Configure Suricata IPS Mode with Nftables firewall rule

Support for security such as Firewalls and securing linux
Post Reply
nicholaswkc
Posts: 14
Joined: 2023/03/04 01:45:04

Configure Suricata IPS Mode with Nftables firewall rule

Post by nicholaswkc » 2023/05/24 08:38:27

Dear all forumer, I had configured my Centos 9 stream to implement IPS with suricata. Everything run perfectly except the traffic is not directed to nftables yet.
This is my nftables firewall rules.

/etc/sysconfig/nftables.config
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "early drop of invalid packets"
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
iif lo accept comment "accept loopback"
iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
ip protocol icmp counter accept comment "accept all ICMP types"
ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
counter comment "count dropped packets"
}

chain forward {
type filter hook forward priority 0; policy drop;
counter comment "count dropped packets"
}

# If you're not counting packets, this chain can be omitted.
chain output {
type filter hook output priority 0; policy accept;
counter comment "count accepted packets"
}
}
I read the suricata official documentation where need to add following rules to the firewall ruleset but i don’t know how to translate it into format like above.
nft> add chain filter IPS { type filter hook forward priority 10;}
To send all forwarded packets to Suricata one can use
nft> add rule filter IPS queue
Questions for Crowdsec:
From /etc/crowdsec/bouncer/crowdsec-firewall-bouncer.yaml.
There is
## nftables
nftables:
ipv4:
enabled: true
set-only: false
table: crowdsec
chain: crowdsec-chain
priority: -10
ipv6:
enabled: true
set-only: false
table: crowdsec6
chain: crowdsec6-chain
priority: -10
Do we need to create the table and chain according to the configuration. If yes, How?

Hope someone can convert the command based add rule to correct syntax in file.
Please help. Thanks. A billion thanks for your help.

User avatar
jlehtone
Posts: 4549
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configure Suricata IPS Mode with Nftables firewall rule

Post by jlehtone » 2023/06/10 10:51:14

If you do run those two nft commands, that adds a chain with a rule.
https://access.redhat.com/documentation ... _and_rules
Then you will have two base chains hooked to forward:

Code: Select all

chain forward {
    type filter hook forward priority 0; policy drop;
    counter comment "count dropped packets"
}

chain IPS {
    type filter hook forward priority 10;
    queue
}
The default policy is 'accept'. However, the 'chain forward' has higher priority and policy 'drop',
so nothing will traverse 'chain IPS'. See https://wiki.nftables.org/wiki-nftables ... ing_chains

You don't need 'chain IPS'. You can add the rule to 'chain forward'.
Lets add counter, at least initially, to help "debugging":

Code: Select all

chain forward {
    type filter hook forward priority 0; policy drop;
    counter queue
    # by now all routed packets have been used by suricata, or dropped (if suricata does not run)
    # either way, the following counter should stay at 0
    counter comment "count dropped packets"
}

Post Reply