firewall: Move the IPS after the NAT marking

This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d37cffd775660c6d1ddc62565310889b451afcc..7dbbe38cb334d110341291c736eeb1a605f5e58a 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() {
        iptables -A FORWARD -i tun+ -j OVPNBLOCK
        iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-       # IPS (Suricata) chains
-       iptables -t mangle -N IPS
-
-       for chain in PREROUTING POSTROUTING; do
-               iptables -t mangle -A "${chain}" -j IPS
-       done
-
        # OpenVPN transfer network translation
        iptables -t nat -N OVPNNAT
        iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -382,6 +375,13 @@ iptables_init() {
                        -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
        fi
 
+       # IPS (Suricata) chains
+       iptables -t mangle -N IPS
+
+       for chain in PREROUTING POSTROUTING; do
+               iptables -t mangle -A "${chain}" -j IPS
+       done
+
        # RED chain, used for the red interface
        iptables -N REDINPUT
        iptables -A INPUT -j REDINPUT