avoid emitting VPN traffic to the internet if the IPS crashed

Message ID 831d6fe4-8851-326a-450f-ac14a017479a@ipfire.org
State Accepted
Commit 5dba838282f23954a1cfeb4586b1cabc294a9b32
Headers
Series avoid emitting VPN traffic to the internet if the IPS crashed

Commit Message

Peter Müller Jan. 27, 2020, 3:04 p.m. UTC
Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.

This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.

Thanks to Michael for his debugging effort.

Partially fixes #12257

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Comments

Michael Tremer Jan. 27, 2020, 3:33 p.m. UTC | #1
Acked-by: Michael Tremer <michael.tremer@ipfire.org>

> On 27 Jan 2020, at 15:04, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
> OpenVPN) destinations was emitted to the internet (ppp0 or red0
> interface) directly if the IPS was enabled but crashed during operation.
> 
> This patch places the IPSECBLOCK and OVPNBLOCK chains before the
> ones responsible for forwarding traffic into the IPS.
> 
> Thanks to Michael for his debugging effort.
> 
> Partially fixes #12257
> 
> Cc: Michael Tremer <michael.tremer@ipfire.org>
> Cc: Stefan Schantl <stefan.schantl@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index ec396c708..ab144ea18 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -185,14 +185,6 @@ iptables_init() {
> 	iptables -A INPUT -j GUARDIAN
> 	iptables -A FORWARD -j GUARDIAN
> 
> -	# IPS (suricata) chains
> -	iptables -N IPS_INPUT
> -	iptables -N IPS_FORWARD
> -	iptables -N IPS_OUTPUT
> -	iptables -A INPUT -j IPS_INPUT
> -	iptables -A FORWARD -j IPS_FORWARD
> -	iptables -A OUTPUT -j IPS_OUTPUT
> -
> 	# Block non-established IPsec networks
> 	iptables -N IPSECBLOCK
> 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
> @@ -204,6 +196,14 @@ iptables_init() {
> 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
> 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
> 
> +	# IPS (suricata) chains
> +	iptables -N IPS_INPUT
> +	iptables -N IPS_FORWARD
> +	iptables -N IPS_OUTPUT
> +	iptables -A INPUT -j IPS_INPUT
> +	iptables -A FORWARD -j IPS_FORWARD
> +	iptables -A OUTPUT -j IPS_OUTPUT
> +
> 	# OpenVPN transfer network translation
> 	iptables -t nat -N OVPNNAT
> 	iptables -t nat -A POSTROUTING -j OVPNNAT
> -- 
> 2.16.4

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708..ab144ea18 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,14 +185,6 @@  iptables_init() {
 	iptables -A INPUT -j GUARDIAN
 	iptables -A FORWARD -j GUARDIAN
 
-	# IPS (suricata) chains
-	iptables -N IPS_INPUT
-	iptables -N IPS_FORWARD
-	iptables -N IPS_OUTPUT
-	iptables -A INPUT -j IPS_INPUT
-	iptables -A FORWARD -j IPS_FORWARD
-	iptables -A OUTPUT -j IPS_OUTPUT
-
 	# Block non-established IPsec networks
 	iptables -N IPSECBLOCK
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
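Review bot: the block removed here relocates all three chains, IPS_INPUT and IPS_OUTPUT included, although the commit message only describes forwarded traffic to remote VPN destinations leaving via red0/ppp0, and the ordering that matters for that fix is IPSECBLOCK/OVPNBLOCK being evaluated before IPS_FORWARD in the FORWARD chain. If keeping the three chains together is intentional, a sentence in the commit message saying so (and what part of #12257 remains open after this "partial" fix) would make the change easier to review than the diff alone.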
@@ -204,6 +196,14 @@  iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
+	# IPS (suricata) chains
+	iptables -N IPS_INPUT
+	iptables -N IPS_FORWARD
+	iptables -N IPS_OUTPUT
+	iptables -A INPUT -j IPS_INPUT
+	iptables -A FORWARD -j IPS_FORWARD
+	iptables -A OUTPUT -j IPS_OUTPUT
+
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
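Review bot: nothing in the script records why the IPS chains must now be created after the IPSECBLOCK and OVPNBLOCK rules, so a later cleanup could move them back to their old position and silently reintroduce the leak. Suggest expanding the comment on the first added line, e.g. `# IPS (suricata) chains - must come after IPSECBLOCK/OVPNBLOCK, otherwise VPN-bound traffic is handed to the IPS first and can leave via red0/ppp0 if the IPS crashes`. The OVPNNAT rules that follow live in the nat table, so their position relative to the filter-table chains is unaffected by this move.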