From patchwork Tue Sep 10 14:37:33 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 8102
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature RSA-PSS (4096 bits))
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sq2XfCz3wdh
	for <patchwork@web04.haj.ipfire.org>; Tue, 10 Sep 2024 14:38:23 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sl4X1Fz6C8;
	Tue, 10 Sep 2024 14:38:19 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sl3zpjz34G3;
	Tue, 10 Sep 2024 14:38:19 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature RSA-PSS (4096 bits))
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0g56z34Gg
	for <development@lists.ipfire.org>; Tue, 10 Sep 2024 14:37:56 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH71B9z5t1;
	Tue, 10 Sep 2024 14:37:55 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4X35sH2KXQzTvfm; Tue, 10 Sep 2024 14:37:55 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 20/20] firewall: Move the IPS after the NAT marking
Date: Tue, 10 Sep 2024 14:37:33 +0000
Message-Id: <20240910143748.3469271-21-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Message-ID-Hash: PVNPI75TQAWAW75SM5FRSICRAEZW4PID
X-Message-ID-Hash: PVNPI75TQAWAW75SM5FRSICRAEZW4PID
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/PVNPI75TQAWAW75SM5FRSICRAEZW4PID/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d37cffd7..7dbbe38cb 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-	# IPS (Suricata) chains
-	iptables -t mangle -N IPS
-
-	for chain in PREROUTING POSTROUTING; do
-		iptables -t mangle -A "${chain}" -j IPS
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -382,6 +375,13 @@ iptables_init() {
 			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT