From patchwork Tue Sep 10 14:37:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 8102 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X35sq2XfCz3wdh for ; Tue, 10 Sep 2024 14:38:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sl4X1Fz6C8; Tue, 10 Sep 2024 14:38:19 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X35sl3zpjz34G3; Tue, 10 Sep 2024 14:38:19 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X35sJ0g56z34Gg for ; Tue, 10 Sep 2024 14:37:56 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X35sH71B9z5t1; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4X35sH2KXQzTvfm; Tue, 10 Sep 2024 14:37:55 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 20/20] firewall: Move the IPS after the NAT marking Date: Tue, 10 Sep 2024 14:37:33 +0000 Message-Id: <20240910143748.3469271-21-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org> References: <20240910143748.3469271-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: PVNPI75TQAWAW75SM5FRSICRAEZW4PID X-Message-ID-Hash: PVNPI75TQAWAW75SM5FRSICRAEZW4PID X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This is because we might still land in the scenario where Suricata crashes and NFQUEUE will simply ACCEPT all packets which will terminate the processing of the mangle table. Therefore the NFQUEUE rule should be the last one so that we never skip any of the other processing. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 5d37cffd7..7dbbe38cb 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -221,13 +221,6 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK - # IPS (Suricata) chains - iptables -t mangle -N IPS - - for chain in PREROUTING POSTROUTING; do - iptables -t mangle -A "${chain}" -j IPS - done - # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT @@ -382,6 +375,13 @@ iptables_init() { -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" fi + # IPS (Suricata) chains + iptables -t mangle -N IPS + + for chain in PREROUTING POSTROUTING; do + iptables -t mangle -A "${chain}" -j IPS + done + # RED chain, used for the red interface iptables -N REDINPUT iptables -A INPUT -j REDINPUT