]> git.ipfire.org Git - people/mfischer/ipfire-2.x.git/blob - src/initscripts/system/suricata
projects / people / mfischer / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
suricata: Store bypass flag in connmark and restore
[people/mfischer/ipfire-2.x.git] / src / initscripts / system / suricata
1 #!/bin/sh
2 ########################################################################
3 # Begin $rc_base/init.d/suricata
4 #
5 # Description : Suricata Initscript
6 #
7 # Author : Stefan Schantl <stefan.schantl@ipfire.org>
8 #
9 # Version : 01.03
10 #
11 # Notes :
12 #
13 ########################################################################
14
15 . /etc/sysconfig/rc
16 . ${rc_functions}
17
18 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
19
20 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
21 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
22
23 # Name of the firewall chains.
24 IPS_INPUT_CHAIN="IPS_INPUT"
25 IPS_FORWARD_CHAIN="IPS_FORWARD"
26 IPS_OUTPUT_CHAIN="IPS_OUTPUT"
27
28 # Optional options for the Netfilter queue.
29 NFQ_OPTS="--queue-bypass "
30
31 # Array containing the 4 possible network zones.
32 network_zones=( red green blue orange ovpn )
33
34 # Array to store the network zones weather the IPS is enabled for.
35 enabled_ips_zones=()
36
37 # Mark and Mask options.
38 REPEAT_MARK="0x80000000"
39 REPEAT_MASK="0x80000000"
40 BYPASS_MARK="0x40000000"
41 BYPASS_MASK="0x40000000"
42
43 # PID file of suricata.
44 PID_FILE="/var/run/suricata.pid"
45
46 # Function to get the amount of CPU cores of the system.
47 function get_cpu_count {
48 CPUCOUNT=0
49
50 # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
51 while read line; do
52 [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++))
53 done </proc/cpuinfo
54
55 # Limit to a maximum of 16 cores, because suricata does not support more than
56 # 16 netfilter queues at the moment.
57 if [ $CPUCOUNT -gt "16" ]; then
58 echo "16"
59 else
60 echo $CPUCOUNT
61 fi
62 }
63
64 # Function to flush the firewall chains.
65 function flush_fw_chain {
66 # Call iptables and flush the chains
67 iptables -w -F "$IPS_INPUT_CHAIN"
68 iptables -w -F "$IPS_FORWARD_CHAIN"
69 iptables -w -F "$IPS_OUTPUT_CHAIN"
70 }
71
72 # Function to create the firewall rules to pass the traffic to suricata.
73 function generate_fw_rules {
74 cpu_count=$(get_cpu_count)
75
76 # Loop through the array of network zones.
77 for zone in "${network_zones[@]}"; do
78 # Convert zone into upper case.
79 zone_upper=${zone^^}
80
81 # Generate variable name for checking if the IDS is
82 # enabled on the zone.
83 enable_ids_zone="ENABLE_IDS_$zone_upper"
84
85 # Check if the IDS is enabled for this network zone.
86 if [ "${!enable_ids_zone}" == "on" ]; then
87 # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
88 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
89 # Set device name to ppp0.
90 network_device="ppp0"
91 elif [ "$zone" == "ovpn" ]; then
92 # Get all virtual net devices because the RW server and each
93 # N2N connection creates it's own tun device.
94 for virt_dev in /sys/devices/virtual/net/*; do
95 # Cut-off the directory.
96 dev="${virt_dev##*/}"
97
98 # Only process tun devices.
99 if [[ $dev =~ "tun" ]]; then
100 # Add the network device to the array of enabled zones.
101 enabled_ips_zones+=( "$dev" )
102 fi
103 done
104
105 # Process next zone.
106 continue
107 else
108 # Generate variable name which contains the device name.
109 zone_name="$zone_upper"
110 zone_name+="_DEV"
111
112 # Grab device name.
113 network_device=${!zone_name}
114 fi
115
116 # Add the network device to the array of enabled zones.
117 enabled_ips_zones+=( "$network_device" )
118 fi
119 done
120
121 # Assign NFQ_OPTS
122 NFQ_OPTIONS=$NFQ_OPTS
123
124 # Check if there are multiple cpu cores available.
125 if [ "$cpu_count" -gt "1" ]; then
126 # Balance beetween all queues.
127 NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
128 NFQ_OPTIONS+=" --queue-cpu-fanout"
129 else
130 # Send all packets to queue 0.
131 NFQ_OPTIONS+="--queue-num 0"
132 fi
133
134 # Flush the firewall chains.
135 flush_fw_chain
136
137 # Skip anything that has the bypass bit set
138 local chain
139 for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
140 iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
141 done
142
143 # Check if the array of enabled_ips_zones contains any elements.
144 if [[ ${enabled_ips_zones[@]} ]]; then
145 # Loop through the array and create firewall rules.
146 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
147 # Create rules queue input and output related traffic and pass it to the IPS.
148 iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
149 iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
150
151 # Create rules which are required to handle forwarded traffic.
152 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
153 iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
154 done
155 done
156
157 # Add common rules at the end of the chain
158 for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
159 # Clear repeat bit
160 iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
161
162 # Store bypass bit in CONNMARK
163 iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
164 done
165 fi
166 }
167
168 case "$1" in
169 start)
170 # Get amount of CPU cores.
171 cpu_count=$(get_cpu_count)
172
173 # Numer of NFQUES.
174 NFQUEUES="-q 0"
175
176 if [ $cpu_count -gt "1" ]; then
177 NFQUEUES+=":$(($cpu_count-1))"
178 fi
179
180 # Check if the IDS should be started.
181 if [ "$ENABLE_IDS" == "on" ]; then
182 # Start the IDS.
183 boot_mesg "Starting Intrusion Detection System..."
184 /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
185 evaluate_retval
186
187 # Allow reading the pidfile.
188 chmod 644 $PID_FILE
189
190 # Flush the firewall chain
191 flush_fw_chain
192
193 # Generate firewall rules
194 generate_fw_rules
195 fi
196 ;;
197
198 stop)
199 boot_mesg "Stopping Intrusion Detection System..."
200 killproc -p $PID_FILE /var/run
201
202 # Flush firewall chain.
203 flush_fw_chain
204
205 # Sometimes suricata not correct shutdown. So killall.
206 killall -KILL /usr/bin/suricata 2>/dev/null
207
208 # Remove suricata control socket.
209 rm /var/run/suricata/* >/dev/null 2>/dev/null
210
211 # Trash remain pid file if still exists.
212 rm -f $PID_FILE >/dev/null 2>/dev/null
213
214 # Don't report returncode of rm if suricata was not started
215 exit 0
216 ;;
217
218 status)
219 statusproc /usr/bin/suricata
220 ;;
221
222 restart)
223 $0 stop
224 $0 start
225 ;;
226 reload)
227 # Send SIGUSR2 to the suricata process to perform a reload
228 # of the ruleset.
229 kill -USR2 $(pidof suricata)
230
231 # Flush the firewall chain.
232 flush_fw_chain
233
234 # Generate firewall rules.
235 generate_fw_rules
236 ;;
237
238 *)
239 echo "Usage: $0 {start|stop|restart|reload|status}"
240 exit 1
241 ;;
242 esac
243
244 chmod 644 /var/log/suricata/* 2>/dev/null
245
246 # End $rc_base/init.d/suricata
Matthias' tree of IPFire 2.x