Simplify Suricata flow for OpenCanary forwarding#13
Closed
01rabbit wants to merge 5 commits into feature/suricata-automation from
Conversation
Changes:
- Disabled nftables service and minimized /etc/nftables.conf
- Migrated NAT rules to iptables (172.16.0.0/24, 172.16.10.0/24 MASQUERADE)
- Updated installer scripts (setup_wireless.sh, install_azazel.sh)
- Converted ai_policy_block.sh from nftables to iptables
- Rewrote azazel_update_dnat.sh to use iptables DNAT
- Deprecated nft_apply.sh with migration notice
- Updated documentation (README.md, README_ja.md, scripts/README.md)
- Added configs/nftables/README.md explaining the migration
- Created iptables_save.sh for rule persistence
- Updated OpenCanary config to use loopback (127.0.0.1:2222, 8081)
- Updated docker-compose.yml to publish OpenCanary ports on all interfaces
- Fixed traffic_control.py to avoid duplicate redirect entries
- Added watch_eve_redirect.py and manual_monitor.sh for testing

This resolves the issue where the inet filter/forward policy drop was blocking Docker container traffic, including OpenCanary SSH (port 2222).
Major improvements:
- Fixed DNAT rules to properly redirect SSH (port 22 -> 2222) to the OpenCanary container
- Updated OpenCanary IP from loopback (127.0.0.1) to direct container IP (172.16.10.3)
- Added interface specification (-i wlan1) to DNAT rules for external traffic only
- Fixed port translation in iptables DNAT rules (--to-destination 172.16.10.3:2222)
- Moved AI evaluation under notification cooldown control to prevent spam
- Added idempotency check for DNAT redirects to prevent duplicate rules

Technical changes:
1. traffic_control.py: Enhanced _try_add_iptables_dnat() with proper rule format
2. main_suricata.py: Moved notify_ai_analysis_async() inside should_notify() block
3. All config files: Updated canary IP to 172.16.10.3 and port to 2222
4. notify_config.py, delay_action.py: Updated default OpenCanary IP

This ensures:
- Attackers are properly redirected to the honeypot regardless of their IP
- Dynamic WAN interface detection via get_active_wan_interface()
- No duplicate notifications/AI evaluations (60s cooldown respected)
- Docker container networking compatibility
Summary
Testing
ensure_nft_table_and_chain helper in azazel_pi.core.enforcer.traffic_control expected by tests) Codex Task