Forward traffic to Suricata, NFQUEUE, PVEFW-IPS

bfwdd · Jan 31, 2022

I am actually trying to link Pve-IPS output to suricata. I am running suricata using the NFQ mode and im sending traffic to suricata with the gateway-scenario using the following cmd: # iptables -I FORWARD -j PVEFW-IPS

The problem is every time i restart the host the added rule is gone (-A FORWARD -j PVEFW-IPS) and there is no rules-file where i can modify it directly. It seems that proxmox generate the rules directly.

Any idea how can i solve this issue ??
Thanks

spirit · Feb 1, 2022

you could add a rules in /etc/network/interfaces for example

"post-up iptables ...."

(Like for nat, check the forum).

BTW,
proxmox firewall support it natively:

https://pve.proxmox.com/wiki/Firewall

Code:

# /etc/pve/firewall/<VMID>.fw

[OPTIONS]
ips: 1
ips_queues: 0

bfwdd · Feb 1, 2022

spirit said:
you could add a rules in /etc/network/interfaces for example

"post-up iptables ...."

(Like for nat, check the forum).

BTW,
proxmox firewall support it natively:

https://pve.proxmox.com/wiki/Firewall

Code:

# /etc/pve/firewall/<VMID>.fw [OPTIONS] ips: 1 ips_queues: 0

I tried this but, it seems that "post-up " runs before the iptables service so the rule will not be added to the table chain

bfwdd · Feb 10, 2022

it looks like this
post-up iptables -I PVEFW-IPS -m physdev --physdev-is-out -j NFQUEUE --queue-bypass

Search

Search

Forward traffic to Suricata, NFQUEUE, PVEFW-IPS

bfwdd

Renowned Member

spirit

Distinguished Member

bfwdd

Renowned Member

bfwdd

Renowned Member

We value your privacy