diff mbox series

[20/20] firewall: Move the IPS after the NAT marking

Message ID	20240910143748.3469271-21-michael.tremer@ipfire.org
State	Accepted
Commit	525ff6d74dac833854dde69a152e98f1b5fd14d2
Headers	From: Michael Tremer <michael.tremer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 20/20] firewall: Move the IPS after the NAT marking Date: Tue, 10 Sep 2024 14:37:33 +0000 Message-Id: <20240910143748.3469271-21-michael.tremer@ipfire.org> In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: PVNPI75TQAWAW75SM5FRSICRAEZW4PID CC: Michael Tremer <michael.tremer@ipfire.org> Precedence: list Archived-At: <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/PVNPI75TQAWAW75SM5FRSICRAEZW4PID/>
Series	[01/20] suricata: Move the IPS into the mangle table \| [01/20] suricata: Move the IPS into the mangle table [02/20] initscripts: Fix bash function definitions in suricata [03/20] suricata: Use getconf to determine the number of processors [04/20] suricata: Remove some unused constants [05/20] suricata: Add whitelist to iptables [06/20] suricata: Replace removed CPU count function [07/20] suricata: Be more efficient with marks [08/20] suricata: Add a watcher to restart on unexpected termination [09/20] suricata: Start the new watcher in the background [10/20] suricata: Restore the interface selection [11/20] suricata: Remove superfluous bits from the initscript [12/20] suricata: Don't load /var/ipfire/ethernet/settings [13/20] suricata: Add option to scan WireGuard [14/20] suricata: Fix broken spacing in the settings section [15/20] ids.cgi: Use new style tables for rulesets [16/20] ids.cgi: Use new-style table for whitelist entries [17/20] ids.cgi: Sort whitelist entries [18/20] ids.cgi: Remove box from the top section [19/20] ids.cgi: Fix detection for the Suricata process [20/20] firewall: Move the IPS after the NAT marking

Commit Message

Michael Tremer 10 Sep 2024, 2:37 p.m. UTC

This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff mbox series

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d37cffd7..7dbbe38cb 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@  iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-	# IPS (Suricata) chains
-	iptables -t mangle -N IPS
-
-	for chain in PREROUTING POSTROUTING; do
-		iptables -t mangle -A "${chain}" -j IPS
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -382,6 +375,13 @@  iptables_init() {
 			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT