Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
iptables -A FORWARD -j GUARDIAN
# IPS (suricata) chains
- iptables -N IPS
- iptables -A INPUT -j IPS
- iptables -A FORWARD -j IPS
- iptables -A OUTPUT -j IPS
+ iptables -N IPS_INPUT
+ iptables -N IPS_FORWARD
+ iptables -N IPS_OUTPUT
+ iptables -A INPUT -j IPS_INPUT
+ iptables -A FORWARD -j IPS_FORWARD
+ iptables -A OUTPUT -j IPS_OUTPUT
# Block non-established IPsec networks
iptables -N IPSECBLOCK