Suricata with NFQ (using Suricata IDS/IPS after host pve firewall)

CSoellinger

New Member
May 25, 2018
Hi,

I'm trying to get Suricata working with the PVE firewall at host level, but it won't work like I want. At the moment both are working, but in my opinion in the wrong order, because it looks like Suricata is acting before the PVE firewall, which is not right for me because it should only detect and prevent on traffic allowed by the PVE firewall.

So what I've done is start Suricata with the parameter "-q 0" to run it in NFQ runmode. Second, I've set the Suricata config to use bypass-mark and bypass-mask. Third, I've added an iptables rule to forward traffic to Suricata.

1.
Code:
/usr/bin/suricata -D -q 0 -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid

2.
Code:

3. Note: I also tried to use -I instead of -A, doesn't matter
Code:
iptables -A FORWARD -m mark ! --mark 0x4/0x4 -j NFQUEUE

I always see blocks on many other ports, but only OpenVPN is an open port at the moment.

Code:
05/25/2018-21:31:15.907731  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 180.104.112.226:46403 -> ********:1433
05/25/2018-21:33:02.206115  [**] [1:2402000:4818] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 181.214.87.30:45680 -> ********:31566
05/25/2018-21:33:03.169543  [**] [1:2403332:40783] ET CINS Active Threat Intelligence Poor Reputation IP group 33 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 51.15.67.70:36724 -> ********:445

So my question is: am I right to insert it into FORWARD, or should I put it into PVEFW-FORWARD?

Maybe someone else already has it running like this:

internet --> pve-firewall --> suricata --> server

cheers,
Chris
 
Thanks for the fast reply, but the tutorial from the wiki is about using IPS for a VM.
But I want exactly the same for the PVE host. Using the same options in the cluster.fw file is not possible, so I've tried to find another way using a custom iptables rule. Or maybe another person already had the same problem and can give me a hint on how to solve this.

At the moment I'm stuck at the point where Suricata is running in capture mode nfq. I don't get any logs (I tried an ICMP test rule for any) until I add the iptables rule to forward traffic to it. But if I add it, Suricata is checking all traffic and not just the traffic which is accepted by the host firewall.

Commands I've run to add the iptables rule:
Code:
iptables -N CHECK_IPS
iptables -A FORWARD -j CHECK_IPS
iptables -A CHECK_IPS -m mark ! --mark 4/4 -j NFQUEUE

My iptables looks like this:
Code:
# Generated by iptables-save v1.6.0 on Sun May 27 03:37:30 2018
*nat
:PREROUTING ACCEPT [75869:3762952]
:INPUT ACCEPT [105:6494]
:OUTPUT ACCEPT [92:6189]
:POSTROUTING ACCEPT [75073:3407329]
-A POSTROUTING -s 1.1.1.0/24 ! -d 1.1.1.0/24 -o enp4s0 -j MASQUERADE
-A POSTROUTING -s 1.1.1.0/24 ! -d 1.1.1.0/24 -o enp4s0 -j MASQUERADE
COMMIT
# Completed on Sun May 27 03:37:30 2018
# Generated by iptables-save v1.6.0 on Sun May 27 03:37:30 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CHECK_IPS - [0:0]
:GROUP-proxmox-IN - [0:0]
:GROUP-proxmox-OUT - [0:0]
:GROUP-vpnaccess-IN - [0:0]
:GROUP-vpnaccess-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -i enp4s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.1.1.0/24 -o enp4s0 -j ACCEPT
-A FORWARD -i enp4s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.1.1.0/24 -o enp4s0 -j ACCEPT
-A FORWARD -j PVEFW-FORWARD
-A FORWARD -j CHECK_IPS
-A OUTPUT -j PVEFW-OUTPUT
-A CHECK_IPS -m mark ! --mark 0x4/0x4 -j NFQUEUE --queue-num 0
-A GROUP-proxmox-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p udp -m udp --dport 5404:5405 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 5900:5999 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 111 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 3128 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -m comment --comment "PVESIG:1bhQCp8D64mzRYocww4hc/RmScI"
-A GROUP-proxmox-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-proxmox-OUT -m comment --comment "PVESIG:tZr2a960IhOJdtNbHplv0z6TvE0"
-A GROUP-vpnaccess-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-vpnaccess-IN -d 1.2.3.4/32 -p udp -m udp --dport 1194 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-vpnaccess-IN -s 1.1.1.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-vpnaccess-IN -s 1.1.1.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-vpnaccess-IN -m comment --comment "PVESIG:x75Sq6zS5vvS+mkYlNuwwTEFsL4"
-A GROUP-vpnaccess-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-vpnaccess-OUT -m comment --comment "PVESIG:qrjZtee4ASRbbTpFjvgLtrN4zh4"
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ka4S8B0HM4A1RRtoso/euMz41l8"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -j GROUP-vpnaccess-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j GROUP-proxmox-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -j GROUP-proxmox-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:CYOmncpgURwndQL1XtxPTCDXtJk"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j GROUP-vpnaccess-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -j GROUP-proxmox-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -j GROUP-proxmox-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:TM6mfXqpr6j5hXtNO3B5B3IWhPM"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j NFLOG --nflog-prefix  ":0:7:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:xxngynQ61gj3oDwdvenmOrWc1Z4"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j NFLOG --nflog-prefix  ":0:7:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:07iN6Ltw+eq1SF8lRxwoE+285nY"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Sun May 27 03:37:30 2018

However, it would be nice if we could enable Suricata on host level too, like at the VM level :)

cheers
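An added triage check (my own example, not from the post or from Proxmox): it reads Suricata fast.log lines shaped like the ones in the first post against the host's iptables-save output and flags alerts whose destination port no *-IN security group accepts from an unrestricted source. Such alerts are the symptom described above: the host firewall would have dropped the packet, so Suricata must be seeing it before PVEFW-HOST-IN does. The alert lines and rule excerpt are constructed; the chain names and the PVEFW-SET-ACCEPT-MARK convention come from the posted dump.

```python
import re
from typing import List, Set, Tuple
# Constructed sample data: fast.log lines shaped like the post's (destination masked as
# there, RFC 5737 sources, sid 1000001 is a made-up local rule) and an iptables-save excerpt.
FAST_LOG = """\
05/25/2018-21:31:15.907731  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:46403 -> ********:1433
05/25/2018-21:33:03.169543  [**] [1:2403332:40783] ET CINS Active Threat Intelligence Poor Reputation IP group 33 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:36724 -> ********:445
05/25/2018-21:40:00.000000  [**] [1:1000001:1] LOCAL constructed OpenVPN probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.5:55555 -> ********:1194
"""
IPTABLES_SAVE = """\
-A GROUP-vpnaccess-IN -d 1.2.3.4/32 -p udp -m udp --dport 1194 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-vpnaccess-IN -s 1.1.1.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -s 2.2.2.0/24 -d 2.2.2.0/24 -p tcp -m tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
"""
ALERT_RE = re.compile(r"\[1:(\d+):\d+\].*\{(\w+)\} \S+:\d+ -> \S+:(\d+)$")
RULE_RE = re.compile(r"^-A GROUP-\S+-IN (.*)-g PVEFW-SET-ACCEPT-MARK")

def public_host_ports(save_text: str) -> Set[Tuple[str, str]]:
    """(PROTO, dport-spec) pairs an *-IN security group accepts from any source;
    rules carrying a '-s' restriction are internal-only and are skipped."""
    ports = set()
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if not m or "-s " in m.group(1):
            continue
        spec = re.search(r"-p (\w+) .*--dport (\S+)", m.group(1))
        if spec:
            ports.add((spec.group(1).upper(), spec.group(2)))
    return ports

def port_allowed(proto: str, dport: str, allowed: Set[Tuple[str, str]]) -> bool:
    """True if dport is an allowed port or falls inside an allowed 'lo:hi' range."""
    for p, spec in allowed:
        lo, _, hi = spec.partition(":")
        if p == proto and int(lo) <= int(dport) <= int(hi or lo):
            return True
    return False

def triage_alerts(fast_log: str, save_text: str) -> List[Tuple[str, str, str, bool]]:
    """Per alert: (sid, proto, dport, reachable). reachable=False means the PVE host
    firewall would have dropped that packet, so Suricata inspected it first."""
    allowed = public_host_ports(save_text)
    result = []
    for line in fast_log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            sid, proto, dport = m.groups()
            result.append((sid, proto, dport, port_allowed(proto, dport, allowed)))
    return result
```

Run against the real files, only the rows with reachable=False matter: every one of them is a packet the firewall would have refused that Suricata nevertheless had to inspect.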
 
Okay, I've found a way... not the best, but it works ;)

Code:
# Create new chain
iptables -N CHECK_IPS

# Check all outgoing connections
iptables -A CHECK_IPS -s 1.1.1.1 -d 0/0 -m mark ! --mark 4/4 -j NFQUEUE

# Check incoming OpenVPN
iptables -A CHECK_IPS -p udp -s 0/0 --dport 1194 -m mark ! --mark 4/4 -j NFQUEUE

# Check incoming pings (only for testing)
iptables -A CHECK_IPS -p icmp --icmp-type 8 -s 0/0 -m mark ! --mark 4/4 -j NFQUEUE

# Check incoming host connections
iptables -I PVEFW-HOST-IN -j CHECK_IPS

# Check outgoing host connections
iptables -I PVEFW-HOST-OUT -j CHECK_IPS

So what I don't like here is that I have to create a new rule for every public open port at host level.

Please correct me if there is a better way to combine the PVE host firewall with Suricata (or any other IPS).

cheers
Chris
 
https://suricata.readthedocs.io/en/...l?highlight=nfq#setting-up-ips-with-netfilter
 
