firewall: Move the IPS back to INPUT/FORWARD/OUTPUT

We cannot use the PREROUTING/POSTROUTING chains here because Suricata
will fail to track NAT-ed connections.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7dbbe38cb334d110341291c736eeb1a605f5e58a..ab4833a7f1df7851995dbdb8c046e211c37e472e 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -378,7 +378,7 @@ iptables_init() {
        # IPS (Suricata) chains
        iptables -t mangle -N IPS
 
-       for chain in PREROUTING POSTROUTING; do
+       for chain in INPUT FORWARD OUTPUT; do
                iptables -t mangle -A "${chain}" -j IPS
        done