# IPS (Suricata) chains
iptables -t mangle -N IPS
iptables -t mangle -N IPS_CLEAR
+ iptables -t mangle -N IPS_SCAN_IN
+ iptables -t mangle -N IPS_SCAN_OUT
+
+ iptables -t mangle -A INPUT -j IPS_SCAN_IN
+ iptables -t mangle -A FORWARD -j IPS_SCAN_IN
+ iptables -t mangle -A FORWARD -j IPS_SCAN_OUT
+ iptables -t mangle -A OUTPUT -j IPS_SCAN_OUT
for chain in INPUT FORWARD OUTPUT; do
iptables -t mangle -A "${chain}" -j IPS
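Review bot: The six new `iptables -t mangle -N`/`-A` calls that create and hook IPS_SCAN_IN/IPS_SCAN_OUT run without `-w`, whereas flush_fw_chain and the rule-building code below use `iptables -w -t mangle …` and wait for the xtables lock; if another iptables invocation holds the lock during setup, these calls fail and the scan chains are never reached, so no packet gets the scan mark. That matches the pre-existing lines for the IPS chain, so it is a consistency point rather than a regression, but the new lines are the natural place to fix it: `iptables -w -t mangle -A INPUT -j IPS_SCAN_IN` (and likewise for the other five). The ordering also deserves a comment, since the SCAN jumps are appended before the `for chain …` loop appends the IPS jump — presumably so the scan mark is already set when IPS inspects it: `# Hook the SCAN chains before the IPS chain: IPS is expected to act on the scan mark they set.` The `for chain in INPUT FORWARD OUTPUT` loop at the end of this hunk continues outside it.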
flush_fw_chain() {
iptables -w -t mangle -F IPS
iptables -w -t mangle -F IPS_CLEAR
+ iptables -w -t mangle -F IPS_SCAN_IN
+ iptables -w -t mangle -F IPS_SCAN_OUT
}
# Function to create the firewall rules to pass the traffic to suricata.
-j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"
# Don't process packets that have already been seen by the IPS
- iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+ for chain in IPS IPS_SCAN_IN IPS_SCAN_OUT; do
+ iptables -w -t mangle -A "${chain}" \
+ -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+ done
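Review bot: The comment above the new loop still reads as if only the IPS chain returned early for packets already seen by the IPS, but the RETURN rule is now installed in IPS_SCAN_IN and IPS_SCAN_OUT as well, so a repeat-marked packet also never receives the scan mark. Suggest widening it to `# Packets already seen by the IPS (repeat mark) skip both the scan-mark chains and the IPS chain`. The enclosing function begins before this hunk.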
local zone
local status
continue
fi
- iptables -w -t mangle -A IPS -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
- iptables -w -t mangle -A IPS -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+ iptables -w -t mangle -A IPS_SCAN_IN \
+ -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+ iptables -w -t mangle -A IPS_SCAN_OUT \
+ -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
fi
done