Snort mailing list archives

Snort Inline Mode (with NFQ) drop rule is not working


From: turki <turki_00 () yahoo com>
Date: Tue, 31 May 2011 05:31:38 -0700 (PDT)

I am having a problem configuring iptables for Snort (inline mode) using NFQUEUE with a single interface "eth0".

I am using the Snort box as a gateway to examine incoming traffic by redirecting it to the INPUT chain of the netfilter table.
If no rule matches (safe traffic), the traffic should be forwarded to another machine (local IP); otherwise Snort should drop the traffic.

As a testing rule for dropping HTTP packets:

drop tcp any any <> any 80 (content:"t.php"; msg:"help t.php"; sid:1000009;)

Snort is dropping the traffic in inline mode by defining the following rules in iptables without any problems:

iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE


However, when I want to forward the traffic to another IP by defining the following rules in the NAT table:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination InternalIP:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Snort will not be able to drop the traffic and it is immediately redirected to the other machine.

I need your help please.

Running environment:
Snort 2.9.0.5 (inline with NFQ and single NIC "eth0")
daq 0.5
barnyard2
Ubuntu 11.4
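An added example (not from the poster or the Snort project) placing the ruleset from the post beside one that also queues the forwarded flow: after the PREROUTING DNAT, a packet traverses the FORWARD chain rather than INPUT, so an INPUT-only NFQUEUE rule never sees it. It assumes eth0 and uses the constructed address 192.168.1.10 as a placeholder for InternalIP.

```shell
#!/bin/sh
# Generate the iptables rules for a single-NIC DNAT gateway running Snort in
# NFQ inline mode. Placeholders: IFACE=eth0, INTERNAL_IP=192.168.1.10 (constructed).
IFACE="${IFACE:-eth0}"
INTERNAL_IP="${INTERNAL_IP:-192.168.1.10}"

# Ruleset as in the post: only INPUT/OUTPUT are queued. DNAT'd packets go
# PREROUTING -> FORWARD -> POSTROUTING and bypass Snort entirely.
rules_input_only() {
    cat <<EOF
iptables -I INPUT  -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP:80
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
EOF
}

# Corrected ruleset: queue the forwarded flow in both directions. Inbound packets
# reach FORWARD already rewritten to -d INTERNAL_IP; replies leave FORWARD with
# -s INTERNAL_IP before MASQUERADE rewrites them in POSTROUTING. The INPUT/OUTPUT
# rules stay for traffic that terminates on the gateway itself.
rules_forward() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP:80
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
iptables -I FORWARD -p tcp -d $INTERNAL_IP --dport 80 -j NFQUEUE
iptables -I FORWARD -p tcp -s $INTERNAL_IP --sport 80 -j NFQUEUE
iptables -I INPUT  -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
EOF
}

# Returns 0 when the ruleset hands forwarded (DNAT'd) traffic to Snort.
queues_forwarded() {
    printf '%s\n' "$1" | grep -q -- '-I FORWARD .*-j NFQUEUE'
}

# APPLY=1 executes the rules (root, net.ipv4.ip_forward=1); otherwise print them.
if [ "${APPLY:-0}" = 1 ]; then
    rules_forward | sh
else
    rules_forward
fi
```

Snort must be started with the NFQ DAQ on the same queue number the NFQUEUE target uses (queue 0 here, the default for both).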