[SOLVED] Process migrating from IDS to IPS

Dear all,

on my nginx server, I installed suricata.
It works fine - as long as I use it as an IDS.

Now, I try to understand the migration process IDS → IPS

First, I tried the iptables way:

iptables -I FORWARD -j NFQUEUE

Of course, I started suricata using “-q 0”
However, no more detections! suricata stays silent.

In my /etc/suricata/suricata.yaml, I use:
mode accept
fail-open yes

Then, I tried the nftables way:

#!/usr/sbin/nft -f

# chain declaration
add chain filter IPS { type filter hook forward priority 10;}

# rule declaration
add rule filter IPS queue

Yet again, suricata stays silent.

In IDS mode, it works as requested.
In IPS mode, it just stays silent.

Anyone able to give me a helping hand?
Which part didn’t I understand correctly?

Kind regards,

Looks like when I use

iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE

instead of

iptables -I FORWARD -j NFQUEUE

suricata works as expected.
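The outcome of this thread is a placement problem, not a Suricata problem: a host that only serves nginx never sees its own traffic in the FORWARD chain (or the nftables forward hook), so an NFQUEUE rule there queues nothing and Suricata has nothing to inspect. The script below is an added example, written for this thread and not posted by the original author; it picks the chains that actually carry traffic for a given role, and it reads the kernel's NFQUEUE statistics from /proc/net/netfilter/nfnetlink_queue to tell "no packets ever reached the queue" (wrong chain) apart from "Suricata is not bound to the queue" or "packets are being dropped". The proc file layout (queue number, listener port id, packets waiting, copy mode, copy range, kernel drops, user-space drops, next packet id) follows the kernel's nfqnl_seq_show; the sample lines are constructed, and the `--queue-bypass` flag is the iptables NFQUEUE option that accepts packets when nobody is listening on the queue (the kernel-side counterpart of Suricata's `fail-open`).

```python
"""Diagnose an NFQUEUE-based Suricata IPS placement on iptables hosts."""
from dataclasses import dataclass
from typing import List, Optional

PROC_NFQUEUE = "/proc/net/netfilter/nfnetlink_queue"


def nfqueue_rules(hosts_service: bool, forwards_traffic: bool, queue_num: int = 0) -> List[str]:
    """Return the iptables commands that put the right chains in front of Suricata.

    A host that terminates connections itself (the nginx case from the thread)
    sees its traffic in INPUT/OUTPUT; only a router/bridge sees it in FORWARD.
    --queue-bypass lets packets through when no process is bound to the queue,
    so restarting Suricata does not black-hole the box.
    """
    chains: List[str] = []
    if hosts_service:
        chains += ["INPUT", "OUTPUT"]
    if forwards_traffic:
        chains.append("FORWARD")
    return [f"iptables -I {c} -j NFQUEUE --queue-num {queue_num} --queue-bypass" for c in chains]


@dataclass
class QueueStatus:
    queue_num: int
    peer_portid: int     # netlink port id of the bound user-space process (Suricata)
    queue_total: int     # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int
    queue_dropped: int   # dropped in-kernel because the queue was full
    user_dropped: int    # dropped because the packet could not be delivered to user space
    id_sequence: int     # next packet id; still 0 if no packet was ever queued


def parse_nfnetlink_queue(text: str) -> List[QueueStatus]:
    """Parse the contents of /proc/net/netfilter/nfnetlink_queue (one line per bound queue)."""
    rows: List[QueueStatus] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or unexpected line
        rows.append(QueueStatus(*[int(f) for f in fields[:8]]))
    return rows


def diagnose(rows: List[QueueStatus], queue_num: int = 0) -> str:
    """Classify why an IPS on queue `queue_num` might be silent."""
    q: Optional[QueueStatus] = next((r for r in rows if r.queue_num == queue_num), None)
    if q is None:
        return "no-queue"        # nothing has bound this queue: Suricata not running with -q N
    if q.id_sequence == 0:
        return "no-traffic"      # bound, but no packet ever arrived: rule is in the wrong chain
    if q.queue_dropped or q.user_dropped:
        return "dropping"        # packets reach the queue but are lost: check fail-open/bypass
    return "ok"


# Constructed sample /proc lines for the tests below (not captured from a real host).
SAMPLE_OK = "    0  28451     0 2 65531     0     0     1842  1\n"
SAMPLE_NO_TRAFFIC = "    0  28451     0 2 65531     0     0        0  1\n"
SAMPLE_DROPPING = "    0  28451  1024 2 65531    77     0     9000  1\n"


def diagnose_live(queue_num: int = 0) -> str:
    """Read the real proc file on a Linux host and classify queue `queue_num`."""
    with open(PROC_NFQUEUE, encoding="ascii") as fh:
        return diagnose(parse_nfnetlink_queue(fh.read()), queue_num)


if __name__ == "__main__":
    # Rules for the thread's situation: a server that hosts nginx and does not route.
    print("\n".join(nfqueue_rules(hosts_service=True, forwards_traffic=False)))
    for name, sample in (("ok", SAMPLE_OK), ("no-traffic", SAMPLE_NO_TRAFFIC)):
        print(name, "->", diagnose(parse_nfnetlink_queue(sample)))
```

Run the rules function with `hosts_service=True` on a plain web server and add `forwards_traffic=True` only where the machine really routes; after starting Suricata with `-q 0`, `diagnose_live()` returning `"no-traffic"` is the signature of the FORWARD-chain mistake described in the thread, while `"no-queue"` means Suricata is not bound to the queue at all.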