From 525ff6d74dac833854dde69a152e98f1b5fd14d2 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 10 Sep 2024 11:37:38 +0200
Subject: [PATCH] firewall: Move the IPS after the NAT marking

This is because we might still land in the scenario where Suricata crashes and NFQUEUE will simply ACCEPT all packets which will terminate the processing of the mangle table. Therefore the NFQUEUE rule should be the last one so that we never skip any of the other processing.

Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d37cffd77..7dbbe38cb3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-	# IPS (Suricata) chains
-	iptables -t mangle -N IPS
-
-	for chain in PREROUTING POSTROUTING; do
-		iptables -t mangle -A "${chain}" -j IPS
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -382,6 +375,13 @@ iptables_init() {
 		-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT
-- 
2.39.5
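Review bot: The ordering constraint that motivates this move lives only in the commit message; the re-added `# IPS (Suricata) chains` comment in the second hunk does not say that the `-j IPS` jumps must stay the last rules in mangle PREROUTING/POSTROUTING, so a rule appended to those chains later in iptables_init (which continues outside the hunk) or from another script would land behind the NFQUEUE jump and be skipped in the very crash scenario this change is meant to handle. Suggest expanding the comment to `# IPS (Suricata) chains - keep these the last rules appended to mangle PREROUTING/POSTROUTING:` followed by `# when Suricata is not running the NFQUEUE verdict ends mangle processing, so anything appended after this jump is never evaluated.` Whether the bypass really accepts rather than drops depends on how the NFQUEUE rules inside the IPS chain are built, which is not visible here, so that part of the wording follows the commit message rather than the hunk. The first hunk is the matching pure deletion and needs no separate comment.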