avoid emitting VPN traffic to the internet if the IPS crashed

Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.

This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.

Thanks to Michael for his debugging effort.

Partially fixes #12257

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708c8e6b03396b0033ce2649fb61dec09b..ab144ea18c95579b8ed20af4ea9ceae566f56d1a 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,14 +185,6 @@ iptables_init() {
        iptables -A INPUT -j GUARDIAN
        iptables -A FORWARD -j GUARDIAN
 
-       # IPS (suricata) chains
-       iptables -N IPS_INPUT
-       iptables -N IPS_FORWARD
-       iptables -N IPS_OUTPUT
-       iptables -A INPUT -j IPS_INPUT
-       iptables -A FORWARD -j IPS_FORWARD
-       iptables -A OUTPUT -j IPS_OUTPUT
-
        # Block non-established IPsec networks
        iptables -N IPSECBLOCK
        iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
@@ -204,6 +196,14 @@ iptables_init() {
        iptables -A FORWARD -i tun+ -j OVPNBLOCK
        iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
+       # IPS (suricata) chains
+       iptables -N IPS_INPUT
+       iptables -N IPS_FORWARD
+       iptables -N IPS_OUTPUT
+       iptables -A INPUT -j IPS_INPUT
+       iptables -A FORWARD -j IPS_FORWARD
+       iptables -A OUTPUT -j IPS_OUTPUT
+
        # OpenVPN transfer network translation
        iptables -t nat -N OVPNNAT
        iptables -t nat -A POSTROUTING -j OVPNNAT