[1/3] firewall: Use separate firewall chains for passing traffic to the IPS
Commit Message
Create and use separate iptables chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible about which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
src/initscripts/system/firewall | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
@@ -186,10 +186,12 @@ iptables_init() {
iptables -A FORWARD -j GUARDIAN
# IPS (suricata) chains
- iptables -N IPS
- iptables -A INPUT -j IPS
- iptables -A FORWARD -j IPS
- iptables -A OUTPUT -j IPS
+ iptables -N IPS_INPUT
+ iptables -N IPS_FORWARD
+ iptables -N IPS_OUTPUT
+ iptables -A INPUT -j IPS_INPUT
+ iptables -A FORWARD -j IPS_FORWARD
+ iptables -A OUTPUT -j IPS_OUTPUT
# Block non-established IPsec networks
iptables -N IPSECBLOCK
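Review bot: the three new jump rules (`iptables -A INPUT -j IPS_INPUT` and the FORWARD/OUTPUT equivalents) are still unconditional, so this hunk alone does not change which packets reach suricata; the per-direction selection has to happen inside IPS_INPUT, IPS_FORWARD and IPS_OUTPUT, which are created empty here, and the old IPS chain is removed without a replacement in this hunk, so anything that still flushes or fills IPS will fail until the remaining patches of the 1/3 series populate the new chains. Please make sure the series is applied together and state in the commit message which script is responsible for filling the new chains.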