From: Stefan Schantl
Date: Thu, 25 Apr 2019 17:31:46 +0000 (+0200)
Subject: firewall: Use seperate firewall chains for passing traffic to the IPS
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=686c4b9f25d2c2edfc4fe851f84a78e04eaee330;p=people%2Fms%2Fipfire-2.x.git

firewall: Use seperate firewall chains for passing traffic to the IPS

Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible which kind of traffic should be passed to suricata.

Reference #12062

Signed-off-by: Stefan Schantl
Signed-off-by: Arne Fitzenreiter
---

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be6c9169f3..da89857d8b 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -186,10 +186,12 @@ iptables_init() {
 	iptables -A FORWARD -j GUARDIAN
 	# IPS (suricata) chains
-	iptables -N IPS
-	iptables -A INPUT -j IPS
-	iptables -A FORWARD -j IPS
-	iptables -A OUTPUT -j IPS
+	iptables -N IPS_INPUT
+	iptables -N IPS_FORWARD
+	iptables -N IPS_OUTPUT
+	iptables -A INPUT -j IPS_INPUT
+	iptables -A FORWARD -j IPS_FORWARD
+	iptables -A OUTPUT -j IPS_OUTPUT
 	# Block non-established IPsec networks
 	iptables -N IPSECBLOCK
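Review bot: The old `IPS` chain is no longer created by this hunk, yet the commit touches only the firewall initscript, so whatever populates the chain at runtime (presumably the suricata/IPS control script, which is not visible here) will fail on its first `iptables -A IPS ...` once this lands unless it is updated in the same change or `iptables -N IPS` is kept as a transitional alias. The three new chains are created empty, and an empty user-defined chain simply returns to the caller, so until they are filled all INPUT/FORWARD/OUTPUT traffic passes these jumps unfiltered; that fail-open behaviour is worth stating next to the `-N` lines, e.g. `# Created empty here; the IPS control script adds the queue rules, so traffic passes through until it does`. Note also that these jumps sit ahead of the IPSECBLOCK jump created just below, so the IPS sees packets before that policy chain runs. iptables_init() starts and ends outside the hunk.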