csamsel · January 4, 2024 19:54
diff --git a/rules b/rules
 # I had a lot of trouble to debugging a non working portforwarding while using Suricata in IPS mode together with Shorewall.
 # The following configuration finally worked.
 #
 # Make sure that the tcp connection establishment is also NFQUEUE'd. 
 # The minus at the end of DNAT prevents an ACCEPT rule to be created along the DNAT rule, because we want an NFQUEUE rule instead.
 # 0:3,bypass refers to 4 queues with a bypass rule in case Suricata is not available.

 # Example for Plex with an internal port of 32400 and external port of 32411 (target 192.168.2.20)
 DNAT-:info      net             192.168.2.20:32400      tcp  32411
 NFQUEUE(0:3,bypass)     net     loc                     tcp  32400

 # Standard forwarding of Web Traffic (Port 80, 443; target (target 192.168.2.32)
 Web(DNAT-):info net                     192.168.2.32
 Web(NFQUEUE(0:3,bypass))        net     loc:192.168.2.32
	# I had a lot of trouble to debugging a non working portforwarding while using Suricata in IPS mode together with Shorewall.
	# The following configuration finally worked.
	#
	# Make sure that the tcp connection establishment is also NFQUEUE'd.
	# The minus at the end of DNAT prevents an ACCEPT rule to be created along the DNAT rule, because we want an NFQUEUE rule instead.
	# 0:3,bypass refers to 4 queues with a bypass rule in case Suricata is not available.

	# Example for Plex with an internal port of 32400 and external port of 32411 (target 192.168.2.20)
	DNAT-:info net 192.168.2.20:32400 tcp 32411
	NFQUEUE(0:3,bypass) net loc tcp 32400

	# Standard forwarding of Web Traffic (Port 80, 443; target (target 192.168.2.32)
	Web(DNAT-):info net 192.168.2.32
	Web(NFQUEUE(0:3,bypass)) net loc:192.168.2.32