[PVE-User] Proxmox Suricata Setup

Alexandre DERUMIER aderumier at odiso.com
Tue Dec 18 14:44:48 CET 2018


As you have configured nfqueue=2, have you set up

ips_queues: 2

?


----- Original Message -----
From: "Mark Kaye" <in_touch_uk at yahoo.co.uk>
To: "proxmoxve" <pve-user at pve.proxmox.com>
Sent: Tuesday 18 December 2018 10:54:23
Subject: [PVE-User] Proxmox Suricata Setup

Hi,
I've followed the instructions for setting up Suricata on my Proxmox server as detailed at: https://pve.proxmox.com/wiki/Firewall

However, no traffic is currently being filtered by Suricata to or from the VMs or containers (dns, http, fast logs show nothing).
My /etc/default/suricata is:

RUN=yes
SURCONF=/etc/suricata/suricata.yaml
LISTENMODE=nfqueue
IFACE=eth0
NFQUEUE=2
TCMALLOC="YES"
PIDFILE=/var/run/suricata.pid

I have an OVS bond (bond0) set up with an OVS bridge (vmbr0) for the public interface.
I've had to override the default Suricata systemd configuration in order to run the Suricata init script, and thus the /etc/default/suricata configuration, using the following:

[Service]
ExecStart=
ExecStart=/etc/init.d/suricata start
ExecStop=
ExecStop=/etc/init.d/suricata stop

IPTABLES
--------------
 pkts bytes target               prot opt in  out source         destination
    0     0 PVEFW-reject         tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      tcp dpt:43
94086   13M PVEFW-DropBroadcast  all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0 ACCEPT               icmp --  *   *   0.0.0.0/0      0.0.0.0/0      icmptype 3 code 4
    0     0 ACCEPT               icmp --  *   *   0.0.0.0/0      0.0.0.0/0      icmptype 11
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID
    0     0 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      multiport dports 135,445
    3   234 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp dpts:137:139
    0     0 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp spt:137 dpts:1024:65535
    0     0 DROP                 tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      multiport dports 135,139,445
    0     0 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp dpt:1900
   44  4694 DROP                 tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      tcp flags:!0x17/0x02
    0     0 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp spt:53
 1617 90572                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */

Chain PVEFW-DropBroadcast (2 references)
 pkts bytes target               prot opt in  out source         destination
 2034  202K DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ADDRTYPE match dst-type BROADCAST
90388   13M DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ADDRTYPE match dst-type MULTICAST
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ADDRTYPE match dst-type ANYCAST
    0     0 DROP                 all  --  *   *   0.0.0.0/0      224.0.0.0/4
 1664 95500                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
 pkts bytes target               prot opt in  out source         destination
  197 91271 PVEFW-IPS            all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate RELATED,ESTABLISHED
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID
   76  5238 ACCEPT               all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate RELATED,ESTABLISHED
14773 1962K PVEFW-FWBR-IN        all  --  *   *   0.0.0.0/0      0.0.0.0/0      PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
   75  4358 PVEFW-FWBR-OUT       all  --  *   *   0.0.0.0/0      0.0.0.0/0      PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
   75  4358                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:SObnoWmKDADnyocGfaX95tEgIRE */

Chain PVEFW-FWBR-IN (1 references)
 pkts bytes target               prot opt in  out source         destination
94086   13M PVEFW-smurfs         all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID,NEW
94086   13M veth100i0-IN         all  --  *   *   0.0.0.0/0      0.0.0.0/0      PHYSDEV match --physdev-out veth100i0 --physdev-is-bridged
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:4OE5DGCM8EKNLmQbkV3LIx5w1QM */

Chain PVEFW-FWBR-OUT (1 references)
 pkts bytes target               prot opt in  out source         destination
  170  9994 veth100i0-OUT        all  --  *   *   0.0.0.0/0      0.0.0.0/0      PHYSDEV match --physdev-in veth100i0 --physdev-is-bridged
  170  9994                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:lXaefvpIDNAYTJwiaBF5f1+faEw */

Chain PVEFW-HOST-IN (1 references)
 pkts bytes target               prot opt in  out source         destination
3551K 7022M ACCEPT               all  --  lo  *   0.0.0.0/0      0.0.0.0/0
 1289 51560 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID
5599K 7971M ACCEPT               all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate RELATED,ESTABLISHED
3494K  606M PVEFW-smurfs         all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID,NEW
    0     0 RETURN               2    --  *   *   0.0.0.0/0      0.0.0.0/0
 8672  451K RETURN               tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      match-set PVEFW-0-management-v4 src tcp dpt:8006
    0     0 RETURN               tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
    0     0 RETURN               tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      match-set PVEFW-0-management-v4 src tcp dpt:3128
   21  4420 RETURN               tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      match-set PVEFW-0-management-v4 src tcp dpt:22
    0     0 RETURN               udp  --  *   *   192.168.1.0/24 192.168.1.0/24 udp dpts:5404:5405
    0     0 RETURN               udp  --  *   *   192.168.1.0/24 0.0.0.0/0      ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
3486K  606M RETURN               all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:ALOh8WDdOmO5Ptu5R2nVTkfCuQE */

Chain PVEFW-HOST-OUT (1 references)
 pkts bytes target               prot opt in  out source         destination
3551K 7022M ACCEPT               all  --  *   lo  0.0.0.0/0      0.0.0.0/0
    7   280 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID
5686K 5074M ACCEPT               all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate RELATED,ESTABLISHED
   20   800 RETURN               2    --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0 RETURN               tcp  --  *   *   0.0.0.0/0      192.168.1.0/24 tcp dpt:8006
    0     0 RETURN               tcp  --  *   *   0.0.0.0/0      192.168.1.0/24 tcp dpt:22
    0     0 RETURN               tcp  --  *   *   0.0.0.0/0      192.168.1.0/24 tcp dpts:5900:5999
    0     0 RETURN               tcp  --  *   *   0.0.0.0/0      192.168.1.0/24 tcp dpt:3128
    0     0 RETURN               udp  --  *   *   0.0.0.0/0      192.168.1.0/24 udp dpts:5404:5405
 435K  168M RETURN               udp  --  *   *   0.0.0.0/0      0.0.0.0/0      ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
3303K  487M RETURN               all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:RXafES/zd/ydTJpoGNqsst+Y1Ws */

Chain PVEFW-INPUT (1 references)
 pkts bytes target               prot opt in  out source         destination
2177K 2663M PVEFW-HOST-IN        all  --  *   *   0.0.0.0/0      0.0.0.0/0
 591K  102M                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-IPS (1 references)
 pkts bytes target               prot opt in  out source         destination
  121 86033 NFQUEUE              all  --  *   *   0.0.0.0/0      0.0.0.0/0      PHYSDEV match --physdev-out veth100i0 --physdev-is-bridged NFQUEUE num 0 bypass
   76  5238                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:M9aJUBIEQiOQag1Lup5QtAbon7c */

Chain PVEFW-OUTPUT (1 references)
 pkts bytes target               prot opt in  out source         destination
  13M   13G PVEFW-HOST-OUT       all  --  *   *   0.0.0.0/0      0.0.0.0/0
3738K  655M                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 PVEFW-reject         tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      tcp dpt:43
    0     0 PVEFW-DropBroadcast  all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0 ACCEPT               icmp --  *   *   0.0.0.0/0      0.0.0.0/0      icmptype 3 code 4
    0     0 ACCEPT               icmp --  *   *   0.0.0.0/0      0.0.0.0/0      icmptype 11
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ctstate INVALID
    0     0 PVEFW-reject         udp  --  *   *   0.0.0.0/0      0.0.0.0/0      multiport dports 135,445
    0     0 PVEFW-reject         udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp dpts:137:139
    0     0 PVEFW-reject         udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp spt:137 dpts:1024:65535
    0     0 PVEFW-reject         tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      multiport dports 135,139,445
    0     0 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp dpt:1900
    0     0 DROP                 tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      tcp flags:!0x17/0x02
    0     0 DROP                 udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp spt:53
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */

Chain PVEFW-SET-ACCEPT-MARK (2 references)
 pkts bytes target               prot opt in  out source         destination
  170  9994 MARK                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      MARK or 0x80000000
  170  9994                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (6 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ADDRTYPE match dst-type BROADCAST
    0     0 DROP                 all  --  *   *   224.0.0.0/4    0.0.0.0/0
    0     0 DROP                 icmp --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0 REJECT               tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      reject-with tcp-reset
    0     0 REJECT               udp  --  *   *   0.0.0.0/0      0.0.0.0/0      reject-with icmp-port-unreachable
    0     0 REJECT               icmp --  *   *   0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-unreachable
    0     0 REJECT               all  --  *   *   0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
 pkts bytes target               prot opt in  out source         destination
  170 58821 RETURN               all  --  *   *   0.0.0.0        0.0.0.0/0
    0     0 PVEFW-smurflog       all  --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] ADDRTYPE match src-type BROADCAST
    0     0 PVEFW-smurflog       all  --  *   *   224.0.0.0/4    0.0.0.0/0      [goto]
3588K  619M                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 PVEFW-logflags       tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] tcp flags:0x3F/0x29
    0     0 PVEFW-logflags       tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] tcp flags:0x3F/0x00
    0     0 PVEFW-logflags       tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] tcp flags:0x06/0x06
    0     0 PVEFW-logflags       tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] tcp flags:0x03/0x03
    0     0 PVEFW-logflags       tcp  --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] tcp spt:0 flags:0x17/0x02
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Chain veth100i0-IN (1 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 ACCEPT               udp  --  *   *   0.0.0.0/0      0.0.0.0/0      udp spt:67 dpt:68
94086   13M PVEFW-Drop           all  --  *   *   0.0.0.0/0      0.0.0.0/0
 1617 90572 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:6d+rQEp2SN9HQCSdz1apldUWciw */

Chain veth100i0-OUT (1 references)
 pkts bytes target               prot opt in  out source         destination
    0     0 PVEFW-SET-ACCEPT-MARK udp --  *   *   0.0.0.0/0      0.0.0.0/0      [goto] udp spt:68 dpt:67
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      MAC ! XX:XX:XX:XX:XX:XX
    0     0 DROP                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      ! match-set PVEFW-100-ipfilter-net0-v4 src
  120  7057 MARK                 all  --  *   *   0.0.0.0/0      0.0.0.0/0      MARK and 0x7fffffff
  120  7057 PVEFW-SET-ACCEPT-MARK all --  *   *   0.0.0.0/0      0.0.0.0/0      [goto]
    0     0                      all  --  *   *   0.0.0.0/0      0.0.0.0/0      /* PVESIG:6E+MZF3R6zzuBwUPvrw3GrGj9GQ */

Anybody got this working or have any advice?
Cheers,
Mark
_______________________________________________ 
pve-user mailing list 
pve-user at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user 
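The mismatch behind this thread is visible in the quoted dump: Suricata is started with NFQUEUE=2, but the PVEFW-IPS chain hands bridged VM traffic to "NFQUEUE num 0 bypass", so Suricata never sees a packet and the bypass flag lets everything through unfiltered. The script below is an added example, not part of the thread or of Proxmox, that cross-checks the queue number in the three places it lives: /etc/default/suricata, the ips_queues option in the node's host.fw (the /etc/pve/nodes/<node>/host.fw path and the [OPTIONS] section follow the Proxmox wiki page Mark links to), and the rule actually loaded in the PVEFW-IPS chain. It assumes ips_queues is a single queue number rather than a range, treats a missing ips_queues as queue 0 (which is what the dump shows), and the --live flag is the script's own; the embedded sample inputs are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the NFQUEUE number in the
# three places it lives on a Proxmox host running Suricata in IPS mode:
#   1. /etc/default/suricata          NFQUEUE=<n>        what Suricata listens on
#   2. /etc/pve/nodes/<node>/host.fw  ips_queues: <n>    what pve-firewall is told to use
#   3. iptables -vnL PVEFW-IPS        "NFQUEUE num <n>"  what is actually loaded
# Assumptions: ips_queues is a single queue number (not a range); host.fw lives
# at the path used by the Proxmox wiki. All sample inputs below are constructed.

suricata_queue() {        # stdin: /etc/default/suricata text -> queue number
    sed -n 's/^NFQUEUE=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

pve_ips_queues() {        # stdin: host.fw text -> ips_queues, or 0 if unset
    q=$(awk -F': *' '/^\[OPTIONS\]/ {s=1; next} /^\[/ {s=0}
                     s && $1=="ips_queues" {print $2; exit}')
    # an unset ips_queues ends up as queue 0 in the generated rule, which is
    # exactly the "NFQUEUE num 0 bypass" line in the thread's dump
    printf '%s\n' "${q:-0}"
}

iptables_ips_queue() {    # stdin: iptables -vnL text -> queue number in PVEFW-IPS
    awk '/^Chain PVEFW-IPS / {s=1; next} /^Chain / {s=0}
         s && /NFQUEUE num/ {for (i=1; i<=NF; i++) if ($i=="num") {print $(i+1); exit}}'
}

check_queues() {          # $1 suricata, $2 ips_queues, $3 loaded rule -> 0 if all agree
    if [ -n "$1" ] && [ "$1" = "$2" ] && [ "$2" = "$3" ]; then
        echo "OK: Suricata, ips_queues and PVEFW-IPS all use NFQUEUE $1"
        return 0
    fi
    echo "MISMATCH: suricata=${1:-unset} ips_queues=$2 PVEFW-IPS=${3:-no rule}"
    echo "  Suricata sees nothing until all three agree, e.g. put"
    echo "  'ips_queues: ${1:-2}' under [OPTIONS] in host.fw and reload the firewall"
    return 1
}

# --- constructed sample inputs mirroring the thread ---------------------------
SURICATA_DEFAULT='RUN=yes
SURCONF=/etc/suricata/suricata.yaml
LISTENMODE=nfqueue
NFQUEUE=2'

HOST_FW_BEFORE='[OPTIONS]
ips: 1'

HOST_FW_AFTER='[OPTIONS]
ips: 1
ips_queues: 2'

IPTABLES_BEFORE='Chain PVEFW-IPS (1 references)
 pkts bytes target  prot opt in out source    destination
  121 86033 NFQUEUE all  --  *  *   0.0.0.0/0 0.0.0.0/0   PHYSDEV match --physdev-out veth100i0 --physdev-is-bridged NFQUEUE num 0 bypass
   76  5238         all  --  *  *   0.0.0.0/0 0.0.0.0/0   /* PVESIG:constructed */
Chain PVEFW-OUTPUT (1 references)'

IPTABLES_AFTER=$(printf '%s\n' "$IPTABLES_BEFORE" | sed 's/NFQUEUE num 0/NFQUEUE num 2/')

run_sample() {            # $1 host.fw text, $2 iptables text -> check_queues status
    check_queues "$(printf '%s\n' "$SURICATA_DEFAULT" | suricata_queue)" \
                 "$(printf '%s\n' "$1" | pve_ips_queues)" \
                 "$(printf '%s\n' "$2" | iptables_ips_queue)"
}

live_check() {            # assumption: run as root on the PVE node itself
    check_queues "$(suricata_queue < /etc/default/suricata)" \
                 "$(pve_ips_queues < "/etc/pve/nodes/$(hostname)/host.fw")" \
                 "$(iptables -vnL PVEFW-IPS | iptables_ips_queue)"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "# state from the thread:"; run_sample "$HOST_FW_BEFORE" "$IPTABLES_BEFORE" || true
    echo "# after adding ips_queues: 2:"; run_sample "$HOST_FW_AFTER" "$IPTABLES_AFTER"
fi
```

Run with no arguments to see the constructed before/after comparison, or with --live on the node to read the real files and the loaded ruleset. Checking the loaded rule rather than only the config files matters because host.fw is only applied when pve-firewall regenerates the ruleset, and a queue-bypass rule with nobody listening silently passes traffic instead of failing closed.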