{"id":1379,"date":"2026-04-13T23:38:37","date_gmt":"2026-04-13T21:38:37","guid":{"rendered":"https:\/\/ndk.sytes.net\/wordpress\/?p=1379"},"modified":"2026-04-15T23:26:10","modified_gmt":"2026-04-15T21:26:10","slug":"suricata-ips-for-running-server","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=1379","title":{"rendered":"Suricata IPS for running server"},"content":{"rendered":"\n<p>Make sure that Suricata is started with the &#8220;-q 0&#8221; parameter so that it reads packets from NFQUEUE queue 0, the queue the firewall rules below send traffic to!<\/p>\n\n\n\n<p>In&nbsp;<code>\/etc\/suricata\/suricata.yaml<\/code>&nbsp;change to:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nfq:<br>    mode: repeat<br>    repeat-mark: 1<br>    repeat-mask: 1<\/pre>\n\n\n\n<p>In&nbsp;<code>\/etc\/ufw\/before.rules<\/code> and&nbsp;<code>\/etc\/ufw\/before6.rules<\/code> insert this section. The mark match keeps packets that Suricata re-injects in repeat mode (it sets mark 1 on them) from being queued a second time, and <code>--queue-bypass<\/code> lets the SSH rules behave like ACCEPT when Suricata is not running, so you are not locked out:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">### SURICATA ###<br>-I INPUT 1 -p tcp --dport 22 -m mark ! --mark 1\/1 -j NFQUEUE --queue-bypass<br>-I OUTPUT 1 -p tcp --sport 22 -m mark ! --mark 1\/1 -j NFQUEUE --queue-bypass<br>-I FORWARD 1 -m mark ! --mark 1\/1 -j NFQUEUE<br>-I INPUT 2 -m mark ! --mark 1\/1 -j NFQUEUE<br>-I OUTPUT 2 -m mark ! --mark 1\/1 -j NFQUEUE<br>### END SURICATA ###<\/pre>\n\n\n\n<p>If you are on RHEL or a similar distribution, edit <code>\/etc\/firewalld\/direct.xml<\/code> instead:<\/p>\n\n\n\n<p>IPTABLES (passthrough):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?xml version=\"1.0\" encoding=\"utf-8\"?><br>&lt;direct><br>  &lt;passthrough ipv=\"ipv4\">-I INPUT 1 -p tcp --dport 22 -m mark ! --mark 1\/1 -j NFQUEUE --queue-bypass&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv6\">-I INPUT 1 -p tcp --dport 22 -m mark ! --mark 1\/1 -j NFQUEUE --queue-bypass&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv4\">-I INPUT 2 -m mark ! --mark 1\/1 -j NFQUEUE&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv6\">-I INPUT 2 -m mark ! --mark 1\/1 -j NFQUEUE&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv4\">-I OUTPUT 1 -m mark ! --mark 1\/1 -j NFQUEUE&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv6\">-I OUTPUT 1 -m mark ! --mark 1\/1 -j NFQUEUE&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv4\">-I FORWARD 1 -m mark ! --mark 1\/1 -j NFQUEUE&lt;\/passthrough><br>  &lt;passthrough ipv=\"ipv6\">-I FORWARD 1 -m mark ! --mark 1\/1 -j NFQUEUE&lt;\/passthrough><br>&lt;\/direct><\/pre>\n\n\n\n<p>NFTABLES (rule):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?xml version=\"1.0\" encoding=\"utf-8\"?><br>&lt;direct><br>  &lt;rule ipv=\"ipv4\" table=\"filter\" chain=\"INPUT\" priority=\"0\">-p tcp --dport 22 -m mark '!' --mark 1\/1 -j NFQUEUE --queue-bypass&lt;\/rule><br>  &lt;rule ipv=\"ipv4\" table=\"filter\" chain=\"INPUT\" priority=\"1\">-m mark '!' --mark 1\/1 -j NFQUEUE&lt;\/rule><br>  &lt;rule ipv=\"ipv4\" table=\"filter\" chain=\"OUTPUT\" priority=\"1\">-m mark '!' --mark 1\/1 -j NFQUEUE&lt;\/rule><br>  &lt;rule ipv=\"ipv6\" table=\"filter\" chain=\"INPUT\" priority=\"0\">-p tcp --dport 22 -m mark '!' --mark 1\/1 -j NFQUEUE --queue-bypass&lt;\/rule><br>  &lt;rule ipv=\"ipv6\" table=\"filter\" chain=\"INPUT\" priority=\"1\">-m mark '!' --mark 1\/1 -j NFQUEUE&lt;\/rule><br>  &lt;rule ipv=\"ipv6\" table=\"filter\" chain=\"OUTPUT\" priority=\"1\">-m mark '!' --mark 1\/1 -j NFQUEUE&lt;\/rule><br>  &lt;rule ipv=\"ipv4\" table=\"filter\" chain=\"FORWARD\" priority=\"0\">-m mark '!' --mark 1\/1 -j NFQUEUE&lt;\/rule><br>  &lt;rule ipv=\"ipv6\" table=\"filter\" chain=\"FORWARD\" priority=\"0\">-m mark '!' --mark 1\/1 -j NFQUEUE&lt;\/rule><br>&lt;\/direct><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Make sure that Suricata is started with the &#8220;-q 0&#8221; parameter so that it reads packets from NFQUEUE queue 0, the queue the firewall rules below send traffic to! In&nbsp;\/etc\/suricata\/suricata.yaml&nbsp;change to: nfq: mode: repeat repeat-mark: 1 repeat-mask: 1 In&nbsp;\/etc\/ufw\/before.rules and&nbsp;\/etc\/ufw\/before6.rules insert this section. The mark match keeps packets that Suricata re-injects in repeat mode [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-1379","post","type-post","status-publish","format-standard","hentry","category-linuxunix"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1379"}],"version-history":[{"count":7,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1379\/revisions"}],"predecessor-version":[{"id":1387,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1379\/revisions\/1387"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}