On Thursday 01 July 2004 3:56 pm, Victor Julien wrote:
> Hi all,
>
> I have a question about setting up iptables so I can send selected traffic
> to snort_inline using the QUEUE target.
>
> I'm writing a soon to be released (GPL) frontend to iptables. I'm adapting
>
> iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
>
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m mark --mark 0x1
> -j QUEUE
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j QUEUE
> iptables -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
>
> Well this works... but not for ftp. Iptables has, as you know, a special
> helper module for ftp. I don't know how I can make ftp play well in this
> setup. Because the ftp connection opens other ports I can't use the mark
> ftp connections like this.
>
> So... any ideas, suggestions?

You might find the new "helper" match does what you need? I'm not certain
because I haven't played with it, but it seems like a likely bet...

By the way, why are you doing all this in the OUTPUT chain? I'm not quite
sure that I see the purpose of running snort-inline on a single machine. A
router for a network, yes, but why on a standalone system?

Regards,

Antony.

-- 
Never automate fully anything that does not have a manual override capability.
Never design anything that cannot work under degraded conditions in emergency.

Please reply to the list; please don't CC me.
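A ruleset along the lines Antony suggests, written here as an added example in iptables-save format (it is not from the thread or from either poster): the helper match selects the FTP data connections that a port match cannot see, so they reach QUEUE instead of falling through to the generic ESTABLISHED,RELATED accept. It assumes the ftp conntrack helper module is loaded and that snort_inline reads from the QUEUE target exactly as in Victor's rules; the raw-table CT rule is an assumption for current kernels, which no longer attach helpers automatically, and is not needed on the 2.4/2.6 kernels of the time.

```iptables
# Constructed example ruleset, load with: iptables-restore < this-file
*raw
:OUTPUT ACCEPT [0:0]
# Current kernels do not bind conntrack helpers on their own (the
# nf_conntrack_helper sysctl defaults to off); attach the ftp helper to
# the control connection explicitly. Harmless but unnecessary on 2.4/2.6.
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT

*mangle
:OUTPUT ACCEPT [0:0]
# The original HTTP mark rule from the post.
-A OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
# FTP control connection: matched by port, exactly like HTTP.
-A OUTPUT -p tcp --dport 21 -j MARK --set-mark 0x1
# FTP data connections: the helper match fires for every connection whose
# master connection is tracked by the ftp helper, whatever ports the PORT or
# PASV exchange negotiated. A --dport rule can never predict those ports.
-A OUTPUT -m helper --helper ftp -j MARK --set-mark 0x1
COMMIT

*filter
:OUTPUT ACCEPT [0:0]
# Marked traffic goes to snort_inline before the catch-all accept rule;
# rule order is what keeps the data connections from being accepted unseen.
-A OUTPUT -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# First packet of each inspected session is NEW and carries no helper yet,
# so it is queued by port. The ftp control channel joins HTTP here.
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j QUEUE
-A OUTPUT -p tcp --dport 21 -m state --state NEW -j QUEUE
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
COMMIT
```

In passive mode the client opens the data connection itself, so its first packet is RELATED and already carries the helper match; in active mode the server connects back and only the client's replies traverse OUTPUT, which the same marked ESTABLISHED,RELATED rule covers. Verify with `iptables -t mangle -L OUTPUT -v` during an FTP transfer that the helper rule's packet counter increases.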