2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
25 PATH
=/usr
/local
/sbin
:/usr
/local
/bin
:/bin
:/usr
/bin
:/sbin
:/usr
/sbin
; export PATH
27 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/suricata
/settings
)
28 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/ethernet
/settings
)
30 # Name of the firewall chains.
31 IPS_INPUT_CHAIN
="IPS_INPUT"
32 IPS_FORWARD_CHAIN
="IPS_FORWARD"
33 IPS_OUTPUT_CHAIN
="IPS_OUTPUT"
35 # Optional options for the Netfilter queue.
36 NFQ_OPTS
="--queue-bypass "
38 # Array containing the 4 possible network zones.
39 network_zones
=( red green blue orange ovpn
)
41 # Array to store the network zones weather the IPS is enabled for.
44 # PID file of suricata.
45 PID_FILE
="/var/run/suricata.pid"
47 # Function to get the amount of CPU cores of the system.
48 function get_cpu_count
{
51 # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
53 [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT
++))
56 # Limit to a maximum of 16 cores, because suricata does not support more than
57 # 16 netfilter queues at the moment.
58 if [ $CPUCOUNT -gt "16" ]; then
65 # Function to flush the firewall chains.
66 function flush_fw_chain
{
67 # Call iptables and flush the chains
68 iptables
-w -F "$IPS_INPUT_CHAIN"
69 iptables
-w -F "$IPS_FORWARD_CHAIN"
70 iptables
-w -F "$IPS_OUTPUT_CHAIN"
73 # Function to create the firewall rules to pass the traffic to suricata.
74 function generate_fw_rules
{
75 cpu_count
=$
(get_cpu_count
)
77 # Loop through the array of network zones.
78 for zone
in "${network_zones[@]}"; do
79 # Convert zone into upper case.
82 # Generate variable name for checking if the IDS is
83 # enabled on the zone.
84 enable_ids_zone
="ENABLE_IDS_$zone_upper"
86 # Check if the IDS is enabled for this network zone.
87 if [ "${!enable_ids_zone}" == "on" ]; then
88 # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
89 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
90 # Set device name to ppp0.
92 elif [ "$zone" == "ovpn" ]; then
93 # Get all virtual net devices because the RW server and each
94 # N2N connection creates it's own tun device.
95 for virt_dev
in /sys
/devices
/virtual
/net
/*; do
96 # Cut-off the directory.
99 # Only process tun devices.
100 if [[ $dev =~
"tun" ]]; then
101 # Add the network device to the array of enabled zones.
102 enabled_ips_zones
+=( "$dev" )
109 # Generate variable name which contains the device name.
110 zone_name
="$zone_upper"
114 network_device
=${!zone_name}
117 # Add the network device to the array of enabled zones.
118 enabled_ips_zones
+=( "$network_device" )
123 NFQ_OPTIONS
=$NFQ_OPTS
125 # Check if there are multiple cpu cores available.
126 if [ "$cpu_count" -gt "1" ]; then
127 # Balance beetween all queues.
128 NFQ_OPTIONS
+="--queue-balance 0:$(($cpu_count-1))"
129 NFQ_OPTIONS
+=" --queue-cpu-fanout"
131 # Send all packets to queue 0.
132 NFQ_OPTIONS
+="--queue-num 0"
135 # Flush the firewall chains.
138 # Check if the array of enabled_ips_zones contains any elements.
139 if [[ ${enabled_ips_zones[@]} ]]; then
140 # Loop through the array and create firewall rules.
141 for enabled_ips_zone
in "${enabled_ips_zones[@]}"; do
142 # Create rules queue input and output related traffic and pass it to the IPS.
143 iptables
-w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE
$NFQ_OPTIONS
144 iptables
-w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE
$NFQ_OPTIONS
146 # Create rules which are required to handle forwarded traffic.
147 for enabled_ips_zone_forward
in "${enabled_ips_zones[@]}"; do
148 iptables
-w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE
$NFQ_OPTIONS
156 # Get amount of CPU cores.
157 cpu_count
=$
(get_cpu_count
)
162 if [ $cpu_count -gt "1" ]; then
163 NFQUEUES
+=":$(($cpu_count-1))"
166 # Check if the IDS should be started.
167 if [ "$ENABLE_IDS" == "on" ]; then
169 boot_mesg
"Starting Intrusion Detection System..."
170 /usr
/bin
/suricata
-c /etc
/suricata
/suricata.yaml
-D $NFQUEUES >/dev
/null
2>/dev
/null
173 # Allow reading the pidfile.
176 # Flush the firewall chain
179 # Generate firewall rules
185 boot_mesg
"Stopping Intrusion Detection System..."
186 killproc
-p $PID_FILE /var
/run
188 # Flush firewall chain.
191 # Sometimes suricata not correct shutdown. So killall.
192 killall
-KILL /usr
/bin
/suricata
2>/dev
/null
194 # Remove suricata control socket.
195 rm /var
/run
/suricata
/* >/dev
/null
2>/dev
/null
197 # Trash remain pid file if still exists.
198 rm -f $PID_FILE >/dev
/null
2>/dev
/null
200 # Don't report returncode of rm if suricata was not started
205 statusproc
/usr
/bin
/suricata
213 # Send SIGUSR2 to the suricata process to perform a reload
215 kill -USR2 $
(pidof suricata
)
217 # Flush the firewall chain.
220 # Generate firewall rules.
225 echo "Usage: $0 {start|stop|restart|reload|status}"
230 chmod 644 /var
/log
/suricata
/* 2>/dev
/null