managed to solve this by adjusting the nfq section in suricata.yaml and adjusting the UFW before.rules:

In /etc/suricata/suricata.yaml change the nfq section to:

nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1

In /etc/ufw/before.rules insert this section:

### SURICATA ###
-I INPUT 1 -p tcp --dport 12345 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 12345 -j NFQUEUE --queue-bypass
-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
### END SURICATA ###

(where 12345 is the SSH port you want to bypass, so you keep access in case Suricata goes down. If you do not need this, you can skip the first two lines)

Restart UFW and Suricata:

systemctl restart ufw.service
systemctl restart suricata.service

Explanation of Suricata repeat and route mode here:
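As an added check that is not part of the question or answer above: the script below parses an `iptables -v -n -L --line-numbers` listing and reports the three things that are visible in the listing posted in the question. It flags NFQUEUE rules that carry no `mark match ! 0x1/0x1` exclusion (in repeat mode Suricata re-injects the packet with the mark set, so a rule without the exclusion queues it a second time), ufw-* chain jumps whose counters are zero while NFQUEUE rules above them carried traffic (nothing reaches the ufw rule set), and identical NFQUEUE rules repeated in one chain (the question's listing shows five copies of each, which is what accumulates when the `-I INPUT` lines are applied again on every restart). `fix_commands` rebuilds each unmarked rule as an in-place `iptables -R` command with the `1/1` mark from the answer's `repeat-mark`/`repeat-mask`. The two listings are constructed samples: a shortened copy of the one in the question, and a guess at what the same chains look like once the fix is applied. The checker does not exempt the two port-12345 bypass rules either: the Suricata documentation's repeat-mode rule example carries the same `! --mark` exclusion, so decide deliberately whether those two rules should too.

```python
"""Audit an `iptables -v -n -L --line-numbers` listing for NFQUEUE rules that
shadow the ufw chains.  Added example; not code from the question or answer."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed samples: a shortened copy of the listing in the question, and the
# same chains once the `-m mark ! --mark 1/1` exclusion from the answer is in.
BROKEN_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9028  548K NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
2     123K   13M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
3    1107K 1015M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
4        0     0 NFQUEUE    6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 NFQUEUE num 0 bypass
5        0     0 ufw-before-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    48715   68M NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
2        0     0 ufw-before-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""
FIXED_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      512   40K NFQUEUE    0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x1/0x1 NFQUEUE num 0
2      498   39K ufw-before-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}  # decimal, as iptables prints them
_MARK_EXCLUSION = re.compile(r"mark match ! 0x[0-9a-f]+/0x[0-9a-f]+")  # how -vnL shows `-m mark ! --mark`


@dataclass(frozen=True)
class Rule:
    chain: str
    num: int
    pkts: int
    target: str
    extra: str  # match/target options printed after the destination column


def parse_counter(text: str) -> int:
    m = re.fullmatch(r"(\d+)([KMGT]?)", text)
    if m is None:
        raise ValueError(f"not an iptables counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text: str) -> list[Rule]:
    """Turn `-v -n -L --line-numbers` output into Rule records."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("num "):
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        # num pkts bytes target prot opt in out source destination [extra...]
        f = line.split(None, 10)
        rules.append(Rule(chain, int(f[0]), parse_counter(f[1]), f[3],
                          f[10].strip() if len(f) > 10 else ""))
    return rules


def audit(listing: str) -> dict:
    rules = parse_listing(listing)
    # Repeat mode re-injects the packet with the mark set; an NFQUEUE rule
    # without the exclusion queues that packet again.
    unmarked = [r for r in rules
                if r.target == "NFQUEUE" and not _MARK_EXCLUSION.search(r.extra)]
    # ufw jump with zero packets behind NFQUEUE rules that carried traffic.
    starved = [r for r in rules if r.target.startswith("ufw-") and r.pkts == 0
               and sum(q.pkts for q in rules if q.chain == r.chain
                       and q.num < r.num and q.target == "NFQUEUE") > 0]
    # Identical rules repeated in one chain: `-I` lines being re-applied.
    dups = [k for k, n in Counter((r.chain, r.target, r.extra) for r in rules).items()
            if n > 1]
    return {"unmarked_nfqueue": unmarked, "starved_ufw_chains": starved,
            "duplicates": dups}


def fix_commands(listing: str) -> list[str]:
    """`iptables -R` commands adding the mark exclusion in place.  Only the
    rule shapes seen on this page (plain, tcp dpt/spt, bypass) are rebuilt."""
    cmds = []
    for r in audit(listing)["unmarked_nfqueue"]:
        spec = []
        port = re.search(r"tcp (dpt|spt):(\d+)", r.extra)
        if port:
            spec += ["-p", "tcp", "--dport" if port.group(1) == "dpt" else "--sport",
                     port.group(2)]
        spec += ["-m", "mark", "!", "--mark", "1/1", "-j", "NFQUEUE"]
        qnum = re.search(r"NFQUEUE num (\d+)", r.extra)
        if qnum:
            spec += ["--queue-num", qnum.group(1)]
        if r.extra.endswith("bypass"):
            spec.append("--queue-bypass")
        cmds.append(f"iptables -R {r.chain} {r.num} " + " ".join(spec))
    return cmds
```

Run it against your own listing with `audit(open("listing.txt").read())` after saving the output of `iptables -v -n -L --line-numbers`. The duplicates it reports are not rewritten; delete the extra copies by rule number (highest number first, so the remaining numbers stay valid) before applying the `-R` commands, and remember that anything changed with `-R`/`-D` on the live ruleset is lost on the next ufw restart unless before.rules carries the same change.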