Suricata IDS not getting external requests

mathedit

Active Member
Feb 10, 2017
Hello,

I managed to correctly configure the firewall with Proxmox 4.4 and its integration with Suricata (using this wiki page: https://pve.proxmox.com/wiki/Firewall#_tips_and_tricks).

I enabled the HTTP log in Suricata, but I only see inter-VM communications, and not the incoming requests made from the internet. That makes no sense to me, as there is only one bridge (the second is not used) and all the VMs are on it. If traffic from VM to VM goes through it, traffic from the internet should pass through Suricata as well.

Please note that the incoming requests are not blocked by the firewall, so they should go to Suricata.

The Suricata HTTP log should log the requests from everyone as long as they are addressed to the VM, right?

Do you have any hint on how to figure out what is wrong?

Here are my ifconfig and iptables-save results:

Code:
eth0      Link encap:Ethernet  HWaddr x:x:x:x:x:x
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:974463025 errors:0 dropped:83699 overruns:0 frame:0
          TX packets:1566775265 errors:0 dropped:0 overruns:0 carrier:0

fwbr100i0 Link encap:Ethernet  HWaddr x:x:x:x:x:x
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4901002 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
...
fwln100i0 Link encap:Ethernet  HWaddr x:x:x:x:x:x
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15037169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6032695 errors:0 dropped:0 overruns:0 carrier:0

...
fwpr100p0 Link encap:Ethernet  HWaddr x:x:x:x:x:x
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6032695 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15037169 errors:0 dropped:0 overruns:0 carrier:0
...
lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:326639 errors:0 dropped:0 overruns:0 frame:0
          TX packets:326639 errors:0 dropped:0 overruns:0 carrier:0

tap100i0  Link encap:Ethernet  HWaddr x:x:x:x:x:x
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:7968393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18489991 errors:0 dropped:0 overruns:0 carrier:0
...
vmbr0     Link encap:Ethernet  HWaddr x:x:x:x:x:x
          inet adr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Masque:255.255.255.0
          adr inet6: fe80::a60:6eff:fe6a:457e/64 Scope:Lien
          adr inet6: xxxx:xxxx:xxxx:xxxx::/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:814305685 errors:0 dropped:0 overruns:0 frame:0
          TX packets:262091772 errors:0 dropped:0 overruns:0 carrier:0

Code:
*filter
:INPUT ACCEPT [x:x]
:FORWARD ACCEPT [x:x]
:OUTPUT ACCEPT [x:x]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-IPS - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
...
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:xxxx"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:xxxx"
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:xxxx"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
...
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:xxxx"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
...
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:xxxx"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s xx.xx.xx.xx/24 -d xx.xx.xx.xx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s xx.xx.xx.xx/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:xxxx"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d xx.xx.xx.xx/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d xx.xx.xx.xx/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d xx.xx.xx.xx/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d xx.xx.xx.xx/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d xx.xx.xx.xx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:xxxx"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:xxxx"
-A PVEFW-IPS -m physdev --physdev-out tap100i0 --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
...
-A PVEFW-IPS -m comment --comment "PVESIG:xxxx"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:xxxx"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:xxxx"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:xxxx"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:xxxx"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:xxxx"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:xxxx"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:xxxx"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:xxxx"
-A tap100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100i0-IN -j NFQUEUE --queue-num 0 --queue-bypass
-A tap100i0-IN -m comment --comment "PVESIG:xxxx"
-A tap100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j DROP
-A tap100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m comment --comment "PVESIG:xxxx"
...
COMMIT
 
A quick note on my tests:

I tried to disable stream checksum validation as hinted by https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Frequently_Asked_Questions

Sometimes, under heavy traffic (I voluntarily spammed my network interface), some of the requests were showing up. I was also seeing strange behavior with null timestamps in the logs, so I ended up thinking Suricata was broken.

So I upgraded to the Backports version of Suricata, and now it looks like it works...
 
Actually, the backport version of Suricata was ignoring /etc/defaults/suricata and was starting in af_packet mode (which works fine but catches everything). If Suricata is running with nfqueue, there is still the same problem.

What can be wrong in my iptables rules?
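A first check for the situation described in this thread is whether the NFQUEUE rules in the dump above ever match at all, which the per-rule packet counters of `iptables-save -c` show directly. The helper below is an added example, not code from the thread or from Proxmox; its SAMPLE dump is constructed with made-up counters in the shape of the posted rules, and the function names are assumptions.

```shell
#!/bin/sh
# Added helper, not from the original thread: read an `iptables-save -c` dump
# (-c includes per-rule packet:byte counters) and list every NFQUEUE rule with
# its counter. pkts=0 means that rule never matched, so traffic never reached
# Suricata's queue by that path (bridged frames only traverse FORWARD when
# net.bridge.bridge-nf-call-iptables is 1). pkts>0 with an empty Suricata log
# means packets were queued but, because of --queue-bypass, were accepted
# uninspected while nothing was bound to queue 0.
# SAMPLE is a constructed dump with made-up counters, shaped like the rules
# posted above; on the host itself run:  iptables-save -c | nfqueue_counters
SAMPLE='*filter
:FORWARD ACCEPT [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-IPS - [0:0]
:tap100i0-IN - [0:0]
[812345:90000000] -A FORWARD -j PVEFW-FORWARD
[700000:80000000] -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS
[700000:80000000] -A PVEFW-IPS -m physdev --physdev-out tap100i0 --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
[0:0] -A tap100i0-IN -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT'

# One line per NFQUEUE rule on stdin: chain, queue number, packet count, status.
nfqueue_counters() {
    awk '/-j NFQUEUE/ {
        cnt = substr($1, 2, length($1) - 2)   # "[pkts:bytes]" -> "pkts:bytes"
        split(cnt, c, ":")                    # c[1] = packets, c[2] = bytes
        queue = "?"
        for (i = 1; i <= NF; i++)
            if ($i == "--queue-num") queue = $(i + 1)
        status = (c[1] == 0) ? "NEVER-MATCHED" : "matched"
        printf "%-14s queue=%s pkts=%-9s %s\n", $3, queue, c[1], status
    }'
}

# Number of NFQUEUE rules on stdin whose packet counter is still zero.
count_unmatched_nfqueue() {
    nfqueue_counters | grep -c 'NEVER-MATCHED' || true
}

# Live-host checks (print "n/a" where the kernel files are absent, e.g. offline).
queue_listeners() {   # one line per bound queue: queue id, peer portid, ...
    [ -r /proc/net/netfilter/nfnetlink_queue ] && cat /proc/net/netfilter/nfnetlink_queue || echo n/a
}
bridge_nf_call_iptables() {
    [ -r /proc/sys/net/bridge/bridge-nf-call-iptables ] && cat /proc/sys/net/bridge/bridge-nf-call-iptables || echo n/a
}

printf '%s\n' "$SAMPLE" | nfqueue_counters
```

With the constructed counters, the output flags the tap100i0-IN queue rule as never matched while the PVEFW-IPS rule has matched, which is the distinction to look for on a real dump: new inbound flows take the tap100i0-IN path, established ones take PVEFW-IPS.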
 