suricata: Add code to create iptables rules to the initscript
author Stefan Schantl <stefan.schantl@ipfire.org>
Thu, 16 Aug 2018 16:51:13 +0000 (18:51 +0200)
committer Stefan Schantl <stefan.schantl@ipfire.org>
Thu, 16 Aug 2018 16:51:13 +0000 (18:51 +0200)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
src/initscripts/system/suricata

index a49da8335d3a52f2b454e15e0c07d691a7310b56..60a00cc484cfe0bd171d7a7f0b4d6891efc1d524 100644 (file)
 
 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 
+# Name of the firewall chain.
+FW_CHAIN="IPS"
+
+# Optional options for the Netfilter queue.
+NFQ_OPTS="--queue-bypass "
+
+# Array containing the 4 possible network zones.
+network_zones=( red green blue orange )
+
+# Mark and Mask options.
+MARK="0x1"
+MASK="0x1"
+
 case "$1" in
         start)
                # Get amount of CPU cores.
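Review bot: `NFQ_OPTS="--queue-bypass "` makes the IPS fail open: with that flag NFQUEUE accepts a packet unchanged whenever no userspace program is bound to the queue, so while suricata is still starting, or after it dies without the stop path flushing the chain, traffic on the queued interfaces passes uninspected rather than being dropped. That may be the intended trade-off for a gateway that must not lose connectivity, but it should be stated next to the option, e.g. `# --queue-bypass: if nothing is bound to the queue (IDS not running) packets are ACCEPTed uninspected (fail open) instead of dropped.` Likewise `MARK`/`MASK` are only described as "Mark and Mask options"; a line saying what the bit means, e.g. `# Packets carrying bit 0x1 are skipped by the queue rules; presumably set by the IDS on already-verdicted packets -- confirm against the nfq section of suricata.yaml`, would spare the next reader a trip into the suricata config. Note also the removed `eval` of `ethernet/settings`: the interface names are now built as `<zone>0` rather than taken from the `*_DEV` values that file provided, which may not match setups where the red device is not an ethernet-style `red0`.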
@@ -29,15 +41,53 @@ case "$1" in
                        [ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++))
                done </proc/cpuinfo
 
-               boot_mesg "Starting Intrusion Detection System..."
-                /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
-                       evaluate_retval
+               # Check if the IDS should be started.
+               if [ "$ENABLE_IDS" == "on" ]; then
+                       # Loop through the array of network zones.
+                       for zone in "${network_zones[@]}"; do
+                               # Convert zone into upper case.
+                               zone_upper=${zone^^}
+
+                               # Check if the IDS is enabled for this network zone.
+                               if [ "$ENABLE_IDS_$$zone_upper" == "on" ]; then
+                                       # Generate name of the network interface.
+                                       network_device=$zone
+                                       network_device+="0"
+
+                                       # Assign NFQ_OPTS
+                                       NFQ_OPTIONS=$NFQ_OPTS
+
+                                       # Check if there are multiple cpu cores available.
+                                       if [ "$CPUCOUNT" > 0 ]; then
+                                               # Balance beetween all queues.
+                                               NFQ_OPTIONS+="--queue-balance 0:"
+                                               NFQ_OPTIONS+=$(($CPUCOUNT-1))
+                                       else
+                                               # Send all packets to queue 0.
+                                               NFQ_OPTIONS+="--queue-num 0"
+                                       fi
+
+                                       # Create firewall rules to queue the traffic and pass to
+                                       # the IDS.
+                                       iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+                                       iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+                               fi
+                       done
+
+                       # Start the IDS.
+                       boot_mesg "Starting Intrusion Detection System..."
+                       /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
+                       evaluate_retval
+               fi
        ;;
 
         stop)
                boot_mesg "Stopping Intrusion Detection System..."
                killproc -p /var/run/suricata.pid /var/run
 
+               # Flush firewall chain.
+               iptables -F $FW_CHAIN
+
                # Remove suricata control socket.              
                rm /var/run/suricata/* >/dev/null 2>/dev/null