Suricata doesn't drop packets - IDS

I have a server with Suricata (169.69.1.11) installed and a specific rule:
drop ICMP any any -> 169.69.1.11 any (msg: "ping dropped";sid:10001;)
In another VM I execute:
ping 169.69.1.11 -c 5
At this point everything is bad: the pings get through and nothing is registered in fast.log, so on the Suricata machine I execute
sudo suricata -i enp0s8
and ping again with the same command (5 pings).
On my other machine everything seems okay, the 5 pings seem to get through, but when I look at the logs on Suricata (/var/log/suricata/fast.log) it logs this line:
03/25/2022-11:11:05.231735 [wDrop] [**] [1:10001:0] ping dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 169.69.1.10:8 -> 169.69.1.11:0
Why are the pings getting through and not being blocked?
Why do I ping 5 times but only 1 is logged?

My first problem was that I didn't have Suricata in IPS mode. First delete your iptables rules with
sudo iptables -F
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
sudo iptables -I FORWARD -j NFQUEUE
and execute Suricata with -D to leave it running in the background:
sudo suricata -q 0 -D
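An added example (not from the question or its answer) that parses fast.log lines like the one quoted above and reports, per sid, whether a drop rule really dropped ([Drop], inline NFQUEUE mode) or only logged [wDrop], which is what Suricata writes when it runs in sniffing IDS mode with -i and cannot block anything. The two extra sample lines are constructed for illustration.

```python
import re
from collections import Counter

# One fast.log alert per line. The optional action prefix is the key field:
# "[Drop]" = packet really dropped (inline IPS, e.g. NFQUEUE with -q 0),
# "[wDrop]" = drop rule matched but Suricata only *would* drop (sniffing IDS
# mode, e.g. -i enp0s8), no prefix = plain alert rule.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fastlog_line(line):
    """Return the alert's fields as a dict, or None if the line does not parse."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = rec["action"] or "alert"
    rec["sid"] = int(rec["sid"])
    rec["prio"] = int(rec["prio"])
    return rec

def drop_mode_report(lines):
    """Per sid, count real drops vs. 'would drop' hits of drop rules.

    Any wDrop count means the sensor is not inline: the rule says drop,
    but the traffic is still passing (the situation in the question)."""
    counts = {}
    for line in lines:
        rec = parse_fastlog_line(line)
        if rec is None or rec["action"] == "alert":
            continue
        counts.setdefault(rec["sid"], Counter())[rec["action"]] += 1
    return {sid: dict(c) for sid, c in counts.items()}

# Constructed sample: the question's wDrop line, plus a plain alert and an
# inline [Drop] line in the same format (both made up for illustration).
SAMPLE_LOG = """\
03/25/2022-11:11:05.231735 [wDrop] [**] [1:10001:0] ping dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 169.69.1.10:8 -> 169.69.1.11:0
03/25/2022-11:12:40.000001 [**] [1:10002:1] test alert [**] [Classification: (null)] [Priority: 3] {TCP} 169.69.1.10:40000 -> 169.69.1.11:22
03/25/2022-11:30:00.000002 [Drop] [**] [1:10001:0] ping dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 169.69.1.10:8 -> 169.69.1.11:0
"""
```

Running drop_mode_report over a live fast.log and alerting on any wDrop count is a cheap check that a sensor meant to be inline has silently fallen back to IDS mode.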

Related

Incoming Connections Getting Dropped with sshuttle running

I am running the traffic from my docker container through sshuttle to a remote server, which is working great with this command:
sshuttle -l 0.0.0.0 -r user@server 0/0 -v
The problem is that I need incoming connections to be allowed to reach my local server via the remote server's ip address and a specific port. I've tried creating an additional ssh tunnel via
ssh -NR 0.0.0.0:43523:localhost:43523
This almost works, as the incoming connections show up in the sshuttle verbose logs, but the connection never establishes (connection timed out from the client side).
Here are the iptables rules created by sshuttle at runtime:
iptables -t nat -N sshuttle-12300
iptables -t nat -F sshuttle-12300
iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables -t nat -I PREROUTING 1 -j sshuttle-12300
iptables -t nat -A sshuttle-12300 -j RETURN -m ttl --ttl 63
iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300
So my question is: What is causing the incoming connections to not work? And how can I fix it?

IPv6 forwarding on wireguard

I've been trying to set up a WireGuard VPN on my Dedibox at Scaleway for the past few days now, with limited success. First of all, IPv4 is working, so at least I am not hopelessly lost. Currently my peers are using private IPv4 addresses to talk to the server, which then NATs them onto its own public IP using iptables. Works great. Now I want to set up IPv6 too, but not using NAT. I want to forward public IPv6 addresses assigned to my peers using ip6tables and use those to go over the internet, rather than using the MASQUERADE option like with IPv4.
I have so far had limited success in that field. I set up a little test environment in GNS3 and without WireGuard it's definitely possible to route IPv6 addresses using ip6tables (just to find out what rules to make, I am kind of new to iptables). Now I tried to do the same thing on my WireGuard-equipped server, but to no avail. My PostUp and PostDown are currently as follows (censoring out my IPv6 addresses):
PostUp:
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -I INPUT 1 -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -I INPUT 2 -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -I FORWARD 1 -o wg0 -j ACCEPT
ip6tables -t filter -I FORWARD 2 -i wg0 -j ACCEPT
PostDown:
iptables -D FORWARD -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -D INPUT -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -D INPUT -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -D FORWARD -o wg0 -j ACCEPT
ip6tables -t filter -D FORWARD -i wg0 -j ACCEPT
The public IPv6 range assigned to my main interface (enp0s20) is 2001:db8:abcd:100::/56, while I want to use 2001:db8:abcd:101::/64 for my Wireguard peers.
Another curious thing is that for some reason it appears as though I can ping between peers on this network, but that might be a fluke here, not exactly sure. I currently have both my workstation and smartphone on this network, and pinging between my workstation and smartphone works fine using the following command on Windows:
ping -6 -S 2001:db8:abcd:101::2 2001:db8:abcd:101::3
Where my workstation ends in 2 and my smartphone ends in 3.
I am at a total loss; can anyone help me with this?

IPtables NAT/Masquerade to allow OpenStack instances to access sites external to the laptop they're running on

I have OpenStack running on a Fedora laptop. OpenStack hates network interfaces that are managed by NetworkManager, so I set up a dummy interface that's used as the port for the br-ex interface that OpenStack allows instances to communicate through to the outside world. I can connect to the floating IPs fine, but they can't get past the subnet that br-ex has. I'd like them to be able to reach addresses external to the laptop. I suspect some iptables NAT/masquerading magic is required. Does anyone have any ideas?
For CentOS 7 OpenStack with 3 nodes you should use the network service:
just install net-tools and disable NetworkManager:
yum install net-tools -y
systemctl disable NetworkManager.service
systemctl stop NetworkManager.service
chkconfig network on
Also you need iptables, not firewalld:
yum install -y iptables-services
systemctl enable iptables.service
systemctl disable firewalld.service
systemctl stop firewalld.service
The controller node has one NIC.
The network and compute nodes have 2 NICs.
Edit the interfaces on all nodes:
for the network node: eth0: ip X.X.X.X (external), eth1: 10.0.0.1 - no gateway
for the controller node: eth0: ip 10.0.0.2 - gateway 10.0.0.1
for the compute node: eth0: ip 10.0.0.3 - gateway 10.0.0.1
Set up iptables like:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
Also enable forwarding. In the file /etc/sysctl.conf add the line:
net.ipv4.ip_forward = 1
and execute the command:
sysctl -p
Should work.

couldn't access internet resource even if successfully connect to pptp vpn

I rent a host located in Tokyo as my VPS server, and I followed this article to install the PPTP server:
article about installing PPTP from DigitalOcean
and my VPS IP is 107.191.60.187
In addition, I installed ufw and allowed pptpd's port this way:
ufw allow 1723
ufw disable && ufw enable
but in fact I can't access internet resources even though I can successfully connect to the pptpd program on the VPS.
I really don't know how to solve it :(
Could anybody help me?
Thanks a lot.
Just a comment on this question:
earlier I made the mistake of setting wrong iptables rules, and then I resolved it with the method below; it works.
#1. First I inspect the status and remove the IPsec server; it conflicts.
sudo service ipsec status
sudo apt remove ipsec xl2tpd
#2. Then I watch port 1723 to judge whether it receives packets.
sudo tcpdump -i eth0 port 1723
#3. Finally I change the rules using iptables directly.
sudo iptables -t nat -nL
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
#4. And save it.
sudo iptables -t nat -S
sudo iptables-save -t nat
#5. Modify the content of the file before.rules so it is applied permanently.
sudo vi /etc/ufw/before.rules
# just like below
*nat
:PREROUTING ACCEPT [73:5676]
:INPUT ACCEPT [6:1415]
:OUTPUT ACCEPT [7:431]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
That's all.

Iptables to modify source ip. Nothing in POSTROUTING chain log

Here is a little picture
Asterisk eth1 10.254.254.2/28------------- Many Good Guys
eth1:1 192.168.83.5/32----------- 192.168.59.3 Bad Guy Peer
I have an Asterisk which is connected with several peers. Some of them are connected through eth1 and one, the baddest, through the alias eth1:1.
When my Asterisk sends an INVITE to peers it goes with the eth1 source. So for the bad guy I need to change my source IP to 192.168.83.5. As far as I know it can be done with iptables.
So I tried the rule
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j SNAT --to 192.168.83.5
and nothing happens.
When I log I can see the sent packets in the INPUT and OUTPUT chains with:
iptables -t filter -A OUTPUT -o eth1 -s 10.254.254.2 -d 192.168.59.3 -j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -t filter -A INPUT -i eth1 -s 192.168.59.3 -d 192.168.83.5 -j LOG --log-level 7 --log-prefix "OUTPUT"
but I don't see any in the POSTROUTING chain with:
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j LOG --log-level 7 --log-prefix "POSTROUTING"
That is, I have nothing to SNAT :(((
At the same time the traffic from other peers is visible in the POSTROUTING log. What can it be?
Any thoughts, wishes, kicks would be very appreciated!
The solution has been found!!
I didn't find a way to make my iptables work. But now I know how to do it without iptables at all.
So generally speaking my task was to modify/mask/replace the source IP of eth1 with the eth1:1 IP.
By the way, I use CentOS 5.8.
And there is a command:
ip route add
which gives you the ability to specify the src address, unlike the route command.
So
ip route add 192.168.59.3/32 via 10.254.254.1 dev eth1 src 192.168.83.5
does just what I need.
Thank you for your attention!
That will not work. The reason is simple: Asterisk will set the packet source address to the address of eth1.
You can start another Asterisk on the same host (with another config dir). I am sorry, I don't know other simple variants.
