Hello,

At which location (in which chain) should I insert the -p all -j QUEUE in iptables?
[Edit 18/10/05 if you lack time:
Answer seems to be in only one place. You might be best looking
a the bash code in post #6]

I want snort to inspect and drop suspicious packet "from" the firewall.
Help will be appreciated and I hope this thread will be educational
to any paranoid newbie out there.

I am running snort -Qdev -c /etc/snort.conf -h 192.68.0.1/24
(that is as snort-inline as Intrusion Prevention System). Shorewall version is recent, I think 2.4.x.
ip_queue is loaded. I have compiled snort with the inline option. Using community rules.

Now then, I have read quite a bit about iptables, and I understand roughly what
is going one when the chain are traversed (walked through).
I heard there is a QUEUE policy available for shorewall, but that is beyond
what I understand; I would like just to insert the QUEUE with an iptables command for now.

Question 1: Shall I insert QUEUE in the INPUT or OUTPUT section?
Is this insertion back into the stream, after user space (snort) automatic?
I have read that
<<QUEUE rules cause the connection request to be passed to user-space
-- the user-space application can later insert them back
into the stream for further processing by following rules.
at the output stage>>
In that case to decrease the overhead, inserting queue in the OUTPUT make sense. Is this correct?

I then decided to insert queue as the first item in the OUTPUT chain by doing this
iptables -I OUTPUT 1 -p all -j QUEUE
(I want all protocols to go to snort) An extract from iptables-save is below

This is working to some extent (web access still working, and a
local snort rule I setup to alert me that the pc is doing
a dns query on www.mandrake.com allowed me to check snort was working).

Question 2: Would it not make sense to insert the queue just before
-A OUTPUT -j Reject

Question 3: How do I test that the rest of the chains are still traversed?
Any other solution than inserting log requests in the iptables?

Question 4: How do I then test that snort (inline) is dropping packets when needed?
I heard of snot, http://www.sec33.com/sniph/. but it looks a commercial thing.

Thanks if you read all that :-) regards

Hi,
have you looked into the guardian reactice firewall mod? It does exactly what you want. I blocks all IPs which match a certain criteria in snort.

Thanks for the suggestion. I only vaguely heard about guardian
through googling for queue, iptables, snort etc.
I will bear the suggestion in mind; still want to sort this out so I learn a bit more about queues

[edit added 10/10/05]

I looked at iptables-save, then added the QUEUE at the top
of the chain INPUT and OUTPUT.
I inserted a log statement before and after the QUEUE,
and found that snort-inline did not send the packets
back for treatment in the iptables chain.

So I am left with changing all the accept to QUEUE.
I have tried to do it via the shorewall policy but failed.
I will try again.
QUEUE worked ok as a rule in shorewall, but this is not what
I want because I have very very few rules and the default
rules are DROP most of them

Some relevant posts
http://lists.shorewall.net/pipermail...ne/018826.html
http://lists.shorewall.net/pipermail...ch/017750.html

The default /etc/shorewall/policy file is as follows.

Head bang!

The thread below (quite interesting 05/2005?) mentions that QUEUE is doing a shortcut (i.e. the packets
go to userspace but do not come back to iptables for further processing)
"How to use PeerGuardian AND custom iptable rules"
http://forums.phoenixlabs.org/showthread.php?t=7233

I tried in many places to replace ACCEPT by QUEUE and add a log statement.
None of the of log statement worked when following a QUEUE statement.
That would corroborate the thread above.
I tried to append a new chain (iptables -N mychain) and have the QUEUE there,
still the same problem, iptable is not traversed.

The QUEUE policy is no good because I have only drop policies
(apart from the ping from the cableco).

I am left with 2 ideas
Adding a zone, so instead of having net --> firewall --> userspace
I would have net --> firewall -- anotherzone --> userspace
In that case I could have a policy firewall to anotherzone QUEUE everything.
But I do not know how to do that. And maybe it is not possible

I see only one practical solution
iptables-save
sed the output to change all the ACCEPT to QUEUE
iptables-restore

Anybody having ideas on the whole thing?

I am using iptables v1.2.9 and shorewall 2.4.5 stable
# modinfo ip_queue
filename: /lib/modules/2.6.11-6mdk/kernel/net/ipv4/netfilter/ip_queue.ko.gz
description: IPv4 packet queue handler
author: James Morris <jmorris@intercode.com.au>
license: GPL
vermagic: 2.6.11-6mdk 686 gcc-3.4

[edit added code draft to automatocally change accept to QUEUE in IPTABLES]

/filter/,$
Make no changes to the header of iptables-save (it contains keyword like accept).
Achieved by changing file from keyword filter to end of file
Then change ACCEPT into QUEUE provided the line does not contain
some given chains keyword like OUTPUT, INPUT, fw2, because there is no
need to queue these
Add some comments

moved at OP's request ...

Here is a script to make snort inline work with shorewall by selectively
changing ACCEPT to QUEUE.
It does work on my PC, but it is a rather simple implementation:
net ---> shorewall (iptables) ----- some type of packets accepted by shorewall -----> QUEUE ---> Snort inline ----> userspace
net ---> shorewall (iptables) -----other type of acceptable packets-----> ACCEPT---> userspace

The script does not implement any of these,
1) net ----> Snort inline ---> shorewall (iptables) ----- 1 type of acceptable packets -----> ACCEPT--->userspace
2) net ----> Snort IDS ---> nowhere

1) seems impossible,
2) could be added I suppose because one can run more than one instance of snort (option -G of snort)

This code goes in a script to store in /etc/rc.d/init.d/

[code]
#!/bin/sh
#
# Provided under gnu license. Free, just acknowledge authors.
# Version 0.01 by Emmanuel_uk

# Commands are:
#
# shorewallinline start Starts replace some ACCEPT in iptables by QUEUE commands
# shorewallinline restart Restarts replace some ACCEPT in iptables by QUEUE commands
# shorewallinline stop stop the queues and restart shorewall without snort inline

# chkconfig: 2345 25 90
# description: Option for the

### BEGIN INIT INFO
# Provides: shorewalinline
# Required-Start: $snortd
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops QUEUE from shorewall firewall to snort inline
### END INIT INFO

################################################################################
# Give Usage Information
#
################################################################################
usage() {
echo "Usage: $0 start|stop|restart"
exit 1
}

################################################################################
# E X E C U T I O N B E G I N S H E R E
#
################################################################################
command="$1"

case "$command" in

start|restart)
#very basic, no tests
service shorewall restart
mydate=`date`
echo $mydate
modprobe ip_queue
ip_queue_there=`lsmod | grep -i ip_queue | awk '{print $1}'`
service snortd restart
#snortd must have been configured with snort >2.3 with option -Q and compiled with --snort-inline
echo "Looking for ip_queue and found "ip_queue_there
touch /root/iptablebeforeinline.txt
# you may want to parametrise the path instead of using /root/
/sbin/iptables-save > /root/iptablebeforeinline.txt
#------ now the hard work ---------
sed -e '/filter/,${/OUTPUT\|INPUT\|fw2net/!s/ACCEPT/QUEUE
\#autoreplaced/}' \
-e "{s/#autoreplaced/\n& line above
$mydate/}" /root/iptablebeforeinline.txt > /root/iptableafterinline.txt
# Above change ACCEPT into queue, in all the file after keyword filter only,
# provided the iptables lines does not contain OUTPUT, INPUT OR fw2net. Your choice here
cat /root/iptableafterinline.txt | iptables-restore -c
# Above reload iptables new rules
;;

stop)

exec /sbin/shorewall restart
# Logic is we still want a firewall but not sending to snort via QUEUE
# do not even bother about killing snortd
;;
*)

usage
;;

esac

[\code]