firewall: Use separate firewall chains for passing traffic to the IPS
author Stefan Schantl <stefan.schantl@ipfire.org>
Thu, 25 Apr 2019 17:31:46 +0000 (19:31 +0200)
committer Arne Fitzenreiter <arne_f@ipfire.org>
Fri, 26 Apr 2019 05:46:15 +0000 (07:46 +0200)
Create and use separate iptables chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible about which kind of traffic should be passed to suricata.

Reference #12062

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
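One way the three per-direction chains can be used, as an added example that is not IPFire's own code and not part of this commit: a small POSIX shell function that flushes each IPS_* chain and, for the directions that should be inspected, adds a jump to suricata. The NFQUEUE target, the queue-balance range 0:3 and the --queue-bypass flag are assumptions about how suricata is attached; the page only shows the chains being created. Setting IPTABLES=echo turns the function into a dry run so it can be exercised without root or netfilter.

```shell
#!/bin/sh
# Added example, not IPFire's code: populate the per-direction IPS chains
# (IPS_INPUT, IPS_FORWARD, IPS_OUTPUT) that the firewall initscript creates.
# Which directions reach suricata is chosen per chain. The NFQUEUE target,
# the queue range and --queue-bypass are assumptions, not taken from the page.

# Default to the real binary; IPTABLES=echo prints the commands instead.
IPTABLES="${IPTABLES:-iptables}"

# ips_rules INSPECT_INPUT INSPECT_FORWARD INSPECT_OUTPUT
# Each argument is "yes" or "no". Every IPS_* chain is flushed first so the
# function is idempotent when the firewall script is re-run.
ips_rules() {
    _in="$1"; _fwd="$2"; _out="$3"
    for pair in "INPUT:$_in" "FORWARD:$_fwd" "OUTPUT:$_out"; do
        dir="${pair%%:*}"
        want="${pair##*:}"
        chain="IPS_$dir"
        $IPTABLES -F "$chain"
        if [ "$want" = "yes" ]; then
            # Hand packets in this direction to suricata via NFQUEUE.
            # --queue-bypass (assumed) lets packets through when no userspace
            # listener is bound, so a stopped IPS fails open rather than
            # blackholing the firewall.
            $IPTABLES -A "$chain" -j NFQUEUE --queue-balance 0:3 --queue-bypass
        fi
    done
}

# Dry-run wrapper: runs ips_rules in a subshell with IPTABLES=echo and
# returns the generated commands as text, one per line.
ips_rules_dryrun() {
    ( IPTABLES=echo; ips_rules "$@" )
}

# Only forwarded (transit) traffic goes to the IPS; INPUT/OUTPUT stay empty.
ips_rules_dryrun no yes no
```

With "no yes no" the dry run emits a flush for all three chains and a single NFQUEUE rule in IPS_FORWARD, which is exactly the kind of per-direction choice the separate chains make possible.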
src/initscripts/system/firewall

index be6c916..da89857 100644 (file)
@@ -186,10 +186,12 @@ iptables_init() {
        iptables -A FORWARD -j GUARDIAN
 
        # IPS (suricata) chains
-       iptables -N IPS
-       iptables -A INPUT -j IPS
-       iptables -A FORWARD -j IPS
-       iptables -A OUTPUT -j IPS
+       iptables -N IPS_INPUT
+       iptables -N IPS_FORWARD
+       iptables -N IPS_OUTPUT
+       iptables -A INPUT -j IPS_INPUT
+       iptables -A FORWARD -j IPS_FORWARD
+       iptables -A OUTPUT -j IPS_OUTPUT
 
        # Block non-established IPsec networks
        iptables -N IPSECBLOCK
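Review bot: the old `IPS` chain is no longer created in this hunk, so anything else that still jumps to, flushes or appends to `IPS` (whatever script has been populating it for suricata) will now fail with "No chain/target/match by that name" the next time it runs; either keep `iptables -N IPS` until every caller is migrated to IPS_INPUT/IPS_FORWARD/IPS_OUTPUT, or include those callers in the same change. The three new chains are also created empty here with nothing in the diff showing where their rules come from, so a one-line comment next to `# IPS (suricata) chains` naming the script that fills them would help the next reader, and the commit message should state the same.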