enabled_ips_zones=()
# Mark and Mask options.
-MARK="0x80000000"
-MASK="0x80000000"
+REPEAT_MARK="0x80000000"
+REPEAT_MASK="0x80000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"
# Loop through the array and create firewall rules.
for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
# Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
# Create rules which are required to handle forwarded traffic.
for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
done
done
# Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
- iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
- iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+ iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+ iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
fi
}