help with setting up iptables for use with snort_inline (QUEUE target)

Hi all,

I have a question about setting up iptables so I can send selected traffic to 
snort_inline using the QUEUE target.

I'm writing a soon to be released (GPL) frontend to iptables. I'm adapting it 
now to support the QUEUE target for use with snort_inline. I want to give 
users the possibility to for example send only http traffic to snort_inline 
and let iptables handle the other traffic.

So normally my rules are like this (simplified):

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

So a connection is accepted by the second rule and after that handled by the 
first.

Well, now the problem. When I want to send packets to the QUEUE target the 
above setup does not work. Because I don't want all traffic to go to 
snort_inline, I can't change the target of the ESTABLISHED,RELATED rule to 
QUEUE.

I found a solution which does not work entirely as I want. The following example 
will send http to snort, pop3 will be handled by iptables itself.

iptables -t mangle -A OUTPUT  -p tcp --dport 80 -j MARK --set-mark 0x1

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j QUEUE
iptables -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Well, this works... but not for ftp. Iptables has, as you know, a special helper 
module for ftp. I don't know how I can make ftp play well in this setup. 
Because the ftp connection opens other ports, I can't mark ftp 
connections like this.

So... any ideas, suggestions?

BTW, if in any way possible I want my application to work with an unpatched 
Debian Woody kernel...

Regards,
Victor
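As an added example (not Victor's code, nor snort_inline's), here is a small shell script that generates the mark-based split ruleset from the post for any list of inspected ports. For the ftp problem it assumes CONNMARK support, i.e. a newer kernel than the unpatched Woody one the post wants to target, so that ftp-data connections inherit the control connection's mark; by default it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original post: build the mark-based split
# ruleset for a list of inspected ports. Connections to those ports are
# marked in the mangle table; marked packets go to QUEUE (snort_inline),
# everything else stays with iptables.
# FTP assumption: CONNMARK support (not in an unpatched Woody 2.4 kernel).
# The mark lives on the conntrack entry, RELATED ftp-data connections
# inherit it from their control connection, and --restore-mark copies
# it onto every packet before the QUEUE rule is evaluated.
IPT="${IPT:-echo iptables}"   # default only prints; run with IPT=iptables to apply
MARK=0x1

gen_rules() {
    # $@ = TCP destination ports whose traffic snort_inline should inspect
    for port in "$@"; do
        # unquoted $IPT on purpose: "echo iptables" must split into two words
        $IPT -t mangle -A OUTPUT -p tcp --dport "$port" -m state --state NEW \
            -j CONNMARK --set-mark "$MARK"
    done
    # every packet, first or later, related or not, gets its connection's mark
    $IPT -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # filter: marked connections go to snort_inline, unmarked ones are handled here
    $IPT -A OUTPUT -m mark --mark "$MARK" -j QUEUE
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
    # hypothetical default policy: anything that matched nothing above is dropped
    $IPT -A OUTPUT -j DROP
}

# usage: inspect http and the ftp control connection, let pop3 through directly
gen_rules 80 21
```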


