Managed to solve this by adjusting the nfq section in suricata.yaml, and adjusting UFW before.rules:
In /etc/suricata/suricata.yaml change to:
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
In /etc/ufw/before.rules insert this section:
### SURICATA ###
-I INPUT 1 -p tcp --dport 12345 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 12345 -j NFQUEUE --queue-bypass
-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
### END SURICATA ###
(where 12345 is the SSH port you want to bypass, so you keep access in case Suricata goes down. If you do not need this, you can skip the first two lines.)
Restart UFW and Suricata:
systemctl restart ufw.service
systemctl restart suricata.service
Explanation of Suricata repeat and route mode here:
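As an added illustration (not part of the answer above, and not Suricata or UFW code), this small Python model of the `-m mark ! --mark 1/1` match and of Suricata's repeat mode shows why the mark test is what keeps a re-injected packet from being queued forever, and what `--queue-bypass` changes when no Suricata process is listening. It models only the mark rules and the bypass flag, not the SSH-port rules, and assumes a chain policy of ACCEPT.

```python
# Constructed model of the mark handling behind the configuration above.
REPEAT_MARK = 1   # nfq.repeat-mark from suricata.yaml
REPEAT_MASK = 1   # nfq.repeat-mask from suricata.yaml
MAX_PASSES = 8    # loop guard that exists only in this model

# Rule shapes (assumed, for the model): a mark-checked NFQUEUE rule as in the
# answer, the same rule without the mark test, and a rule with --queue-bypass.
MARKED_RULE = {"check_mark": True, "bypass": False}
UNMARKED_RULE = {"check_mark": False, "bypass": False}
BYPASS_RULE = {"check_mark": True, "bypass": True}


def mark_matches(mark, value, mask):
    """Semantics of 'iptables -m mark --mark value/mask'."""
    return (mark & mask) == (value & mask)


def suricata_verdict(pkt, drop=False):
    """Suricata in repeat mode: either drop, or set the repeat bits and
    reinject with NF_REPEAT. Bits outside the mask are preserved."""
    if drop:
        return "DROP", pkt["mark"]
    new_mark = (REPEAT_MARK & REPEAT_MASK) | (pkt["mark"] & ~REPEAT_MASK)
    return "REPEAT", new_mark


def run_chain(pkt, rules, suricata_up=True, drop=False):
    """Walk a chain of NFQUEUE rules. Returns (final verdict, chain passes)."""
    passes = 0
    while passes < MAX_PASSES:
        passes += 1
        queued = False
        for rule in rules:
            # '! --mark 1/1' skips packets Suricata has already marked.
            if rule["check_mark"] and mark_matches(pkt["mark"], REPEAT_MARK, REPEAT_MASK):
                continue
            if not suricata_up:
                # No listener: --queue-bypass acts like ACCEPT, otherwise drop.
                return ("ACCEPT" if rule["bypass"] else "DROP"), passes
            verdict, pkt["mark"] = suricata_verdict(pkt, drop)
            if verdict == "DROP":
                return "DROP", passes
            queued = True
            break  # NF_REPEAT: the packet re-enters the chain from the top
        if not queued:
            return "ACCEPT", passes  # end of chain, policy ACCEPT assumed
    return "LOOP", passes
```

With the mark test, a packet is queued once and accepted on its second pass; without it, the same packet is re-queued on every pass until the model's guard stops it.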